What does it mean when an email has multiple DKIM signatures?
Matthew Whittaker
Co-founder & CTO, Suped
Published 15 Jun 2025
Updated 17 Aug 2025
When reviewing email headers, you might occasionally spot more than one DKIM-Signature field. This can sometimes cause a moment of confusion, especially if you are meticulous about your email authentication. Many email professionals, when they first encounter multiple DKIM signatures, wonder if it indicates a problem, a misconfiguration, or something more serious like a security issue.
The presence of multiple DKIM signatures (or double DKIM signing) is often normal and even beneficial in complex email sending scenarios. It usually signifies that an email has been handled by more than one legitimate mail server or service before reaching its final destination. Understanding why this happens and how receiving mail servers interpret these multiple signatures is key to ensuring your emails maintain strong deliverability and authentication.
I often see people asking about this phenomenon, and it’s a valid concern. My aim here is to demystify what it means when an email has multiple DKIM signatures, helping you understand the underlying mechanisms and reassuring you that in most cases, it is nothing to worry about. We will explore the common reasons for this occurrence and its implications for your email deliverability and security practices.
DomainKeys Identified Mail (DKIM) is an email authentication standard that allows an organization to claim responsibility for a message in a way that can be validated by recipients. It works by attaching a digital signature to the email header, which is then verified by the recipient's mail server against a public key published in the sender's DNS records. This process helps ensure that the email has not been tampered with in transit and that it genuinely originates from the claimed sender domain.
The primary goal of DKIM, alongside SPF and DMARC, is to combat email spoofing and phishing. By verifying the sender's domain, it helps mailbox providers distinguish legitimate emails from fraudulent ones, significantly improving email security. When a DKIM signature is present and valid, it adds a layer of trust to the email, positively impacting its chances of reaching the inbox.
DKIM's core function
A DKIM signature uses cryptographic digital signatures to authenticate the sender's domain and ensure email integrity. The signature is created with the sender's private key and verified by the recipient against the public key published in the sender's DNS record. You can learn more about how DKIM works in email security.
How it impacts deliverability
A valid DKIM signature helps build and maintain a strong sender reputation. When your emails are consistently signed and verified, it signals to receiving mail servers that your domain is trustworthy. This helps prevent your legitimate emails from being flagged as spam or even outright rejected by email providers. DKIM is part of a larger authentication framework that includes DMARC and SPF.
Why multiple DKIM signatures appear
There are several common scenarios that lead to an email carrying more than one DKIM signature. Knowing these can help you understand why you're seeing them and whether they are legitimate.
Email service providers (ESPs): Many ESPs, such as HubSpot, SendGrid, or ActiveCampaign, will add their own DKIM signature in addition to your domain's signature. This is a common practice, sometimes referred to as double DKIM signing, ensuring that their sending infrastructure is also authenticated. This is often done to maintain their own sending reputation and protect against abuse originating from their platforms. Often, one signature is for your email sending domain and the other is for your return-path domain tied to your dedicated IP. Learn more about the advantages and disadvantages of double signing DKIM by ESPs.
Email forwarding: When an email is forwarded from one mailbox to another, the forwarding server might add its own DKIM signature. This is common with services like Gmail or Outlook which add their own layer of authentication. The original DKIM signature from the sender remains, and the new signature is added by the forwarding server. According to DMARCLY, multiple DKIM signatures can be added to an email message when it is forwarded.
Internal mail routing: In large organizations, emails might pass through several internal mail servers or security appliances before being delivered to an external recipient. Each of these internal systems might apply its own DKIM signature. This can be part of a robust internal security protocol.
Specific domain configurations: Some domains might intentionally configure multiple DKIM records (each with a different selector) to sign emails originating from different systems or for different types of campaigns. For example, a company might use one DKIM key for marketing emails and another for transactional emails.
In these scenarios, the multiple signatures aren't a sign of an issue, but rather a reflection of the email's journey or the sender's sophisticated setup. It's perfectly normal for an email to have multiple DKIM signatures. As Microsoft explains, a message can have multiple DKIM signatures by different domains, and many hosted email services sign the message using the service domain. You can read more about configuring DKIM for email.
Impact on email deliverability and authentication
The good news is that receiving mail servers are designed to handle multiple DKIM signatures gracefully. When an email arrives with multiple signatures, mail servers typically attempt to validate each one. For DMARC (Domain-based Message Authentication, Reporting, and Conformance) to pass, only one of the DKIM signatures needs to align with the From domain and verify correctly.
How mail servers interpret them
Validation process: Mailbox providers like Yahoo Mail and Gmail will check all present DKIM signatures. If even one signature passes validation and alignment with the From domain, the email will typically pass DKIM authentication. This is crucial for DKIM precedence determination.
DMARC implications: For a DMARC check to pass, an email needs only one of SPF or DKIM to align and pass. So, if one of the multiple DKIM signatures aligns and is valid, your email will satisfy the DKIM portion of DMARC authentication. This is why DMARC and DKIM alignment are crucial.
However, while generally harmless, there are some edge cases where multiple DKIM signatures might indicate an issue. If one of the signatures is invalid or points to an unauthorized domain, it could potentially raise a red flag with some strict receiving mail servers, even if another signature passes. This is why regular monitoring of your DMARC reports is essential. These reports provide insights into DKIM authentication results and can help you identify any unexpected or failing signatures.
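The "one aligned, passing signature is enough" rule described above, as an added example that is not part of the original article. The message, domains, selectors and the Authentication-Results header are constructed sample data, and the organizational-domain helper is a simplification (real receivers use the Public Suffix List); the strict mode corresponds to DMARC's adkim=s setting.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: signature values are placeholders, and the
# Authentication-Results header stands in for the receiver's own verdicts.
RAW = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.d=example.com header.s=s1;
 dkim=pass header.d=esp-mail.example header.s=k2;
 dkim=fail header.d=relay.example header.s=fwd
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=s1; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
DKIM-Signature: v=1; a=rsa-sha256; d=esp-mail.example; s=k2; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
DKIM-Signature: v=1; a=rsa-sha256; d=relay.example; s=fwd; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Billing <billing@news.example.com>
Subject: Invoice

Body
"""

def parse_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    pairs = (t.partition("=") for t in header_value.split(";") if "=" in t)
    return {k.strip(): v.strip() for k, _, v in pairs}

def org_domain(domain):
    # Simplification: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def receiver_verdicts(msg):
    # Trust this header only when your own border MTA added it.
    ar = msg.get("Authentication-Results", "")
    pat = r"dkim=(\w+)\s+header\.d=([\w.-]+)\s+header\.s=([\w.-]+)"
    return {(d.lower(), s): res for res, d, s in re.findall(pat, ar)}

def evaluate(raw, strict=False):
    """Return (DKIM leg of DMARC passes?, per-signature rows)."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    verdicts = receiver_verdicts(msg)
    rows = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(header)
        d, s = tags.get("d", "").lower(), tags.get("s")
        aligned = d == from_domain if strict else org_domain(d) == org_domain(from_domain)
        rows.append({"d": d, "s": s, "result": verdicts.get((d, s), "none"), "aligned": aligned})
    return any(r["result"] == "pass" and r["aligned"] for r in rows), rows
```

The rows also show which signatures passed without aligning (the ESP's own domain) and which failed outright, which are the ones to look at when troubleshooting.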
Managing multiple DKIM signatures
While multiple DKIM signatures are usually fine, there are best practices to ensure they don't inadvertently affect your email deliverability or security. Proper management and monitoring are crucial to maintaining a healthy sending reputation and avoiding potential blocklists (or blacklists).
Best practices
Verify all signatures: Even if one passes, it’s good practice to ensure all DKIM signatures on your emails are valid and authorized. Use a DKIM validator to check each one. You can use MxToolbox or similar tools for this purpose.
Monitor DMARC reports: Regularly review your DMARC aggregate and forensic reports. These reports provide invaluable data on all your email streams, including which DKIM signatures are being applied and whether they are passing or failing. This helps you catch any unexpected authentication issues, such as DKIM temperror or DKIM errors during implementation.
Understand your ESP's DKIM: If you use an ESP, understand their DKIM implementation. They usually add a signature for their own domain, which is normal and contributes to overall email trust.
Potential pitfalls
Misconfigured or unauthorized signatures: An invalid or unexpected DKIM signature, especially one that doesn't align with your domain, could negatively impact your sender reputation. This might occur if an attacker tries to inject a signature or if an intermediary server has a bad configuration.
Over-signing: While multiple signatures are okay, an excessive number of unnecessary signatures (e.g., from poorly configured internal systems) can bloat email headers and potentially cause minor processing delays, though this is rare. DKIM oversigning refers to including too many headers in the DKIM signature.
Confusion during troubleshooting: If you are troubleshooting deliverability issues, having multiple signatures might add a layer of complexity to the diagnostic process. It is important to identify which signature is causing problems, if any.
By understanding the typical reasons for multiple DKIM signatures and actively monitoring your DMARC reports, you can ensure that your email authentication remains robust, protecting your brand reputation and maximizing your inbox placement rates.
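One way to apply the DMARC-report monitoring described above, as an added example that is not part of the original article: it lists every DKIM signer seen in an aggregate report and flags signers that are unexpected or failing. The report fragment follows the RFC 7489 aggregate layout, but every domain, selector, IP and count in it is constructed, and EXPECTED_SIGNERS is an assumed allow-list you would maintain yourself.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed aggregate-report fragment; all values are sample data.
REPORT = """<feedback>
  <policy_published><domain>example.com</domain></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <dkim><domain>esp-mail.example</domain><selector>k2</selector><result>pass</result></dkim>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>3</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>unknown-signer.example</domain><selector>x</selector><result>fail</result></dkim>
    </auth_results>
  </record>
</feedback>"""

# Assumption: the signing domains you have authorized (your domain plus your ESP).
EXPECTED_SIGNERS = {"example.com", "esp-mail.example"}

def summarize(xml_text, expected=EXPECTED_SIGNERS):
    """Count messages per (signing domain, selector, result, source IP)."""
    totals = Counter()
    for rec in ET.fromstring(xml_text).iter("record"):
        count = int(rec.findtext("row/count", "0"))
        ip = rec.findtext("row/source_ip")
        # A record carries one <dkim> element per signature the receiver evaluated.
        for sig in rec.iterfind("auth_results/dkim"):
            key = (sig.findtext("domain", "").lower(), sig.findtext("selector"),
                   sig.findtext("result"), ip)
            totals[key] += count
    # Flag anything signed by a domain you did not authorize, or not passing.
    findings = [(k, n) for k, n in totals.items() if k[0] not in expected or k[2] != "pass"]
    return totals, findings
```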
Views from the trenches
Best practices
Ensure your primary sending domain's DKIM signature is always valid and aligns with your DMARC policy.
Regularly check DMARC aggregate reports to identify all domains signing your email, authorized or otherwise.
Work closely with your ESP to understand their DKIM signing practices and how they interact with your domain's DKIM.
If using multiple sending systems, ensure each has a correctly configured and unique DKIM selector.
Common pitfalls
Ignoring additional DKIM signatures, assuming they are always benign, which can mask underlying issues.
Not monitoring DMARC reports, leading to delayed detection of unauthorized or failing DKIM signatures.
Misunderstanding ESP DKIM configurations, resulting in confusion during troubleshooting deliverability.
Failing to account for forwarding services adding their own DKIM signatures, which can sometimes break DMARC alignment.
Expert tips
When troubleshooting, focus on the DKIM signature that aligns with your DMARC organizational domain for primary validation.
Use a tool to visualize your DMARC reports to easily identify all authenticating domains and their statuses.
Consider segmenting your email sending by subdomain, each with its own DKIM, for better control and reputation management.
Be aware that some legacy systems or niche mail servers might handle multiple DKIM signatures inconsistently.
Marketer view
Marketer from Email Geeks says the presence of two different DKIM signatures in an email payload is typically not a cause for concern.
2024-01-30 - Email Geeks
Marketer view
Marketer from Email Geeks says it is common for emails to contain multiple signatures, although usually from different organizational domains.
2024-01-30 - Email Geeks
Conclusion: multiple DKIM signatures are usually fine
In summary, finding multiple DKIM signatures in your email headers is usually not a problem. It’s a common and often necessary aspect of modern email ecosystems, especially when using third-party email service providers or when emails are forwarded. The key is to ensure that at least one of these signatures properly authenticates and aligns with your sending domain, as this is what DMARC checks for.
By understanding the reasons behind multiple signatures and actively monitoring your DMARC reports, you can proactively address any potential issues and maintain strong email deliverability. This diligence will help protect your brand from spoofing and ensure your legitimate messages consistently reach their intended recipients.