What does it mean when an email has multiple DKIM signatures?

Key findings

• Common occurrence: Many legitimate emails, especially those sent via an Email Service Provider, will contain more than one DKIM signature.
• Purposeful design: The DKIM standard (defined in RFC 6376) explicitly permits multiple signatures on a single message.
• DMARC authentication: For DMARC to pass, only one of the DKIM signatures needs to align with the header.from domain and successfully verify.
• Multiple signing entities: Often, one signature comes from your sending domain (or a subdomain), and another comes from the domain of the Email Service Provider (ESP) or a third-party service managing parts of your email infrastructure.
• Feedback loop integration: ESPs might add a second DKIM signature to track spam complaints through their own feedback loop programs, which helps them manage their reputation.

Key considerations

• Validation status: While multiple signatures are acceptable, ensure at least one DKIM signature is valid and aligns with your sending domain to achieve DMARC compliance.
• Identify sources: Understand which entities are adding signatures. Your ESP typically provides documentation on their DKIM signing practices.
• Monitor DMARC reports: Regularly check your DMARC aggregate reports to confirm that DKIM authentication is consistently passing, even with multiple signatures.
• Troubleshooting: If you encounter deliverability issues or DKIM failures, examine each signature to ensure none are invalid or pointing to compromised keys.

Key opinions

• Normal operation: Having multiple DKIM signatures is considered standard practice and generally not a cause for concern.
• ESP contributions: It is very common for the second signature to be added by the Email Service Provider (ESP), serving their authentication and tracking needs.
• Subdomain variations: The presence of two signatures can arise if a marketer uses a dedicated IP or a specific subdomain for their return-path that differs from the friendly from address.
• Deliverability benefit: Some marketers find that double signing can enhance deliverability by providing redundant authentication checks.
• Sender reputation: A valid ESP signature helps ensure their reputation is applied, aiding the sender's inbox placement.

Key considerations

• Configuration clarity: Marketers should ensure they understand their ESP's specific DKIM configuration and why additional signatures are present.
• Avoid redundancy: While multiple signatures are fine, having two DKIM keys from the exact same organization might indicate an unnecessary setup.
• Impact on tools: Some email testing tools or score checkers might flag multiple signatures, but this is usually a diagnostic flag, not an error.
• Custom DKIM: For maximum control over email branding and authentication, marketers often aim to have their own domain's DKIM signature present and valid.

Key opinions

• Standard practice: It's standard for an email to have both a signing domain (SDID) and a responsible domain (ADSP) signature, often managed by different entities.
• Functional redundancy: Multiple signatures offer redundancy. If one signature fails, another can still pass, potentially preventing delivery issues.
• Feedback loop support: ESPs frequently use their own DKIM signatures to facilitate feedback loop (FBL) reporting, which is crucial for managing their IP reputation.
• DMARC flexibility: DMARC only requires one valid and aligned DKIM or SPF signature to pass, making multiple DKIMs a non-issue if at least one is correctly configured.
• Delegated sending: When a brand delegates sending to an ESP, it is common for both the brand's domain and the ESP's domain to apply DKIM signatures to the same message.

Key considerations

• Signature validity: While multiple signatures are acceptable, any invalid or poorly configured signature could potentially raise spam flags, even if another is valid. It's important to monitor for DKIM temperrors.
• Alignment strategy: Ensure that at least one DKIM signature aligns with your DMARC policy's requirements, specifically regarding the organizational domain.
• Debugging: When troubleshooting deliverability, it's vital to inspect all DKIM signatures in the email header to determine which ones are passing or failing validation.
• ESP relationship: Understanding why your ESP adds a second signature can help with overall deliverability management and reputation monitoring.

Key findings

• RFC compliance: RFC 6376, the standard for DKIM, explicitly allows for an email to carry multiple DKIM-Signature header fields.
• DMARC evaluation: DMARC only requires that at least one of the authentication methods (SPF or DKIM) passes alignment to fulfill its requirements.
• Use cases: Documentation outlines scenarios such as mail relaying, third-party senders, and feedback loop mechanisms where multiple signatures are necessary or beneficial.
• Selector usage: Multiple DKIM signatures can use different selectors, allowing for separate keys to be managed for different purposes or subdomains.

Key considerations

• Implementation guidelines: Adhere to the DKIM specification when implementing multiple signatures to ensure proper validation by receiving mail servers.
• DMARC policy impact: Understand how each signature contributes to DMARC alignment, especially for domains with strict DMARC policies like p=quarantine or p=reject.
• Domain separation: Leverage multiple selectors for a single domain to provide separate DKIM signatures for different departments or sending locations, as suggested by Zoho Mail documentation.