What does it mean when an email has multiple DKIM signatures?
Summary
What email marketers say11Marketer opinions
Email marketer from EmailSecuritySPF shares that emails often have multiple DKIM signatures. Even if one signature fails verification, the email can still pass the DKIM check if another signature verifies correctly.
Email marketer from Email Geeks shares the second DKIM signature is often the ESP's signature.
Email marketer from Cloudflare explains that a DKIM check can help prevent email spoofing. The purpose of a DKIM is to prove an email isn't forged and shows that the sending organization authorizes the message.
Email marketer from Stack Overflow explains that multiple DKIM signatures can occur when an email is forwarded, as each server involved may add its own signature.
Email marketer from Reddit mentions multiple DKIMs is often due to ESP configuration, and can be a sign of legitimacy, implying multiple parties are vouching for the email's authenticity.
Email marketer from AuthSMTP shares that multiple DKIM signatures can be present in an email header. This often occurs when the sender uses a third party email provider.
Email marketer from Mimecast mentions that organizations can set up multiple DKIM signatures for various reasons, including different sending domains, subdomains, or email streams.
Email marketer from Email Geeks shares that it’s not uncommon to have multiple signatures, although the organizational domains usually differ.
Email marketer from SuperUser explains that multiple DKIM signatures are generally added by different entities that handle the email, typically when different organizations have a hand in processing the same email.
Email marketer from Email Geeks confirms that in HubSpot, one DKIM signature is for your email sending domain, and the other is for your return path domain tied to your dedicated IP.
Email marketer from EasyDMARC shares that even though there can be multiple DKIM records, each domain can only have one DKIM record per selector. If using multiple ESP's this will generate the need for multiple DKIM records.
What the experts say2Expert opinions
Expert from Word to the Wise explains that multiple DKIM signatures are a feature of the DKIM spec, and are often created by intermediaries such as mailing lists or forwarders. This is typically safe if the forwarding system adds it's own DKIM.
Expert from Email Geeks explains it's fine for emails to have multiple keys, but you might not need both from the same organization.
What the documentation says3Technical articles
Documentation from dkim.org explains that a single message might be signed by multiple DKIM signatures, possibly by different administrative domains. This is useful in a number of scenarios, such as when outsourcing handling of some or all email.
Documentation from RFC 6376 states that a message can contain multiple DKIM signatures, each potentially from a different entity involved in handling the message, supporting scenarios like email forwarding or third-party services.
Documentation from Proofpoint explains that a DKIM check can fail because the signature is invalid, the header fields have been modified, or multiple signatures exist and at least one fails verification.