What does it mean when an email has multiple DKIM signatures?

Summary

Multiple DKIM signatures in an email indicate the message has been processed by several entities, each potentially adding their own signature from different administrative domains. This is a standard feature, commonly seen with ESPs, email forwarders, mailing lists, and when outsourcing email management. The second DKIM signature is often the ESP's. Multiple signatures can be a sign of legitimacy, with different parties vouching for the email's authenticity. Even if one signature fails, the email can still pass DKIM checks if another signature verifies correctly. Organizations may set up multiple DKIM signatures for various reasons, including different sending domains, subdomains, or email streams. Each domain can only have one DKIM record per selector, necessitating multiple records when using multiple ESPs. While multiple keys are acceptable, having multiple from the same organization may be redundant.

Key findings

  • Multiple Entities: Multiple entities, such as ESPs, forwarders, and mailing lists, can add DKIM signatures.
  • ESP Signatures: The second DKIM signature often comes from the ESP being used for sending.
  • Legitimacy Indicator: Multiple valid signatures can suggest increased legitimacy.
  • HubSpot Configuration: In HubSpot, one DKIM signature covers the sending domain, and another covers the return-path domain.
  • Forwarding Implications: Forwarding systems can add their own DKIM signatures.
  • Domain limits: Each domain can only have one DKIM record per selector.
  • Delegated Management: Multiple DKIM signatures can be useful when outsourcing email handling.

Key considerations

  • Organizational Domains: Ensure that organizational domains associated with multiple signatures differ.
  • DKIM Configuration: Properly configure DKIM to prevent spoofing.
  • Verification: Even if one signature fails, the email can pass checks if another is valid.
  • Third-Party Involvement: Multiple signatures are common when using third-party services.
  • Redundancy: Avoid redundant DKIM keys from the same organization.
  • Failure Scenarios: Understand the reasons for DKIM check failures, like invalid signatures or header modification.
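
An added example (not code from this page or from any source it cites): it lists every DKIM-Signature on a message with the DNS name its key is published at, the result the receiver recorded for it, and whether the signing domain aligns with the From domain. The sample message, its domains and selectors, and the simplified parent/child alignment check are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed sample. Trust Authentication-Results only from your own receiving MTA.
RAW = """\
Authentication-Results: mx.receiver.example; dkim=pass header.d=shop.example header.s=s2024;
 dkim=fail (body hash did not verify) header.d=esp-mail.example header.s=k1
DKIM-Signature: v=1; a=rsa-sha256; d=esp-mail.example; s=k1; bh=AAAA; b=BBBB
DKIM-Signature: v=1; a=rsa-sha256; d=shop.example; s=s2024;
 h=from:to:subject; bh=CCCC; b=DDDD
From: News <news@mail.shop.example>
"""

def parse_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    flat = re.sub(r"\s+", "", value)  # unfold and drop whitespace
    return dict(t.split("=", 1) for t in flat.split(";") if "=" in t)

def auth_results(msg):
    """Map (d, s) to the dkim= result recorded in Authentication-Results."""
    out = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for part in hdr.split(";"):
            res = re.match(r"\s*dkim=(\w+)", part)
            d = re.search(r"header\.d=([\w.-]+)", part)
            s = re.search(r"header\.s=([\w.-]+)", part)
            if res and d and s:
                out[(d.group(1).lower(), s.group(1))] = res.group(1)
    return out

def aligned(d, from_domain):
    # Simplification: parent/child match stands in for the Public Suffix List lookup.
    return d == from_domain or from_domain.endswith("." + d) or d.endswith("." + from_domain)

def summarize(raw):
    """One row per DKIM-Signature: signer, DNS key record, result, alignment."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    results, rows = auth_results(msg), []
    for tags in map(parse_tags, msg.get_all("DKIM-Signature", [])):
        d, s = tags["d"].lower(), tags["s"]
        rows.append({"d": d, "s": s, "key_record": f"{s}._domainkey.{d}",
                     "result": results.get((d, s), "none"), "aligned": aligned(d, from_domain)})
    return rows

def dkim_verdict(rows):
    """Return (any signature passed, a From-aligned signature passed)."""
    passed = [r for r in rows if r["result"] == "pass"]
    return bool(passed), any(r["aligned"] for r in passed)
```

On the sample, the ESP signature fails and is unaligned, while the author-domain signature passes and is aligned, so the message still has a usable DKIM pass.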

What email marketers say
11 Marketer opinions

Multiple DKIM signatures in an email indicate that the message has been processed by several entities, each adding its own signature. This is common when using ESPs, forwarding emails, or when various organizational domains are involved. The presence of multiple signatures can be a sign of legitimacy, confirming that different parties have verified the email's authenticity. Even if one signature fails, the email can still pass DKIM checks if another signature is valid.

Key opinions

  • Multiple Entities: Multiple DKIM signatures often arise because different entities (ESPs, forwarders, etc.) have processed the email.
  • ESP Signatures: The second DKIM signature frequently comes from the ESP being used.
  • Legitimacy Sign: Multiple valid signatures can indicate legitimacy, implying multiple parties vouch for the email.
  • HubSpot Example: In platforms like HubSpot, one DKIM signature covers the email sending domain, while another covers the return path domain tied to the dedicated IP.
  • Verification: An email can still pass DKIM checks if at least one signature verifies correctly, even if others fail.
  • Domain Limits: Each domain can only have one DKIM record per selector, requiring multiple DKIM records when using multiple ESPs.

Key considerations

  • Organizational Domains: Pay attention to the organizational domains associated with each signature, as they should differ.
  • Email Spoofing: Ensure DKIM checks are properly configured to prevent email spoofing.
  • Configuration: Organizations may set up multiple DKIM signatures for different sending domains or email streams.
  • Third-Party Providers: Using third-party email providers often results in multiple DKIM signatures being added to the header.
  • Forwarding Implications: Email forwarding can add another DKIM signature as the message passes through the system, which can be safe to use if the forwarding system adds its own DKIM.
Marketer view

Email marketer from EmailSecuritySPF shares that emails often have multiple DKIM signatures. Even if one signature fails verification, the email can still pass the DKIM check if another signature verifies correctly.

December 2024 - EmailSecuritySPF
Marketer view

Email marketer from Email Geeks shares the second DKIM signature is often the ESP's signature.

December 2021 - Email Geeks
Marketer view

Email marketer from Cloudflare explains that a DKIM check can help prevent email spoofing. The purpose of DKIM is to prove an email isn't forged and to show that the sending organization authorizes the message.

May 2022 - Cloudflare
Marketer view

Email marketer from Stack Overflow explains that multiple DKIM signatures can occur when an email is forwarded, as each server involved may add its own signature.

June 2024 - Stack Overflow
Marketer view

Email marketer from Reddit mentions that multiple DKIM signatures are often due to ESP configuration and can be a sign of legitimacy, implying multiple parties are vouching for the email's authenticity.

November 2024 - Reddit
Marketer view

Email marketer from AuthSMTP shares that multiple DKIM signatures can be present in an email header. This often occurs when the sender uses a third-party email provider.

December 2024 - AuthSMTP
Marketer view

Email marketer from Mimecast mentions that organizations can set up multiple DKIM signatures for various reasons, including different sending domains, subdomains, or email streams.

August 2023 - Mimecast
Marketer view

Email marketer from Email Geeks shares that it’s not uncommon to have multiple signatures, although the organizational domains usually differ.

August 2021 - Email Geeks
Marketer view

Email marketer from SuperUser explains that multiple DKIM signatures are generally added by different entities that handle the email, typically when different organizations have a hand in processing the same email.

April 2022 - SuperUser
Marketer view

Email marketer from Email Geeks confirms that in HubSpot, one DKIM signature is for your email sending domain, and the other is for your return path domain tied to your dedicated IP.

January 2025 - Email Geeks
Marketer view

Email marketer from EasyDMARC shares that even though there can be multiple DKIM records, each domain can only have one DKIM record per selector. Using multiple ESPs will generate the need for multiple DKIM records.

May 2024 - EasyDMARC

What the experts say
2 Expert opinions

Having multiple DKIM signatures in an email is a standard feature, often seen when intermediaries like mailing lists or email forwarders are involved. It's generally acceptable, particularly when the forwarding system includes its own DKIM signature. While multiple keys are fine, it might not be necessary to have multiple from the same organization.

Key opinions

  • Standard Feature: Multiple DKIM signatures are a designed aspect of the DKIM specification.
  • Intermediary Involvement: Mailing lists and forwarders frequently add their own DKIM signatures.
  • Forwarding Safety: It's safe if the forwarding system adds its DKIM.
  • Redundancy Consideration: Having multiple DKIM keys from the same organization might be unnecessary.

Key considerations

  • Forwarding System DKIM: Ensure that the forwarding system appends its own valid DKIM signature.
  • Key Origin: Evaluate whether multiple keys from the same organization are truly needed.
Expert view

Expert from Word to the Wise explains that multiple DKIM signatures are a feature of the DKIM spec, and are often created by intermediaries such as mailing lists or forwarders. This is typically safe if the forwarding system adds its own DKIM.

January 2025 - Word to the Wise
Expert view

Expert from Email Geeks explains it's fine for emails to have multiple keys, but you might not need both from the same organization.

January 2024 - Email Geeks

What the documentation says
3 Technical articles

Documentation indicates that multiple DKIM signatures on an email can arise from different administrative domains or entities involved in handling the message, such as when outsourcing email management, using third-party services, or during email forwarding. A DKIM check might fail if a signature is invalid, header fields are modified, or if at least one of the multiple signatures fails verification.

Key findings

  • Multiple Domains: Multiple DKIM signatures can come from different administrative domains signing the same email.
  • Outsourcing Support: Multiple signatures are useful when outsourcing email handling.
  • Third-Party Services: Email forwarding and third-party services often result in multiple DKIM signatures.
  • Failure Reasons: DKIM checks can fail due to invalid signatures, header modifications, or at least one failed signature in a set of multiple signatures.

Key considerations

  • Signature Validity: Ensure that each DKIM signature is valid to pass verification checks.
  • Header Integrity: Maintain the integrity of header fields to prevent DKIM check failures.
  • Domain Alignment: Verify that the DKIM signatures align with the sending domains to enhance deliverability and trust.
Technical article

Documentation from dkim.org explains that a single message might be signed by multiple DKIM signatures, possibly by different administrative domains. This is useful in a number of scenarios, such as when outsourcing handling of some or all email.

February 2025 - dkim.org
Technical article

Documentation from RFC 6376 states that a message can contain multiple DKIM signatures, each potentially from a different entity involved in handling the message, supporting scenarios like email forwarding or third-party services.

August 2021 - RFC Editor
Technical article

Documentation from Proofpoint explains that a DKIM check can fail because the signature is invalid, the header fields have been modified, or multiple signatures exist and at least one fails verification.

July 2022 - Proofpoint