Can I Have Multiple DKIM Records on My Domain?
Can you have multiple DKIM records on a single domain? The answer is yes: you can have as many DKIM records on your domain as your DNS provider allows.
What is DKIM?
DKIM stands for DomainKeys Identified Mail. It is an email authentication method designed to detect forged header fields and content in emails. DKIM allows the receiving email server to check if email headers and content have been tampered with in transit.
DKIM is based on asymmetric cryptography, which uses pairs of keys: private keys which are known only to the sending server, and public keys which are published in the DNS and accessible to the receiving server.
Before leaving the outgoing email server, an email message is signed with the private key stored on that server; upon arrival, the receiving server verifies the signature with the public key published in the DNS.
What is a DKIM record?
A DKIM record is a TXT record published in the DNS. It consists of a list of tags, one of which is the "p=" tag, which contains the public DKIM key.
Here is an example DKIM record:
k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnVgd0NyrRE261IIiPqi+0H1baNyKcdj8Kea/VlSP4exzvKx8pJ01EWMwd094FV/6OCBIf7KGKgowMnWl3tW3Z5G++uZHkdgF+6xg7b9PynmX/NTo2kx92hlGgegwyulF5B7d2FM0doaCeoO4rD05jZzwi3cXx/156Gg9Xwd/Z/QIDAQAB
The DKIM record above consists of a list of tags defining the parameters of the record. The p tag in the record specifies the base64 encoded public key, which is used by the receiving server to validate the DKIM signature.
A DKIM record can also be published as a CNAME record, in which case the CNAME points to a TXT-typed DKIM record hosted at another name.
For example, if you set up DKIM in SendGrid, it creates a CNAME-typed DKIM record which looks like:
s1.domainkey.uXXX.wlXXX.sendgrid.net
This record maps to a TXT-typed DKIM record:
k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnVgd0NyrRE261IIiPqi+0H1baNyKcdj8Kea/VlSP4exzvKx8pJ01EWMwd094FV/6OCBIf7KGKgowMnWl3tW3Z5G++uZHkdgF+6xg7b9PynmX/NTo2kx92hlGgegwyulF5B7d2FM0doaCeoO4rD05jZzwi3cXx/156Gg9Xwd/Z/QIDAQAB
All DKIM records on domain example.com exist on xxx._domainkey.example.com, with xxx being the DKIM selector, regardless of the record type.
What is a DKIM selector?
A DKIM selector is a string used to specify the location of the DKIM public key on a domain. The main purpose of DKIM selectors is to allow for multiple DKIM key pairs on the same organization's domain name.
For example, you can choose a selector "may10" and create a DKIM public key at that selector on domain example.com: may10._domainkey.example.com.
You can also choose another selector "july29" and create a DKIM public key at that selector on domain example.com: july29._domainkey.example.com.
To learn more about DKIM selectors, refer to: What is a DKIM selector.
Can I have multiple DKIM records on a single domain?
As mentioned in the previous section, multiple DKIM records on a single domain are made possible by creating multiple DKIM selectors on that domain, with each selector pointing to a DKIM record.
The possibility of having multiple DKIM records on a single domain is instrumental in the following scenarios:
- An organization uses multiple email delivery services to send emails on behalf of a single domain, in which case multiple DKIM selectors and private/public key pairs must be used to separate these services. For example, if you authorize both SendGrid and Mailgun to send emails on behalf of your domain, you need at least one DKIM record for SendGrid and one for Mailgun. This way, the signing and verifying servers of the two services can locate their respective key pairs correctly.
- If you are using only one email delivery service, having multiple selectors/key pairs is essential to a DKIM security mechanism called "DKIM key rotation": the key pairs are replaced periodically to lower the risk of a key being compromised. Learn more about this process in What is a DKIM selector.
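The following is an added example, not code from the original post or from any email provider, that ties together the points above: each selector lives at selector._domainkey.domain, a record may be a CNAME that points at a TXT record, a record is a tag=value list whose p= tag carries the base64 public key, and several selectors can coexist on one domain (one per sending service, plus a retired selector left over from key rotation). The ZONE dictionary is a constructed stand-in for DNS; the SendGrid-style hostname is the placeholder from the text, and the same public key bytes from the article are reused for both services purely for brevity (in practice each service has its own key pair). The empty p= value on the retired selector follows RFC 6376, where an empty p= means the key has been revoked.

```python
"""Added example (not from the original post): resolve, parse and audit the
DKIM records published under several selectors on one domain, following
CNAME-typed records to the TXT record they point at."""
import base64

# Public key taken from the article's sample record (base64 of a 1024-bit RSA
# SubjectPublicKeyInfo). Reused for two selectors here only for brevity.
KEY = ("MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnVgd0NyrRE261IIiPqi+0H1baNyKcdj8K"
       "ea/VlSP4exzvKx8pJ01EWMwd094FV/6OCBIf7KGKgowMnWl3tW3Z5G++uZHkdgF+6xg7b9Py"
       "nmX/NTo2kx92hlGgegwyulF5B7d2FM0doaCeoO4rD05jZzwi3cXx/156Gg9Xwd/Z/QIDAQAB")

# Constructed stand-in for DNS: name -> (record type, value). Not real data.
# - "s1": a CNAME-typed record (SendGrid style) pointing at a provider-hosted TXT
# - "mg": a TXT-typed record for a second sending service (hypothetical "mg")
# - "may10": an old selector whose key was revoked after rotation (empty p=)
ZONE = {
    "s1._domainkey.example.com": ("CNAME", "s1.domainkey.uXXX.wlXXX.sendgrid.net"),
    "s1.domainkey.uXXX.wlXXX.sendgrid.net": ("TXT", "k=rsa; t=s; p=" + KEY),
    "mg._domainkey.example.com": ("TXT", "v=DKIM1; k=rsa; p=" + KEY),
    "may10._domainkey.example.com": ("TXT", "v=DKIM1; k=rsa; p="),
}


def dkim_name(selector, domain):
    """Build the DNS name at which a selector's DKIM record is published."""
    return f"{selector}._domainkey.{domain}"


def resolve_txt(zone, name, max_hops=5):
    """Follow CNAME records until a TXT record is reached; None if absent.
    max_hops guards against a CNAME loop in a misconfigured zone."""
    for _ in range(max_hops):
        rtype, value = zone.get(name, (None, None))
        if rtype == "TXT":
            return value
        if rtype == "CNAME":
            name = value      # hop to the target name and look again
            continue
        return None           # no record at this name
    return None               # too many hops: treat as unresolvable


def parse_dkim_record(txt):
    """Split a 'tag=value; tag=value' DKIM record into a dict of tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        tag, _, value = part.partition("=")
        tags[tag.strip()] = value.strip()
    return tags


def check_selector(zone, selector, domain):
    """Describe the state of the DKIM key published at one selector."""
    txt = resolve_txt(zone, dkim_name(selector, domain))
    if txt is None:
        return {"selector": selector, "status": "missing"}
    tags = parse_dkim_record(txt)
    if "p" not in tags:
        return {"selector": selector, "status": "invalid", "reason": "no p= tag"}
    if tags["p"] == "":
        # RFC 6376: an empty p= value means the key has been revoked.
        return {"selector": selector, "status": "revoked"}
    try:
        der = base64.b64decode(tags["p"], validate=True)
    except ValueError:
        return {"selector": selector, "status": "invalid", "reason": "p= is not base64"}
    return {
        "selector": selector,
        "status": "active",
        "key_type": tags.get("k", "rsa"),   # k= defaults to rsa when absent
        "key_bytes": len(der),
    }


def audit_domain(zone, domain, selectors):
    """Check every selector a domain is expected to publish."""
    return [check_selector(zone, s, domain) for s in selectors]


if __name__ == "__main__":
    for result in audit_domain(ZONE, "example.com", ["s1", "mg", "may10", "nope"]):
        print(result)
```

Running the script reports "s1" and "mg" as active keys of 162 DER bytes each, "may10" as revoked, and "nope" as missing. The same audit is a useful routine check after a key rotation: the new selector should be active and the old one revoked or removed once no mail signed with it is still in transit.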
Unlike SPF and DMARC, having multiple DKIM records on a single domain is not only possible, but oftentimes necessary.