Can you use multiple DKIM signatures?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
And yes, and it's more common than you might think.
An email can carry multiple DKIM-Signature headers, each signed by a different private key and pointing to a different DNS selector. The receiving server validates each signature independently. DKIM passes as long as at least one valid signature exists for a domain that can help with DMARC alignment.
When does this actually happen?
During migrations. If you're switching ESPs, you might have both the old provider and the new provider signing messages for a period. This lets receiving servers validate against either key during the transition without dropping mail.
When using multiple sending systems. Some senders route transactional email through one system and marketing email through another. If the receiving server passes the message through an intermediate system that adds its own signature, you can end up with two valid signatures.
Shared infrastructure with its own signing. Mailing list servers and forwarders sometimes add their own DKIM signature alongside the original sender's, especially those implementing ARC support.
Multiple signatures don't cause problems. Any invalid signatures are ignored. The valid ones are what count. If you're troubleshooting a complex authentication setup and want to see all the signatures on a message, our free Review My Emails Email Header Analyzer shows each DKIM-Signature header and its validation status separately.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.