Yes, you can have multiple DKIM records on your domain. Unlike DMARC or SPF, DKIM sets no limit on the number of records you can configure for a single domain, as long as your DNS host permits it.
What is the DKIM Protocol?
DKIM is an email authentication standard that uses public/private key cryptography for the sender’s domain. It is the result of a growing need for domain protection, which is vital for protection against spam. With this authentication process, DKIM verifies whether the email was generated from an authorized server (recognized and configured by administrators), thus preventing spam.
DKIM exists in your DNS as a TXT (Text) or CNAME (Canonical Name) DNS record, and looks something like this:
What is a DKIM Record?
A DKIM record is a DNS record that enables the DomainKeys Identified Mail (DKIM) email authentication protocol. DKIM records can be TXT (text) records or CNAME (canonical name) records. The DKIM record is also known as the DKIM public key, which is the public part of your DKIM implementation while the DKIM signature key (private key) is used to sign messages.
A DKIM record may look like this: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0B…..
Why is DKIM Important?
DKIM is one of the standard authentication protocols out there, on par with DMARC and SPF. It is a highly scalable technology that allows sending parties to sign outbound messages with hash values. When used to protect email messages, DKIM can help ensure an email is never tampered with until it is successfully and safely delivered to recipient inboxes.
DKIM helps stop spam emails and improves deliverability. It also reduces the chances of message modifications during transfer, preserving the original message body for the receiver.
What Does a DKIM Record Contain?
A complete DKIM key pair has two main components:
- A DKIM public key
- A DKIM private key
The public key is accessible to email-receiving servers and is published on the sender’s DNS, while the private key is known only to the sender and is used for signing messages before they are sent.
DKIM Record Example
Below is an example of a DKIM record:
The private key is to be shared only with authorized senders and no one else. The DKIM record is essentially the public key (value) that needs to be published in DNS for your domain at the following name:
dkimselector._domainkey.mydomain.com
What is DKIM Selector?
A DKIM selector is a unique DKIM key locator that helps receivers identify the DKIM public key in the sender’s DNS. It can be an alphanumeric value and appears as the subdomain part of the sender’s DKIM-enabled domain.
DKIM selectors are denoted by the s= tag, for example: s=selector1
When Can I Have Multiple DKIM Records For the Same Domain?
It is possible to configure multiple DKIM records for the same domain under the following circumstances:
- When using multiple email vendors: If you use multiple email service providers to send your emails, each provider must have separate DKIM keys configured. Hence multiple DKIM records need to be published for the same domain, associated with each provider.
- When rotating DKIM keys: You can configure two or more DKIM records and rotate between them periodically, to enhance email security.
- When using multiple subdomains: If you use multiple subdomains, each utilizing separate email systems to send messages, you can configure multiple DKIM records.
How to Add Multiple DKIM Records?
To create multiple DKIM records use our DKIM generator tool. It’s free!
Once you have assigned a selector to your record (e.g., s1), you need to access your DNS to publish it. You can do this manually, or you can contact your domain registrar to publish the keys on your behalf.
To publish multiple DKIM records, simply create a separate TXT/CNAME record for each of your sending sources and publish them in your DNS for the same domain. Every time you create a record, make sure you use a unique DKIM selector that doesn’t match any of the selectors used in your previous records. This will prevent the new record from conflicting with any of your existing ones.
For example:
If you have an existing DKIM record at s1._domainkey.domain.com (where s1 is your chosen selector), you CANNOT have multiple records for domain.com using s1 as your selector. Make sure your new records for domain.com always point to unique selector values (e.g., s2, s3, s4, s5, and so on) as shown below:
s2._domainkey.domain.com
s3._domainkey.domain.com
s4._domainkey.domain.com
s5._domainkey.domain.com
Is Having Multiple DKIM Records a Safe Practice?
Yes. Publishing multiple DKIM records to boost your domain’s security and activate the protocol for third parties is a safe and heavily endorsed practice. However, the same cannot be said regarding SPF and DMARC. To exercise caution, learn about the impacts of configuring multiple SPF records on your domain.
How Many Records Can I Have?
There are no restrictions on the number of DKIM records you can configure for a domain, and it depends entirely on your requirements. As long as each DKIM record has a unique selector associated with it,
However, it is important to consider DNS size constraints when configuring numerous DKIM records. TXT records have a maximum size of 255 characters making it an important aspect to consider when configuring lengthy DKIM keys or multiple DKIM records.
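The selector rules and the size constraint described above can be checked before anything is published. The following Python sketch is an added example, not part of the original article or any vendor tool: it derives the DNS name a receiver queries from the s= and d= tags of a signature, flags planned records that reuse a selector, and splits a long key into strings of at most 255 characters (a TXT record may hold several such strings, which receivers concatenate). The record plan, the signature header and all function names are constructed for illustration.

```python
from collections import Counter

# Constructed plan of (selector, domain, TXT value). Each p= value is a
# placeholder of 392 characters, the base64 length of a 2048-bit RSA key.
PLANNED = [
    ("s1", "domain.com", "v=DKIM1; k=rsa; p=" + "A" * 392),
    ("s2", "domain.com", "v=DKIM1; k=rsa; p=" + "B" * 392),
    ("s1", "domain.com", "v=DKIM1; k=rsa; p=" + "C" * 392),  # reuses s1
]
# Constructed DKIM-Signature header (hash and signature are placeholders).
SIGNATURE = ("DKIM-Signature: v=1; a=rsa-sha256; d=domain.com; s=s2; "
             "h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER")

def record_name(selector, domain):
    """DNS name a receiver queries: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}".lower()

def parse_tags(value):
    """Parse a 'tag=value; tag=value' list into a dict, dropping whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            tag, val = part.split("=", 1)
            tags[tag.strip()] = "".join(val.split())
    return tags

def lookup_name(signature_header):
    """Build the query name from the d= and s= tags of a DKIM-Signature."""
    tags = parse_tags(signature_header.split(":", 1)[1])
    return record_name(tags["s"], tags["d"])

def find_collisions(planned):
    """Return DNS names that more than one planned record would occupy."""
    counts = Counter(record_name(s, d) for s, d, _ in planned)
    return sorted(name for name, n in counts.items() if n > 1)

def txt_strings(value, limit=255):
    """Split a value into the strings of at most 255 characters a TXT record stores."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]

if __name__ == "__main__":
    print("receiver queries:", lookup_name(SIGNATURE))
    print("selector collisions:", find_collisions(PLANNED))
    for selector, domain, value in PLANNED[:2]:
        chunks = " ".join(f'"{c}"' for c in txt_strings(value))
        print(f"{record_name(selector, domain)} IN TXT ( {chunks} )")
```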