Yes, you can have multiple DKIM records on your domain. Unlike DMARC or SPF, DKIM sets no limit on the number of records you can configure for a single domain, as long as your DNS host permits it.
Some common reasons for setting up multiple DKIM records
- You use a number of third-party email vendors for your daily communications. In this case, you need to configure separate selectors and public-private key pairs to activate authentication for each of these vendors.
Note: The DKIM activation process differs from one email vendor to another. We have a dedicated section in our knowledge base with step-by-step tutorials on how to enable DKIM for several vendors, which you can check out!
- For enhanced security, you may want to rotate your DKIM keys periodically. Changing or rotating your keys from time to time is considered to be standard practice and is highly recommended by security experts.
What is the DKIM protocol?
DKIM is an email authentication standard that uses public/private key cryptography to sign messages for the sender’s domain. It is the result of a growing need for domain protection, which is vital for protection against spam. With this authentication process, DKIM verifies whether the email was generated from an authorized server (recognized and configured by administrators), thus preventing spam.
DKIM exists in your DNS as a TXT (Text) or CNAME (Canonical Name) DNS record, and looks something like this:
Why is DKIM important?
DKIM is one of the standard authentication protocols, on par with DMARC and SPF. It is a highly scalable technology that allows sending parties to sign outbound messages with hash values. When used to protect email messages, DKIM can help ensure an email is not tampered with until it is successfully and safely delivered to recipient inboxes.
DKIM helps stop spam emails and improves deliverability. It also reduces the chances of message modification during transfer, preserving the original message body for the receiver.
What does a DKIM record contain?
A complete DKIM key pair has two main components:
- A DKIM public key
- A DKIM private key
The public key is accessible to email receiving servers and is published on the sender’s DNS, while the private key is known only to the sender and is used for signing messages before they are sent.
What does it look like?
Given below is an example of a DKIM record:
The private key is to be shared only with authorized senders and no one else. The DKIM record generated below is essentially the public key (value) that needs to be published on your domain pointing to your domain which is:
How to add multiple DKIM records?
To create multiple DKIM records use our DKIM generator tool. It’s free!
Once you have assigned a selector to your record (e.g. s1), you need access to your DNS to publish it. You can do this manually, or you can contact your domain registrar to publish the keys on your behalf.
To publish multiple DKIM records, simply create a separate TXT/CNAME record for each of your sending sources and add them to your DNS for the same domain. Every time you create a record, make sure you use a unique DKIM selector that doesn’t match any of the selectors used in your previous records. This will prevent the new record from conflicting with any of your existing ones.
If you have an existing DKIM record at s1._domainkey.domain.com (where s1 is your chosen selector), you cannot have multiple records for domain.com using s1 as your selector. Make sure each new record for domain.com uses a unique selector value (e.g. s2, s3, s4, s5… and so on) as shown below:
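The selector rule above as a runnable check, added here as an illustration and not part of the original article or any vendor's tooling: the Python code below groups DKIM TXT records by `<selector>._domainkey.<domain>` and reports any selector used by more than one record. The record data, key values and function names are constructed for this example; the empty `p=` (revoked key) rule comes from RFC 6376, not from this page.

```python
from collections import defaultdict

# Constructed sample data: (owner name, TXT value). The p= values are fake
# placeholders, not real keys; domain.com and s1..s3 follow the article's naming.
SAMPLE_RECORDS = [
    ("s1._domainkey.domain.com", "v=DKIM1; k=rsa; p=PLACEHOLDERKEYAAA="),
    ("s2._domainkey.domain.com", "v=DKIM1; k=rsa; p=PLACEHOLDERKEYBBB="),
    ("s1._domainkey.domain.com", "v=DKIM1; k=rsa; p=PLACEHOLDERKEYCCC="),  # reuses s1
    ("s3._domainkey.domain.com", "v=DKIM1; k=rsa; p="),  # empty p= (revoked, RFC 6376)
]

def parse_dkim_tags(txt):
    """Split a DKIM TXT value ('tag=value; tag=value') into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)  # split once: base64 may end in '='
            tags[tag.strip()] = value.strip()
    return tags

def split_owner(name):
    """Return (selector, domain) for '<selector>._domainkey.<domain>', else None."""
    parts = name.rstrip(".").lower().split("._domainkey.", 1)
    return tuple(parts) if len(parts) == 2 and all(parts) else None

def audit(records):
    """Return a list of (owner name, problem) findings for the given records."""
    by_selector = defaultdict(list)
    findings = []
    for name, txt in records:
        owner = split_owner(name)
        if owner is None:
            findings.append((name, "not a DKIM owner name"))
        else:
            by_selector[owner].append(parse_dkim_tags(txt))
    for (selector, domain), keys in sorted(by_selector.items()):
        owner = f"{selector}._domainkey.{domain}"
        if len(keys) > 1:
            findings.append((owner, f"selector reused by {len(keys)} records"))
        for tags in keys:
            if "p" not in tags:
                findings.append((owner, "missing p= tag"))
            elif tags["p"] == "":
                findings.append((owner, "empty p= tag (key revoked)"))
    return findings

if __name__ == "__main__":
    for owner, problem in audit(SAMPLE_RECORDS):
        print(f"{owner}: {problem}")
```

Run it against an export of your zone's TXT records before publishing a new key, so a reused selector is caught before receivers start looking it up.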
Is it a safe practice?
Yes. Publishing multiple DKIM records is a safe and heavily endorsed practice, both for boosting your domain’s security and for activating the protocol for your third parties. The same, however, cannot be said of SPF and DMARC. To exercise caution, learn about the impacts of configuring multiple SPF records on your domain.