Double DKIM

InboxSys rolls out Double DKIM testing feature!

If you see additional DKIM warnings in your InboxSys account, here is why.

As you may or may not know it’s best practice to align your domains when sending emails, such as your bounce domain, sender from domain, hostname, image hosting and link tracking domain, meaning that ideally all these should be on the same domain name.

Although this is best practice, this is an unrealistic point of view. In reality, often Email Service Providers require you to use their own domain for your bounce domain, for various reasons such as processing bounces and feedbackloop data. This is where double DKIM comes in.

Double DKIM is about ensuring each domain you use in your message headers are signed. This can be read about in https://tools.ietf.org/html/rfc6376.

So, is it, and why is it, necessary to sign Double with DKIM, even if all your domains align perfectly?

Apart from declaring which domains may be used in this message, the secondary DKIM signature (ESP signature) is also meant as a fallback. If there is a fault on the sender's DNS, the message still has a valid DKIM signature.

Understanding the importance of Double DKIM is the first step, beyond that there is a preferred way of signing your DKIM signatures.

1. For multiple domains, use separate ’selectors’
2. Use different Keys when using multiple domains
3. The Minimum recommended length for DKIM keys is 2048 bit.

Summary

The key takeaways from this is to remember when using multiple domains, take into consideration Double DKIM. By doing this you shall be better aligned and your configuration will be looked upon favourably by some filters & ISPs, which could mean improved Deliverability rates.