Yes, you can have multiple DKIM records (learn how to do it)
TLDR: Yes, a domain can have multiple DKIM records, and most domains that send through more than one service have several. Each service publishes its own record at a unique selector (like google._domainkey.yourdomain.com
or s1._domainkey.yourdomain.com
), so they never conflict. Unlike SPF, which allows only one record per domain, DKIM has no limit on how many selectors you can add. The only rule: each selector holds just one key.
DomainKeys Identified Mail (DKIM) is an important part of email authentication. It helps verify that your emails haven’t been altered during transit and that your message (in fact) is from your domain.
If you send email through more than one service (Google Workspace for staff, a platform for marketing, something else for invoices), you’ve probably wondered whether your domain can carry a DKIM record for each.
The short answer is yes. In fact, it’s exactly how DKIM is meant to work.
Each sending service gets its own DKIM record, published at its own selector, so they sit side by side in your DNS without stepping on each other. That’s the good news. The harder part is keeping all of them configured, current, and rotated as your list of services grows.
This guide answers the common questions first: can you, how many, what are the rules? Then, it walks through the best practices for managing multiple DKIM records without letting one expired key send your mail to spam.
Can you have multiple DKIM records?
Yes. A single domain can hold as many DKIM records as it needs, one for each service that sends email on your behalf.
Each record lives at its own selector, a label that prefixes the DNS entry like selector._domainkey.yourdomain.com
. Google Workspace might publish at google._domainkey
, while a marketing platform uses s1._domainkey
, and a transactional service uses its own.
Because every service signs with its own selector, the receiving server always knows which key to check, and the records never conflict.
How many DKIM records can you have?
There’s no set limit. You can publish as many DKIM records as you have sending services, each at its own selector.
This is a key difference from SPF, where a domain is allowed only one record and runs into a 10 DNS lookup limit. DKIM has neither restriction, because each key is namespaced by its selector.
The one rule to follow: never publish two different keys at the same selector. If you need another key, give it a new selector.
DKIM and its role in email security
DomainKeys Identified Mail (often just shortened to DKIM) is an email authentication method that detects forged sender addresses in emails. It works by adding a unique digital signature to the header of each email sent from your domain.
This signature is created using a private key that only your mail server can access. When the email is received, the recipient’s mail server uses the corresponding public key (published in your domain’s DNS records) to verify the signature. If the signature matches, it confirms that the email hasn’t been altered and is genuinely from the sender.
And that’s that.
This mark of authenticity prevents malicious actors from impersonating your domain to deceive recipients. It maintains the trust and security of your communications, which is especially important in an age where phishing attacks are becoming more prevalent (and more sophisticated).
Plus, it can improve your email deliverability. Email providers are more likely to trust emails properly authenticated with DKIM, which means your emails are more likely to land in recipients’ inboxes rather than being flagged as spam.
Challenges of managing multiple DKIM records
Managing one DKIM record is relatively simple, but things can get a bit more complicated when you introduce multiple DKIM records. However, it’s an essential practice if you use a variety of email services with multiple subdomains.
Here are some of the challenges you’ll face:
Complexity of configuration
Setting up and maintaining multiple DKIM records isn’t a straightforward process. Each email service and subdomain requires its own DKIM key, which must be correctly configured in the DNS records. This involves:
- Generating unique private-public key pairs
- Publishing the public keys in the DNS
- Correctly implementing the corresponding private keys on mail servers
The more services and subdomains you manage, the more complex this configuration becomes. Any mistake in the setup can lead to DKIM failures, and that means your emails could be marked as spam or not delivered at all.
Coordination across teams
DKIM management requires close collaboration between various teams within an organization, including IT, security, and marketing. Each team has a role to play:
- IT manages the technical setup
- Security double-checks that the keys are handled safely
- Marketing relies on email deliverability to reach customers
Without proper coordination, miscommunications and delays can occur, leading to misconfigurations or lapses in DKIM management. To keep everyone on the same page, you’ll need to establish clear lines of communication and define responsibilities.
Risk of misconfiguration
Incorrect DKIM configurations are a common issue that can have serious repercussions. Misconfigurations can occur in various ways:
- Using the wrong selector
- Publishing incorrect key lengths
- Failing to update expired keys
These errors can cause DKIM failures, undermining the authenticity of your emails and harming your domain’s reputation. Regular audits and automated tools help mitigate these risks, but the potential for human error is always there.
Curious about your DKIM record? Use Valimail’s free DKIM checker to troubleshoot your DKIM record.
Best practices for managing multiple DKIM records
Managing multiple DKIM records can be daunting, but with the right strategies, you can streamline the process and improve your email security. Here are some best practices to help you better manage DKIM records across your domain.
1. Centralize DKIM management
Centralized tools or DKIM management platforms transform how you organize complex email ecosystems. A centralized management system allows you to generate, publish, and update DKIM keys from a single interface—this helps maintain consistency and reduce the likelihood of errors.
It also streamlines the entire DKIM process, making it easier to maintain and monitor your DKIM configuration across all email sources.
And we can help.
Valimail provides a solution for centralized DKIM management. Our platform automates the generation, publication, and rotation of DKIM keys to keep your email authentication up-to-date and correctly configured. Here’s how:
- Automated DKIM Configuration: Valimail’s platform automates the setup and maintenance of DKIM records, reducing the workload on your IT team and minimizing the risk of errors.
- Real-Time Monitoring: Our real-time monitoring tools alert you to any issues with your DKIM configurations, allowing you to address problems before they impact email deliverability.
- Comprehensive Management: Valimail centralizes the management of all your email authentication protocols, including DKIM, SPF, and DMARC.
2. Regularly audit DKIM records
Perform periodic audits of your DKIM records to double-check that they are correctly configured and up-to-date. Proactive audits help you catch any discrepancies, expired keys, or misconfigurations that could lead to DKIM failures.
3. Implement key rotation policies
Key rotation involves regularly updating your DKIM keys to minimize the risk of compromise and guarantee your email authentication is working properly. Rotating your keys on a set schedule reduces the chance of attackers exploiting old or exposed keys.
Sometimes, DKIM keys become compromised, but this doesn’t mean it’s the end of the world. If a DKIM key is accidentally exposed or compromised, a rotation policy guarantees it will be updated soon, minimizing potential damage.
4. Use unique selectors for different services
A selector is a string that helps identify the DKIM key used to sign an email. Using unique selectors for different services helps you easily pinpoint and address issues specific to each service (making troubleshooting more straightforward).
It also helps isolate potential security issues and reduce the risk of widespread compromise if one key is exposed. With unique selectors, you can manage and rotate DKIM keys for each service independently—this helps you update keys regularly without affecting other services.
5. Automate DKIM configuration and monitoring
Automating the configuration and monitoring of DKIM records reduces manual effort. Automation tools can handle the repetitive tasks of generating, publishing, and updating DKIM keys, and they can also monitor their performance. This provides up-to-date DKIM configuration, real-time alerts, and non-stop peace of mind.
6. Coordinate with third-party providers
Work closely with third-party email service providers to maintain a secure and reliable DKIM setup. You likely use plenty of different tools for everything from marketing campaigns and customer support to invoicing and transactional emails—work with these providers to guarantee they’re aligned with your DKIM policies and configurations.
7. Maintain comprehensive documentation
Keep detailed records of your DKIM configurations, key rotation schedules, and any changes you make to your setup. This documentation trail provides a clear record of your email authentication practices, making it easier to troubleshoot issues, train new team members, and guarantee continuity during staff transitions.
Centralize and streamline DKIM management with Valimail
Managing multiple DKIM records can be complex and time-consuming, but it’s something you’ll need to do if you have a variety of sending services and subdomains. And, fortunately, you don’t have to do it alone.
Valimail can help.
Valimail centralizes and streamlines your DKIM management. Our automated solutions make it easy to set up, monitor, and maintain your DKIM records and keys to guarantee your emails are always authenticated correctly. With Valimail, you can enjoy peace of mind from knowing your email authentication is in expert hands.
Ready to take your DKIM management to the next level? Valimail Monitor gives you insight into your DKIM management for free.
Frequently asked questions
Can you have multiple DKIM records on one domain?
Yes. A domain can have as many DKIM records as it has sending services, each published at its own unique selector. This is standard practice for any organization that sends through more than one email service, and the records don’t interfere with each other.
How many DKIM records can you have?
There’s no fixed limit. You can add a DKIM record for every service that sends on your behalf, each at its own selector. Unlike SPF, which permits only one record per domain, DKIM places no cap on the number of selectors you can publish.
Can you have two DKIM records at the same selector?
No. Each selector should hold exactly one DKIM key. The receiving server uses the selector named in the message’s signature to look up the matching key, so two keys at one selector cause conflicts and failures. If you need an additional key, publish it under a new selector.
Do multiple DKIM records cause deliverability problems?
Not when they’re set up correctly. As long as each record sits at its own selector and its key is valid and current, multiple DKIM records improve authentication rather than hurt it. Problems come from misconfigurations, expired keys, duplicate selectors, or a service left unsigned, which is exactly what regular audits and monitoring are for.
How it works
Once you click Generate, Ollama reads this article and crafts 5 comprehension questions. Your answers are graded against the article content — general knowledge won't be enough. Score 70+ to count toward your certificate.
Questions are cached — you'll always get the same 5 for this article.