You inspect the headers of an email sent through your ESP (Brevo, Mailchimp, SendGrid…) and notice two distinct DKIM signatures: one with your domain, one with the ESP’s domain. Is this normal? Absolutely, and it’s actually desirable.
What It Looks Like in the Headers
Here’s a typical Authentication-Results example:
Authentication-Results: mx.google.com;
dkim=pass header.i=@yourdomain.com header.s=mail header.b=xjAWgYt1;
dkim=pass header.i=@esp-domain.com header.s=mail header.b=zNRqfud1;
spf=pass ...
dmarc=pass (p=REJECT) header.from=yourdomain.com
And two DKIM-Signature: blocks in the message: one with d=yourdomain.com, the other with d=esp-domain.com.
Why Your Domain Signs
The first signature, using your domain (d=yourdomain.com), serves to:
- Prove authenticity: the receiving server can verify the message hasn’t been tampered with
- Satisfy DMARC alignment: the
d=domain in the signature must match theFrom:domain for DMARC to pass - Build your domain reputation: mailbox providers associate sending quality with your signing domain
For more details on how DKIM works, see our complete DKIM guide.
Why the ESP Adds Its Own Signature
The second signature, with the ESP’s domain, exists for a specific reason: Feedback Loops (FBL).
The Classic FBL Model
Most FBL programs are IP-based. The ESP registers its sending IPs with mailbox providers (Outlook, etc.) and receives a report whenever a recipient marks a message as spam.
The Gmail and Yahoo Exception
Gmail and Yahoo (formerly Verizon Media Group, including AOL) work differently: their FBL programs are based on the DKIM domain, not the IP.
In practice:
- Gmail: if you register your domain on Google Postmaster Tools, you can access complaint rates associated with your DKIM domain
- Yahoo/AOL: the FBL program sends complaints in ARF format to the DKIM domain owner
The problem: your ESP also needs to receive these complaints to block unhappy recipients and prevent future sends to people who no longer want your emails.
Solution: the ESP adds a second DKIM signature with its own domain, already registered on Google Postmaster Tools and Yahoo’s FBL program. This way, both parties receive complaints.
Impact on DMARC
All DKIM signatures on an email are evaluated by the receiving server. However, for DMARC alignment, only the signature whose d= domain matches the From: domain is considered.
| Signature | d= Domain | Used for DMARC? |
|---|---|---|
| Yours | yourdomain.com | Yes (aligns with From:) |
| ESP’s | esp-domain.com | No (no alignment) |
The ESP’s signature doesn’t interfere with your DMARC. It coexists silently for FBL purposes.
How to Check Your DKIM Signatures
- Header Analyzer: paste a received email’s headers to see all DKIM signatures and their results
- DKIM Checker: verify your DKIM DNS record is correctly published
- Free audit: send a test email to validate your entire configuration
What If You Only See One Signature?
If only the ESP’s domain appears in the DKIM signature, it means you haven’t enabled DKIM with your own domain at your ESP. Consequences:
- DMARC will fail on DKIM alignment (the
d=doesn’t match yourFrom:) - Your domain reputation isn’t being built
- You depend entirely on the ESP’s IP reputation
Most ESPs offer an option to sign with your domain. Look in settings for: “Authenticate your domain”, “Custom DKIM”, or “Domain authentication”. This typically requires adding a CNAME or TXT record in your DNS zone.
Further Reading
- Configure DKIM, the complete guide
- DKIM RSA Key Size: 1024 vs 2048 vs Ed25519
- Configure DMARC, to understand alignment
- Run a free audit to check your setup in 30 seconds