DKIM for Multiple Senders: Key Management Guide
Configure DKIM when using multiple email services. Learn how to manage DKIM selectors for marketing platforms, support tools, and transactional systems.
Last updated: 2026-02-04
Modern organizations send email from many sources: marketing from Mailchimp, support tickets from Zendesk, transactional emails from SES, and internal mail from Google Workspace. Each needs its own DKIM configuration.
Multiple DKIM selectors can coexist for the same domain. Each email service signs with its own key, and receivers verify using the selector specified in the signature.
How Multiple DKIM Keys Work
DKIM selectors make multiple keys possible. When an email is signed, the selector tells receivers where to find the public key:
DKIM-Signature: d=yourdomain.com; s=mailchimp; ...
The receiver looks up: mailchimp._domainkey.yourdomain.com
This means:
- Each service can have its own key pair
- Keys don't conflict with each other
- You can rotate keys for one service without affecting others
- Failed signatures from one service don't impact other services
Common Multi-Service Scenarios
Marketing + Transactional + Corporate Email
| Purpose | Service | Selector | DNS Record |
|---|---|---|---|
| Corporate email | Google Workspace | `google` | `google._domainkey` |
| Marketing campaigns | Mailchimp | `k1` | `k1._domainkey` |
| Transactional | Amazon SES | `amazonses` | `amazonses._domainkey` |
| Support tickets | Zendesk | `zendesk1` | `zendesk1._domainkey` |
E-commerce Stack
| Purpose | Service | Selector |
|---|---|---|
| Order confirmations | SendGrid | `s1`, `s2` |
| Abandoned cart | Klaviyo | `klaviyo` |
| Support | Freshdesk | `freshdesk` |
| Corporate | Microsoft 365 | `selector1`, `selector2` |
SaaS Application
| Purpose | Service | Selector |
|---|---|---|
| App notifications | Self-hosted Postfix | `mail` |
| Marketing | HubSpot | `hs1` |
| Support | Intercom | `intercom` |
| Team email | Google Workspace | `google` |
Need a custom DKIM key?
Generate keys for services that don't provide their own DKIM configuration.
Setting Up Multiple Services
Inventory your email sources
List every service that sends email from your domain. Check with marketing, support, product, and IT teams—there are often more sources than expected.
Document current DKIM status
For each service, note: Does it support DKIM? What selector does it use? Is it already configured?
Configure each service
Enable DKIM in each service's dashboard. Most provide DNS records to add. For services without built-in DKIM, generate custom keys.
Add all DNS records
Add each service's DKIM record to your DNS. They use different selectors, so there's no conflict.
Verify each service
Send test emails from each service and check headers for DKIM pass results.
DNS Record Example
For a domain using Google Workspace, Mailchimp, and a custom application:
; Google Workspace
google._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIIBIj..."
; Mailchimp
k1._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIGfMA0..."
; Custom application
app._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIIBIjA..."
All three records exist simultaneously. Each service's emails will be verified against its specific key.
Services That Need Custom Keys
Some services don't provide DKIM or require you to bring your own:
- Self-hosted applications (custom code sending via SMTP)
- Older on-premise software
- Some CRM and ticketing systems
- Custom marketing automation
For these, use DKIM Creator to generate keys, then configure the service with the private key.
DMARC Alignment with Multiple Senders
DMARC requires alignment—the domain in the DKIM signature must match the From header domain.
Check alignment mode:
relaxed(default): Subdomains are allowedstrict: Exact match required
Subdomain strategy:
Some organizations use subdomains for clarity:
| Service | From Address | DKIM Domain |
|---|---|---|
| Marketing | `marketing@mail.yourdomain.com` | `mail.yourdomain.com` |
| Transactional | `noreply@yourdomain.com` | `yourdomain.com` |
| Support | `support@help.yourdomain.com` | `help.yourdomain.com` |
This isolates reputation—marketing issues don't affect transactional delivery.
Monitoring Multiple Services
With multiple DKIM keys, monitoring becomes essential:
DMARC reports show which services are passing or failing:
<record>
<source_ip>198.51.100.1</source_ip>
<policy_evaluated>
<dkim>pass</dkim>
</policy_evaluated>
<auth_results>
<dkim>
<domain>yourdomain.com</domain>
<selector>mailchimp</selector>
<result>pass</result>
</dkim>
</auth_results>
</record>
Per-service monitoring:
- Track bounce rates per sending source
- Monitor DKIM pass rates in email analytics
- Set alerts for authentication failures
Troubleshooting Multi-Service DKIM
One service failing, others passing
- Check that specific service's selector and DNS record
- Verify the service is configured to use your domain
- Check if the service requires domain verification
DMARC failures despite DKIM pass
- Alignment issue: DKIM domain doesn't match From domain
- Check if the service is signing with their domain instead of yours
- Some services require explicit custom domain configuration
Duplicate selector conflict
- Two services can't use the same selector
- Rename one (most services let you customize the selector)
- Or use subdomains to separate them
Best Practices
- Maintain a selector registry — Document which service uses which selector
- Use descriptive selectors —
marketing2024,support,appare better thankey1,key2 - Plan for rotation — Include version or date in selectors for easier rotation
- Separate by subdomain when sensible — Isolates reputation and simplifies management
- Monitor DMARC reports weekly — Catch issues before they impact deliverability
Related Articles
Managing DKIM across multiple services? Generate custom keys when you need them.
Generate custom DKIM keys
Create key pairs for services that don't provide their own. Browser-based, secure, and free.
Generate DKIM Keys