Why do you sometimes see two DKIM signature on a single email?

You maybe already noticed on some emails received, when looking at the headers you can find 2 DKIM signatures, and 2 DKIM results, one using your own domain (bressier.fr on this example) and one using your ESP's domain (sendib.com on this example). Why the heck your ESP is doing that ?

Authentication-Results: mx.google.com;
       dkim=pass header.i=@bressier.fr header.s=mail header.b=xjAWgYt1;
       dkim=pass header.i=@sendib.com header.s=mail header.b=zNRqfud1;
       spf=pass (google.com: domain of noreply@sib.scanmy.email designates 212.146.215.142 as permitted sender) smtp.mailfrom=noreply@sib.scanmy.email;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=bressier.fr
DKIM-Signature: a=rsa-sha256; bh=Mi4Ptruf3aiF5LqQkgnB4ysAKkkkxo7wikG3Cc8o8SE=; c=relaxed/relaxed; d=bressier.fr; h=to:cc:from:reply-to:subject:date:mime-version:content-type:list-id:list-unsubscribe:x-csa-complaints:list-unsubscribe-post:message-id:sender:x-sib-id:x-mailin-client:x-mailin-campaign:feedback-id; q=dns/txt; s=mail; t=1618653372; v=1; b=xjAWgYt1qLwxzeO4C58+13pa9xUbhy7osvfEYNu9BxDHRAzdq6um9dUjbiGlyQZNVQGGWkxr LOqZAI782Tl0Jm8KhW2XOPXTM0tbyIeBCkaSBAur6A+xATnhqXCbmWYmOLPhYAinKPpgpH6RDsE rlA4CvDQtkEemLYEdpH9MdIE=
DKIM-Signature: a=rsa-sha256; bh=Mi4Ptruf3aiF5LqQkgnB4ysAKkkkxo7wikG3Cc8o8SE=; c=relaxed/relaxed; d=sendib.com; h=to:cc:from:reply-to:subject:date:mime-version:content-type:list-id:list-unsubscribe:x-csa-complaints:list-unsubscribe-post:message-id:sender:x-sib-id:x-mailin-client:x-mailin-campaign:feedback-id; q=dns/txt; s=mail; t=1618653372; v=1; b=zNRqfud1FiIa3SwHWVBTmpyr+qVOVtfmBskmAAwTG0joD9DFcexOf6BRCyTRao4GU+FKo8oU I7qru7U+/ZwqZvgWi0Eu2qh07obCYys3bnNrCMZ86UGSP+Oa4i09Sn046i9ve3JIFllaFsR1zb6 jIt74VPPNzYVPW42qpRS3AmY=

Signing the emails sent with your domain, is obviously done to let the recipient server know the email has not been altered between sending and reception, that's a fact, it is also done to let the server know you are the owner of this sending domain (as you've been able to sign with the private RSA key associated to the public key stored on the DNS zone of your domain, also called DKIM record) What is less obvious is that second signature, which is mostly performed on 2 destinations:

  • Gmail
  • VMG destinations (Verizon Media Group, including at least Yahoo, AOL)

Indeed, that destinations are not providing usual FBL programs (feedback loops, spam complaints programs) . Most of the FBL programs are IP based, meaning that the ESP needs to enroll all its sending IPs on the provider's FBL program. VMG and Gmail are providing FBLs based on DKIM domains, meaning the FBL spam complaints reported by recipients will only be sent back to the owner of the domain used to DKIM sign the message. If you have enrolled your domain on Google Postmaster Tools you'll be able to access the complaint rates of your emails, if you have enrolled your domain on VMG's FBL program you'll receive complaints on ARF format to the email address you've used to subscribe.

But your ESP also need to receive that complaints, as it is managing spam complaints for you, and usually blocking the involved recipients to prevent them from receiving new emails from you, that's why a second DKIM signature is added, with ESP's domain already enrolled on GPT and VMG FBL, to receive spam complaints reported by your recipients.

Both signatures are evaluated on recipient side, and if you do have a DMARC record on your sending domain, only the signature using your domain will be taken into consideration to compare the DKIM domains alignment.