d= for data

A few ISPs use the d= value in the DKIM signature as a way to provide FBL and reputation data to senders. This has some good bits, in that senders can get FBLs and other information regardless of the IP address they’re using and whether or not they have sole access to it.


There are also some challenges with using the d= as a data identifier. One of them is that ESPs may not be able to get a full picture of what their overall customer base is doing if their customers are signing with their own d= value.

Some ESPs have solved this by adding two DKIM signatures to the email. The first signature is with their own d= value, one that is shared across all their customers. The second is with the individual d= for that particular customer.

There are a couple of questions that regularly come up when I discuss double DKIM signing with folks. One of them is how much weight is given to the shared DKIM signature? There is some, but if the domains are signed in the correct order, the ESP domain seems to fade into the background of reputation.

Another question related to double DKIM signing is whether signing twice will reveal information about the sending infrastructure to the receivers or the end users. In the vast majority of cases, the answer is no. Most ESPs provide IP addresses for their customers to use. These IPs are identified as belonging to the ESP, and ownership can be determined using standard tools. While many end users may not be able to easily figure out who the ESP is, experts and ISPs can.

But what happens for ESPs that use one of the API based providers? For instance, an ESP that uses Sendgrid or Amazon SES may want to allow customers to sign with their own d= but also monitor all their customers. In this case, the ESP should be able to sign with its own shared d= before handing the message off to the API based provider. That provider can then sign with its own key and then, finally, sign with the customer specific key.

There is theoretically no limit to the number of DKIM signatures you can add to a message. You just need to be careful about which of the headers you sign, to avoid having them altered during future steps. Of course, in practice there are unlikely to be cases where quadruple DKIM signing is necessary. But I say that now and someone will point out a case where it makes sense.
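To make the "which headers you sign" point concrete, here is an added Python example (not from this post) that implements DKIM relaxed header canonicalization and the RFC 6376 h= selection rule, then hashes exactly what a signature with a given h= list covers; it stands in for the real signature input, which also includes the body hash and the DKIM-Signature header itself. The message headers and the provider-added List-Unsubscribe header are constructed for the example.

```python
import hashlib
import re

# Constructed sample header block (not from the post); CRLF line endings as on the wire.
ORIGINAL_HEADERS = (
    b"From: Sender <news@customer.example>\r\n"
    b"To: Someone <user@isp.example>\r\n"
    b"Subject: Weekly\r\n  update\r\n"
    b"Date: Mon, 01 Jan 2024 10:00:00 +0000\r\n"
)
# A later signer (e.g. the API based provider) prepends a header of its own.
LATER_HEADERS = b"List-Unsubscribe: <mailto:unsub@provider.example>\r\n" + ORIGINAL_HEADERS

SAFE_H = "From:To:Subject:Date"                   # leaves room for later additions
RISKY_H = "From:To:Subject:Date:List-Unsubscribe"  # signs the *absence* of the header

def parse_headers(raw):
    """Split a raw header block into (name, value) pairs, joining folded lines."""
    fields = []
    for line in raw.decode("ascii").split("\r\n"):
        if not line:
            continue
        if line[0] in " \t" and fields:            # continuation of a folded header
            fields[-1] = (fields[-1][0], fields[-1][1] + "\r\n" + line)
        else:
            name, value = line.split(":", 1)
            fields.append((name, value))
    return fields

def relaxed_canon(name, value):
    """RFC 6376 section 3.4.2 relaxed header canonicalization."""
    value = re.sub(r"\r\n[ \t]+", " ", value)       # unfold
    value = re.sub(r"[ \t]+", " ", value).strip()   # collapse and trim whitespace
    return name.lower().strip() + ":" + value + "\r\n"

def select_signed_headers(fields, h_tag):
    """RFC 6376 section 5.4.2: for each name in h=, take the lowest unused instance;
    a name with no remaining instance contributes nothing, so a later addition breaks it."""
    used, out = set(), []
    for wanted in h_tag.split(":"):
        for idx in range(len(fields) - 1, -1, -1):
            if idx not in used and fields[idx][0].lower() == wanted.lower():
                used.add(idx)
                out.append(relaxed_canon(*fields[idx]))
                break
    return "".join(out)

def header_hash(raw, h_tag):
    """Hex SHA-256 of the canonicalized headers a signature with this h= covers."""
    return hashlib.sha256(select_signed_headers(parse_headers(raw), h_tag).encode()).hexdigest()

def first_signature_survives(h_tag):
    """True if the first signer's covered header data is unchanged after the later hop."""
    return header_hash(ORIGINAL_HEADERS, h_tag) == header_hash(LATER_HEADERS, h_tag)
```

The same check can be applied to any header a downstream hop is known to add or rewrite before deciding whether to list it in h=.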

In any case, there are no technical reasons to limit DKIM signatures to one or two. This is very helpful for those cases where DKIM is being used in ways unrelated to reputation.
