Can I have multiple DKIM TXT records in a single domain?

I have several cloud applications that send email. Each application has DKIM set up.

For example:

cloud app 1 : k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfl0chtL4siFYCrSPxw43fqc4zOo3N+Il220oK2Cp+NZw9Kuvg8iu2Ua3zfbUnZWvWK4aEeooliRd7SXIhKpXkgkwnAB3DGAQ6+/7UVXf9xOeupr1DqtNwKt/NngC7ZIZyNRPx1HWKleP13UXCD8macUEbbcBhthrnETKoCg8wOwIDAQAB
cloud app 2 : k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfl0chtL4siFYCrSPxw43fqc4zOo3N+Il220oK2Cp+NZw9Kuvg8iu2Ua3zfbUnZWvWK4aEeooliRd7SXIhKpXkgkwnAB3DGAQ6+/7UVXf9xOeupr1DqtNwKt/NngC7ZIZyNRPx1HWKleP13UXCD8macUEbbcBhthrnETKoCg8wOwIDAQAB

Can I add two separate TXT records to my DNS? Or should I combine both TXT records into one?

Please explain how to add multiple TXT records for a single domain.


Solution 1:

Yes, you can. A DKIM signature looks like this:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
 bh=M1X/nttSCpN...ttSCpN=;
 b=SPso8U12ChySEQcnJcvm76...RAxjJFcBI=

During validation the selector and domain (selector1 and example.com above respectively) are both used to locate the TXT record with the public key. This is done by merging them with _domainkey in between:

selector1._domainkey.example.com

In your case you can use 2 different selectors (like cloudapp1 and cloudapp2), then each private key can have its own unique DNS record. The corresponding DNS entries would look something like:

cloudapp1._domainkey 3600 IN TXT "v=DKIM1; k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfl0chtL4siFYCrSPxw43fqc4zOo3N+Il220oK2Cp+NZw9Kuvg8iu2Ua3zfbUnZWvWK4aEeooliRd7SXIhKpXkgkwnAB3DGAQ6+/7UVXf9xOeupr1DqtNwKt/NngC7ZIZyNRPx1HWKleP13UXCD8macUEbbcBhthrnETKoCg8wOwIDAQAB"
cloudapp2._domainkey 3600 IN TXT "v=DKIM1; k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfl0chtL4siFYCrSPxw43fqc4zOo3N+Il220oK2Cp+NZw9Kuvg8iu2Ua3zfbUnZWvWK4aEeooliRd7SXIhKpXkgkwnAB3DGAQ6+/7UVXf9xOeupr1DqtNwKt/NngC7ZIZyNRPx1HWKleP13UXCD8macUEbbcBhthrnETKoCg8wOwIDAQAB"
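
The lookup described above, as an added example that is not part of the answer: it extracts d= and s= from a DKIM-Signature header, builds the selector._domainkey.domain name, and resolves it against a constructed in-memory zone with one TXT record per selector. The header, zone and key values are made up; a real verifier would query DNS instead of the dict.

```python
import re

# Constructed sample header (values are placeholders, not a real signature).
DKIM_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
    " s=cloudapp1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;\r\n"
    " bh=M1X/nttSCpN...ttSCpN=;\r\n"
    " b=SPso8U12ChySEQcnJcvm76...RAxjJFcBI="
)

# Constructed stand-in for the DNS zone: one TXT record per selector.
# (In real DNS a long p= value is split into 255-byte strings that the
# resolver concatenates before parsing; the dict holds the joined form.)
ZONE_TXT = {
    "cloudapp1._domainkey.example.com": "v=DKIM1; k=rsa; t=s; p=MIGfMA0G...KEY1",
    "cloudapp2._domainkey.example.com": "v=DKIM1; k=rsa; t=s; p=MIGfMA0G...KEY2",
}


def parse_tags(value):
    """Parse a DKIM tag=value list into a dict.

    Folding whitespace is stripped first, as the verifier does before
    interpreting either the signature header or the TXT record."""
    tags = {}
    for item in re.sub(r"\s+", "", value).split(";"):
        if item:
            name, _, val = item.partition("=")
            tags[name] = val
    return tags


def lookup_name(header):
    """Return the TXT name a verifier queries: <s>._domainkey.<d>."""
    body = header.split(":", 1)[1]  # drop the 'DKIM-Signature' field name
    tags = parse_tags(body)
    return f"{tags['s']}._domainkey.{tags['d']}"


def fetch_public_key(header, zone):
    """Locate the selector's record and return its base64 public key (p=).

    Returns None when no record exists for that selector or the record is
    not a usable DKIM1 key record; a verifier then reports a permanent
    failure rather than trying other selectors on the domain."""
    record = zone.get(lookup_name(header))
    if record is None:
        return None
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1" or not tags.get("p"):
        return None
    return tags["p"]
```

Swapping s=cloudapp1 for s=cloudapp2 in the header selects the second record; an unknown selector yields None, which is why each sending service needs its own selector rather than a merged record.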

Solution 2:

Yes, you can have multiple DKIM records, TXT or CNAME-typed, on a single domain.

Multiple DKIM selectors and private/public key pairs are usually created for these reasons:

1. A domain uses multiple email delivery services to send emails; in this case, multiple DKIM selectors and private/public key pairs must be used to separate these services.

For example, if you authorize both Mailchimp and Convertkit to send emails on your behalf, you need to have at least one selector for Mailchimp and one for Convertkit (usually more). This way, the signing/verification servers can locate the correct key pairs.

2. Even if you are using only one email delivery service, having multiple selectors/key pairs is a best practice for security reasons. One needs to periodically change the key pairs to lower the risk of being compromised. This is known as "DKIM key rotation".

When you create multiple DKIM records, you need to choose a selector that is unique across all DKIM records on that domain. This way, the use of a DKIM record doesn't interfere with that of another.

Refer to this post for more information: https://dmarcly.com/blog/what-is-dkim-selector-and-how-does-it-work-dkim-selector-explained

Solution 3:

Yes, you should have multiple TXT records, and you keep them separate by using DKIM selectors.

Read the following link for more information: https://help.dreamhost.com/hc/en-us/articles/215029758