DKIM with same key but different domains

We are planning to sign emails with DKIM for multiple domains.

Each domain will have a CNAME to a DNS entry in a common domain where the keys are stored. If every domain signs with the same key, but of course using a different domain and selector, will all of them build an independent reputation?

If one domain is marked as a spammer, will it affect the deliverability of the other domains?

They are completely different and use a different selector. They just share the key.


You can use the same key for multiple domains. Using different selectors for the same key won't help your reputation. It will also make signing more difficult. You can use the same selector for different keys as they will be published under different domains.

You will need to publish the selector DNS record for each sending domain. Sign the outgoing message with the matching private key.

In my experience, a high percentage of organizations either don't publish a DKIM record or publish an invalid one. Neither case adds credibility.

If you are sending from the same IP address, all domains will be marked as spam. Most blacklists are IP based, not domain based. As long as you are using a properly configured server, including DNS configuration, it is unlikely your server will be flagged as spamming unless you send spam. Double opt-in should prevent that.

Do ensure your servers are not open relays. Open relays do get flagged and are commonly used to send spam. I do my best to ensure the spam gets left on the open relay as long as possible.


This solution is not very flexible or elegant (same selector), but it works.

In opendkim.conf you can specify multiple domains without KeyTable/SigningTable, just:

Domain    xxx.tld,yyy.tld,zzz.tld
Selector    default
KeyFile    /etc/opendkim/keys/default.private

In DNS zone of xxx.tld:

default._domainkey TXT "v=DKIM1;k=rsa;p=...."

In DNS Zone of yyy.tld:

default._domainkey CNAME default._domainkey.xxx.tld.

In DNS Zone of zzz.tld:

default._domainkey CNAME default._domainkey.xxx.tld.

PS: An advantage: if you must generate the key, you only need to modify the DNS zone of xxx.tld.

(sorry for my English)
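As an added example (not code from either answer), a small offline check of the CNAME layout described above: it follows default._domainkey.<domain> through CNAMEs the way a verifier does, parses the TXT tag list, and confirms that every domain ends at the same usable p= value. The zone data and the key bytes are constructed in the script, not real DNS.

```python
import base64
import re

# Constructed zone data mirroring the answer above (not real DNS): xxx.tld
# publishes the TXT record, yyy.tld and zzz.tld CNAME to it. The p= value is
# a placeholder blob, not a real RSA key. broken.tld is an invalid record.
SAMPLE_PUBKEY = base64.b64encode(b"\x30\x0d" + b"\x00" * 30).decode()
ZONES = {
    "default._domainkey.xxx.tld": ("TXT", f"v=DKIM1;k=rsa;p={SAMPLE_PUBKEY}"),
    "default._domainkey.yyy.tld": ("CNAME", "default._domainkey.xxx.tld"),
    "default._domainkey.zzz.tld": ("CNAME", "default._domainkey.xxx.tld"),
    "default._domainkey.broken.tld": ("TXT", "v=DKIM1;k=rsa;p=notbase64!"),
}

def resolve_txt(name, zones=ZONES, max_hops=8):
    """Follow CNAMEs (as a DKIM verifier does) until a TXT record is reached."""
    for _ in range(max_hops):
        rtype, value = zones.get(name.rstrip("."), (None, None))
        if rtype == "TXT":
            return value
        if rtype != "CNAME":
            return None
        name = value
    return None  # CNAME loop or chain too long

def parse_dkim_record(txt):
    """Parse 'tag=value;...' into a dict; whitespace inside values is ignored."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def check_domain(domain, selector="default", zones=ZONES):
    """Return (ok, p_value_or_reason) for selector._domainkey.domain."""
    txt = resolve_txt(f"{selector}._domainkey.{domain}", zones)
    if txt is None:
        return False, "no TXT record reachable"
    tags = parse_dkim_record(txt)
    # v= is optional but must be DKIM1 if present; an empty p= means revoked.
    if tags.get("v", "DKIM1") != "DKIM1" or not tags.get("p"):
        return False, "missing v=DKIM1 or empty p="
    try:
        base64.b64decode(tags["p"], validate=True)
    except ValueError:
        return False, "p= is not valid base64"
    return True, tags["p"]

def shared_key_report(domains, selector="default", zones=ZONES):
    """Map each domain to its check result; one shared key means one p= value."""
    return {d: check_domain(d, selector, zones) for d in domains}
```

Run shared_key_report over the Domain list from opendkim.conf before enabling signing; any domain whose result differs from the others has a broken CNAME or a stale record.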