
DKIM Signing Profiles for multiple domains

bosco.manjaly
Level 1

We currently sign outbound traffic with DKIM for a single domain from our ironports.

Our company recently acquired a few domains and wanted to know how we could set up these additional domains in Ironport and DKIM sign them.

Is it possible to assign the same DKIM profile (selector) for the additional domains, or would we need to create a new profile for each domain with a different selector?

6 Replies

If I remember correctly, DKIM uses the sender address domain to look up the public key, so you'll need to create profiles for each domain, with corresponding DNS entries for keys...

Actually, DNS query to look up the key is constructed from the Signing Domain ID field of the signature ("d" tag) and the Selector ("s" tag), both of which are configured in the DKIM Signing Profile. So, you *can* publish a single key, and sign messages with From addresses from different domains, using a DKIM key of just one domain.

However, should you ever want to implement DMARC as well, messages signed in this way will fail DMARC verification. So, to be future-proof, best bet is to create separate signing profiles and publish separate public key records in the DNS. You can still use the same keypair in all the profiles.
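The lookup and alignment behaviour described in the reply above, as an added example that is not part of the original thread or Cisco's code: it builds the key record name from the `s=` and `d=` tags and checks DMARC identifier alignment against the From domain, without verifying the signature itself. The domains, the selector `ironport1`, and the two-label `org_domain` shortcut are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: From is in an acquired domain, but the message is signed
# with the original domain's profile (d= and s= values are made up).
SAMPLE = (
    "From: Sales <sales@acquired.example>\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=parent.example;\r\n"
    " s=ironport1; h=from:subject:date; bh=AAAA; b=BBBB\r\n"
    "Subject: test\r\n\r\nbody\r\n"
)

def dkim_tags(value):
    """Parse a DKIM-Signature tag=value list (folding whitespace tolerated)."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags

def key_record_name(tags):
    """DNS name of the TXT record a verifier queries for the public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def org_domain(domain):
    # Assumption: the last two labels stand in for the organizational domain.
    # Real DMARC implementations use the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dkim_aligned(from_domain, d, strict=False):
    """DMARC identifier alignment between the From domain and the d= tag."""
    if strict:
        return from_domain.lower() == d.lower()
    return org_domain(from_domain) == org_domain(d)

def check(raw):
    """Return (From domain, [(key record name, aligned?), ...]) for a message."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    results = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = dkim_tags(sig)
        results.append((key_record_name(tags), dkim_aligned(from_domain, tags["d"])))
    return from_domain, results

if __name__ == "__main__":
    print(check(SAMPLE))
    print(check(SAMPLE.replace("d=parent.example", "d=acquired.example")))
```

The first call shows a signature that a verifier can still look up under the original domain but that is not aligned with the From domain; the second shows the per-domain profile case, where the record is published under the acquired domain and alignment holds.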

Thanks Harry! I conflated DKIM and DMARC... I knew that there was a reason I did mine with profiles for each domain.

Ken

Hello,

We would like to activate DKIM (signing) for one (or more) sender domains (e.g. domainA.de) and NOT activate DKIM for other domains (e.g. domainB.de) which will arrive at our ESA from the same host (there is an Exchange hosting domainA.de and domainB.de, and the ESA is the internet mail gateway). If I activate DKIM signing in the Mailflow Policy for the Exchange host and my domain domainB.de is not DKIM ready, would it be a problem? Is it possible to route a "non-DKIM domain" like domainB.de with a "DKIM sign enabled" Mailflow Policy?

Thanks a lot!

Michael

Hello,

The ESA will only DKIM sign emails based on the domain listed within the 'Domain Name' field in the DKIM Signing Profile. It's recommended to create the Signing Profile and set up the DNS record prior to enabling DKIM Signing in the Mail Flow Policy, or else you'll run into verification failures.

Thanks!
-Dennis M.

Hello Dennis, thank you for this clarification. Now it makes sense for me ;-)