DKIM: Better sign your emails and increase deliverability

Domain spoofing, phishing and spear phishing are now the order of the day, forcing more and more companies to equip themselves with email authentication systems in order to secure the best delivery rates, maintain a high reputation and get through spam filters.

We have previously reported how, alongside the long-established SPF and DKIM methods, the use of DMARC has also become firmly established in recent years.

DMARC builds on SPF and DKIM and helps both those who send (the sender, often the brand) and those who receive (the receiver or mailbox provider) to determine whether a message has been sent legitimately.

For this reason, Send's functionality has long since been enhanced to provide the tools needed to meet the requirements that the DMARC protocol imposes and to reap the full benefits of its adoption.

In this article, we will look at how the ways of selecting the DKIM used to sign emails on Send ensure increasingly effective DMARC alignment.

DKIM, DMARC and DMARC alignment

What is the DKIM protocol

DomainKeys Identified Mail is an email authentication standard that allows you to digitally sign messages and gives those who receive them the ability to check:

  • Authenticity, i.e. that you are really authorised to send those emails.
  • Integrity, i.e. that the content has not been modified during delivery.

How? When the email is received, and before the message is delivered, the recipient's server verifies cryptographically that the signature in the header matches the key associated with the sender's domain. If so, the email ends up in the inbox.

The multi-DKIM

📣 In particular, Send allows you to manage, on a single account, customised DKIMs on a domain-by-domain basis, guaranteeing their alignment with your sender domains in the terms summarised below in the discussion of DMARC.

You can thus use different domains for different newsletters such as product mailings or commercial communications, and always be DMARC compliant and ensure maximum deliverability.

In addition, Send offers the possibility of setting 2048-bit keys for your account, confirming Contactlab as one of the first ESPs to propose such high security services at no extra cost.

How DMARC works

DMARC is a notification system that allows you to gain visibility into the traffic of your domain as the sender. In addition to reporting the result of the SPF and DKIM checks, this method creates a link between the visible From domain (header From, RFC 5322) and the technical domains (the Envelope From domain of RFC 5321 and the DKIM domain).

If the visible From domain is equal to the SPF or DKIM domain, then DMARC alignment occurs, that is, the condition that allows the email to be delivered correctly.


[Image: multi-DKIM on Send]


If, however, DMARC detects a misalignment between domains, it is you, the sender, who tells the receiving mailbox provider (Gmail, Microsoft, Yahoo!) how to handle the misaligned email. You do this with a logic of progressive severity, in which you ask the mailbox provider to:

  • apply no policy and thus take no specific action on the mismatched email: p=none
  • put the unaligned email in spam: p=quarantine
  • reject the email: p=reject

It is immediately apparent that as DMARC spreads, the customisation of the DKIM domain and its alignment with your sender domain becomes more and more necessary.

New ways of selecting DKIM on Send

To simplify, DMARC alignment occurs when the from domain and DKIM domain are identical.

In reality, however, the rule is more nuanced. Two domains lead to DMARC alignment when their organisational domains coincide, in which case we speak of relaxed alignment. The organisational domain is the main part of a domain.

Taking as an example, the organisational domain is The organisational domain is normally the corporate domain, or brand domain.

If we therefore consider this extended version of the rule, it is possible to have DMARC alignment, certainly in cases of perfect coincidence between domains, but also in other situations.

Example 1

Example 2

This opens up the possibility for you to set up a From whose domain does not necessarily coincide with one of the signed DKIM domains, but which nonetheless shares the organisational domain.
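
The relaxed-alignment rule and the p= policies described above, as an added example (not Contactlab's or Send's code): it computes organisational domains and returns the DMARC outcome for a message. The domains, the records and the small SUFFIXES set (a stand-in for the Public Suffix List) are constructed for illustration.

```python
# Added example: DMARC identifier alignment and policy lookup.
# SUFFIXES is a tiny constructed stand-in for the Public Suffix List.
SUFFIXES = {"com", "net", "it", "co.uk"}

def org_domain(domain):
    """Organisational domain = public suffix plus one label to its left."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        # i grows from 0, so the longest matching suffix is found first
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # assumption: unknown suffixes have one label

def aligned(from_domain, auth_domain, mode="r"):
    """mode 'r' = relaxed (same organisational domain), 's' = strict (identical)."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; adkim=s' into a tag dictionary."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def dmarc_disposition(from_domain, record, dkim_pass_domains=(), spf_pass_domain=None):
    """Return 'pass' when an authenticated domain aligns with the From domain,
    otherwise the policy (none / quarantine / reject) the sender published."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    # adkim / aspf select strict or relaxed alignment; relaxed is the default
    dkim_ok = any(aligned(from_domain, d, tags.get("adkim", "r"))
                  for d in dkim_pass_domains)
    spf_ok = (spf_pass_domain is not None
              and aligned(from_domain, spf_pass_domain, tags.get("aspf", "r")))
    return "pass" if dkim_ok or spf_ok else tags["p"]

if __name__ == "__main__":
    # Constructed cases: From is the corporate domain, DKIM signs a subdomain.
    cases = [
        ("v=DMARC1; p=reject", ["news.example.com"]),               # relaxed
        ("v=DMARC1; p=quarantine; adkim=s", ["news.example.com"]),  # strict
        ("v=DMARC1; p=reject", ["esp.example.net"]),                # other org
    ]
    for record, dkim in cases:
        print(record, dkim, "->", dmarc_disposition("example.com", record, dkim))
```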

The recent innovations introduced in Send adopt relaxed alignment when choosing the DKIM in order to meet your real needs: first and foremost, the desire to set the corporate domain in the From without necessarily having to define a DKIM signature on it, which would entail delegating the top-level domain to Contactlab.


DMARC is becoming increasingly popular because it guarantees reputation and good visibility, also thanks to BIMI support, and because it prevents domain spoofing. To take full advantage of it, however, the alignment of the sender and signed domains must always be ensured when choosing the DKIM.

Thanks to the revised DKIM selection criteria on Send, you can fully guarantee compliance with this requirement, benefiting from:

  • Greater flexibility in using different domains for different newsletters.
  • No delegation to Contactlab of top-level domains.
  • Full compliance with DMARC and improved service provided by SPF and DKIM.
  • Highest levels of deliverability and reputation preservation.
  • Protection of your business.
  • GDPR compliance.
  • Openness to possible security developments.


