Multiple DKIM Signatures Conflict (Double Signing and Priority Rules)
Messages may carry several DKIM-Signature headers when an internal gateway signs, then a mailing list wraps, then the ESP signs again for the customer domain. Receivers evaluate signatures independently, but DMARC alignment picks among them—and humans read headers expecting a single story. Conflicts appear when one signature verifies while another fails because a hop rewrote content, or when two selectors publish different keys for the same stream and rotation overlaps. The failure you care about might be the second signature, not the first. Untangling which layer owns remediation prevents bogus DKIM record edits. Many issues come down to a missing DKIM record or a selector mismatch in DNS.
Updated for 2026 to reflect current Gmail, Outlook, and Yahoo behavior.
If signatures fail, check the DKIM selector troubleshooting guide.
Learn the bigger picture in our Email Authentication Explained guide and compare SPF vs DKIM vs DMARC to understand how these protocols work together.
Quick answer
- Each signature names its own d= and s=; alignment considers the set that verifies.
- A broken inner signature does not always invalidate the outer one; each signature is verified independently.
- Mailing lists often invalidate earlier body hashes; outer signers must sign after transformation.
- Testing tools sometimes display only the first header block.
One-Minute Fix
Enumerate every DKIM-Signature in order, verify which domain aligns to your DMARC From, disable redundant signing hops you control, and ensure the signature intended for alignment is calculated after the last content mutation.
DKIM-Signature: ...; d=listhost.example; s=listsel;
DKIM-Signature: ...; d=brand.com; s=prod1;
Decide which d= must satisfy alignment; only that signer’s validity matters for DMARC.
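The enumeration step above, as an added example (not code from this page or any vendor tool): it lists every DKIM-Signature in header order, marks which d= aligns with the From domain, and joins each to the verdict your own receiver recorded in Authentication-Results. Assumptions: the sample message and the host mx.receiver.example are constructed, the receiver records header.d and header.s, and the organizational domain is approximated by the last two labels.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; tag values shortened, hosts are placeholders.
RAW = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.d=listhost.example header.s=listsel;
 dkim=fail (body hash did not verify) header.d=brand.com header.s=prod1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=listhost.example;
 s=listsel; h=from:subject; bh=AAAA; b=BBBB
DKIM-Signature: v=1; a=rsa-sha256; d=brand.com; s=prod1; h=from; bh=CCCC; b=DDDD
From: News <news@brand.com>
"""

def org_domain(domain):
    # Assumption: last two labels stand in for a Public Suffix List lookup.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dkim_tags(value):
    """Parse one DKIM-Signature value into a tag dict, unfolding whitespace."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def audit(raw, authserv_id="mx.receiver.example"):
    """List every signature in header order with its alignment and result."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2]
    results = {}  # (d, s) -> verdict, taken only from our own receiver's header
    for ar in msg.get_all("Authentication-Results", []):
        if ar.split(";", 1)[0].strip() != authserv_id:
            continue  # ignore results stamped by hosts we do not operate
        for m in re.finditer(r"\bdkim=(\w+)([^;]*)", ar):
            props = dict(re.findall(r"header\.([ds])=([^\s;]+)", m.group(2)))
            results[(props.get("d", "").lower(), props.get("s"))] = m.group(1)
    rows = []
    for pos, value in enumerate(msg.get_all("DKIM-Signature", []), 1):
        t = dkim_tags(value)
        d, s = t.get("d", "").lower(), t.get("s")
        rows.append({"pos": pos, "d": d, "s": s,
                     "c": t.get("c", "simple/simple"),  # RFC 6376 default
                     "aligned": org_domain(d) == org_domain(from_dom),
                     "result": results.get((d, s), "unknown")})
    return rows

def summary(rows):
    # any_pass is what a naive dashboard counts; aligned_pass is what DMARC needs.
    passed = [r for r in rows if r["result"] == "pass"]
    return {"any_pass": bool(passed), "aligned_pass": any(r["aligned"] for r in passed)}
```

On the sample, the list host's signature passes but is unaligned while the aligned brand.com signature fails, so `summary(audit(RAW))` reports a DKIM pass that DMARC cannot use.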
Wrong vs correct setup
Chaotic pipeline
Legacy appliance signs → ESP re-signs body still containing appliance footers → inner bh mismatch.
Two signers without a coordinated canonicalization order guarantee repeated failures on inner tags.
Controlled pipeline
Transform content first, then sign once for customer domain, then optionally add transport signatures that do not touch aligned fields.
Minimise layers or order them so the aligned signature covers the message consumers actually receive.
Why stacks accumulate signatures
Compliance appliances add branding, forwarding services inject tracking, and ESPs brand outbound—all well-intentioned, yet each hop is a signing opportunity. In practice, a failing signature usually traces back to a missing selector or an invalid DKIM key in DNS.
Downstream confusion
- Support teams rotate DNS for the wrong selector, the one mentioned first in the headers.
- Analytics dashboards count DKIM pass if any signature passes—DMARC may disagree.
- Forensic noise obscures which hop broke bh=.
- Regression tests pass in staging without mailing-list equivalents.
Deliverability nuance
Receivers generally tolerate multiple valid signatures, but conflicting canonical bodies raise suspicion scores when inner failures pile up beside DMARC forensic volume. Providers tend to trust domains with a stable DKIM record and clean DKIM signatures far more than those with intermittent failures.
Typical causes
- Appliance signing after marketing injects tracking pixels.
- Vendor A and Vendor B both enabled ‘DKIM enhance’ accidentally.
- Selector overlap during rotation windows.
- List servers wrapping messages without compatible canonicalization.
What we checked
We inspect the primary organisational selector you configured in DNS. Multi-signature troubleshooting requires full headers from affected mail—bring those alongside single-selector checks.
FAQ
Can I delete older signatures?
If you control the mail pipeline, yes—strip redundant signers to simplify. If a third party adds one, negotiate their order or disable yours.
Which signature does Gmail align to?
Gmail evaluates eligible signatures and applies DMARC rules; you cannot rely on ordering alone—verify in Authentication-Results.
Does ARC help?
ARC chains document intermediates but do not replace DKIM correctness at each hop. Still fix canonicalization.
Next steps
- Capture full raw messages representing each sending path.
- Map signatures to organisational vs infrastructure domains.
- Turn off unnecessary signing tiers and retest bh=.
- Coordinate rotation so only the aligned selector changes at once.
- Update DMARC monitoring filters to watch the intended d=.
- Review the full troubleshooting guidance in the DKIM Hub.
- Explore sender authorization issues in the SPF Hub.
- Review alignment and policy issues in the DMARC Hub.