I'm working on an email marketing tool, and so far we've been recommending that our customers set up an SPF record (Sender-ID) and a DKIM record. We also have our own SPF record on the mail server and a shared DKIM record for those who do not set up their own DKIM record.

Those who do not set up their own DKIM record still pass the DKIM test, but with the notice that "identity doesn't match any headers" (according to port25), i.e., it doesn't match the textual sender domain.

But does anyone know if this "discrepancy" actually has any impact on spam scoring/probability, i.e., should we continue to recommend that our customers set up a DKIM record (as opposed to just using our shared one), or is that just wasted effort?


2 Answers


The mismatch should have an impact.

If it did not, you could sign mail for any domain with your key. That would make DKIM unreliable.

Imagine a spammer sending mail with a faked domain, signing these mails with his own key.

Thomas Berger
  • Yeah, I realize there probably aren't any hard facts to go by, and what you say seems reasonable. – Andreas Oct 13 '12 at 11:53

DKIM itself does not in fact have any link between the signing domain and the RFC5322.From address, nor any address listed in any of the mail headers. For proof of this, see for example section 4.1 of RFC 5585 as well as this blog post from FastMail where they mention they have been using their own domain to sign outgoing mail for their customers' domains.

Essentially, DKIM ties a reputation to the signing domain, which is a very important distinction to make.

Someone could sign spam that is forged to look like it's from example.com with his own domain of spammer.com, but the idea is that spammer.com would quickly have a bad reputation then. A good domain on the other hand that does not send spam would get a good reputation so that you could assign a higher level of trust to mail signed by this domain.

That said, in my own experience, I have only ever seen Microsoft/Hotmail deviating from the RFC here by interpreting a valid DKIM signature signed by another domain with a result of dkim=none rather than the dkim=pass it should have been. So to fully answer the question: it should not, but in practice, it still may.

On a side-note, Author Domain Signing Practices (ADSP - sorry, I lack the reputation to link it) did set up a link between the signing domain and the author address, but it never gained widespread adoption and has been demoted to historic now.

Also, the upcoming DMARC (Domain-based Message Authentication, Reporting & Conformance) specification introduces the concept of "aligned identifiers" which also requires a DKIM signature of the same domain as that used in the RFC5322.From address.

Nick Groenen
  • This thread is a bit old to me personally, but you have solid information. Also, it's worth mentioning that Gmail DOES differentiate between sender-signed and signed: if the signing domain is NOT the from-address domain, it is shown after the from-address (via example.com). Although I guess that isn't so strange considering Google is a big proponent of DMARC. – Andreas Dec 04 '13 at 16:00
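As an added illustration of the point made in this answer and the Gmail behaviour mentioned in the comment (this is example code written for this page, not code from the question, the answers, port25 or any mail provider): the script below pulls the `d=` and `i=` tags out of a DKIM-Signature header, compares them with the RFC5322.From domain the way DMARC identifier alignment does (relaxed vs. strict), and renders a Gmail-style "via" display name when the signing domain is not the From domain. The three messages are constructed samples; no cryptographic verification is performed (the `b=`/`bh=` values are placeholders), and the organizational-domain helper keeps only the last two labels, which is a simplification of the Public Suffix List lookup a real DMARC implementation would do.

```python
import re

# Constructed sample messages (not from the original page). Signature values are placeholders.
SHARED_KEY = "\r\n".join([
    "From: Newsletter <news@customer.example>",
    "To: reader@example.net",
    "Subject: October update",
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=esp.example;",  # ESP's shared key
    "\ts=shared; h=from:to:subject; bh=BODYHASH; b=SIGNATURE",
    "",
    "Hello",
])
OWN_KEY = SHARED_KEY.replace("d=esp.example", "d=customer.example")           # customer's own key
SUBDOMAIN_KEY = OWN_KEY.replace("news@customer.example", "news@news.customer.example")


def parse_headers(raw):
    """Return (lower-cased name, value) pairs for the header block, unfolding continuation lines."""
    headers = []
    for line in raw.split("\r\n"):
        if line == "":
            break  # blank line ends the header block
        if line[:1] in (" ", "\t") and headers:  # folded continuation of previous header
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers


def dkim_tags(signature_value):
    """Parse the tag=value list of a DKIM-Signature header (RFC 6376 section 3.2)."""
    tags = {}
    for part in signature_value.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = re.sub(r"\s+", "", value)  # whitespace inside values is ignored
    return tags


def first_address(header_value):
    """Address part of a From-style header: 'Name <a@b>' or bare 'a@b'."""
    m = re.search(r"<([^>]+)>", header_value)
    return (m.group(1) if m else header_value).strip().lower()


def organizational_domain(domain):
    """Simplified organizational domain: last two labels (assumption; real DMARC uses the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def check_alignment(raw, mode="relaxed"):
    """DMARC-style DKIM identifier alignment of every signature against the RFC5322.From domain."""
    headers = parse_headers(raw)
    from_values = [v for n, v in headers if n == "from"]
    if len(from_values) != 1:
        raise ValueError("DMARC evaluation needs exactly one From header")
    from_address = first_address(from_values[0])
    from_domain = from_address.rpartition("@")[2]
    signatures = []
    for _, value in ((n, v) for n, v in headers if n == "dkim-signature"):
        tags = dkim_tags(value)
        d = tags.get("d", "").lower()
        if not d:
            continue  # a signature without d= is malformed; ignore it
        identity = tags.get("i", "@" + d).lower()  # AUID defaults to "@<d>" (RFC 6376)
        identity_domain = identity.rpartition("@")[2]
        if mode == "strict":
            aligned = d == from_domain
        else:  # relaxed: organizational domains must match
            aligned = organizational_domain(d) == organizational_domain(from_domain)
        signatures.append({
            "d": d,
            "identity": identity,
            "identity_matches_from": identity_domain == from_domain,  # the port25-style notice
            "aligned": aligned,
        })
    return {
        "from_address": from_address,
        "from_domain": from_domain,
        "signatures": signatures,
        "aligned": any(s["aligned"] for s in signatures),
    }


def display_sender(raw):
    """Gmail-style rendering: append 'via <signing domain>' when the signer is not the From domain."""
    result = check_alignment(raw)
    if result["aligned"] or not result["signatures"]:
        return result["from_address"]
    return f"{result['from_address']} via {result['signatures'][0]['d']}"


if __name__ == "__main__":
    for label, msg in (("shared", SHARED_KEY), ("own", OWN_KEY), ("subdomain", SUBDOMAIN_KEY)):
        print(label, check_alignment(msg)["aligned"], check_alignment(msg, "strict")["aligned"],
              display_sender(msg))
```

Run stand-alone it prints one line per sample; the shared-key message passes DKIM in the cryptographic sense (which this script does not check) yet is unaligned under both modes, the customer-signed message is aligned under both, and the subdomain case shows why a DMARC policy with `adkim=s` would reject what `adkim=r` accepts.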