I've been looking into the way large email marketing platforms manage DKIM for each of their customers' domains.
Mailchimp seems to go down the route of using the same private and public DKIM keys for all of their customers, whereas other email marketing platforms like MailGun, SendGrid etc. all seem to generate DKIMs independently per customer, per domain.
My main concern is security, but surprisingly MailChimp seems to be doing just fine with using the same public and private key for all of their customers. My worry with doing it that way is that if some dirty hacker somehow gets their hands on that one private key, all of my customers' domains are vulnerable to having spam emails sent on their behalf.
I'm also thinking though, that no matter which way I do it, if the hacker can get their hands on either the 1 key or several keys, then I'm going to be in the same position either way.
You can see the dilemma I'm having here.
Which (if any) is the safer option? Why is it safer? What are the pros and cons of each?
Cheers
This is entirely normal. MailChimp signs as an intermediary (i.e. using their domain, not yours) which cannot vouch for everything within the message, and using your own DKIM signature, which can. My own email marketing service does exactly the same, and the DKIM validator project I maintain validates them both.
There is nothing significant to be gained by having a per-domain intermediary signature, because as an intermediary they are not capable of vouching for your domain, only their own. That is why anyone signing this way requires some kind of DNS configuration to back it up, either via a CNAME or a named selector.
Worrying about server-side keys like that also applies to TLS and SSH in exactly the same way – if hackers obtain any of your private keys, you have much bigger problems than the integrity of your email.
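To make the answer's distinction concrete, here is an added example (it is not code from the question, the answer, MailChimp or any of the named platforms) of what a DKIM signer actually commits to and where a verifier goes to fetch the key. It uses only the Python standard library, so it implements RFC 6376 relaxed canonicalization and the bh= body hash, builds the exact bytes that the RSA key would sign (the b= value), and shows the DNS name a verifier derives from the d= and s= tags. It then contrasts the two modes discussed above: an intermediary signature with d= set to the ESP's own domain (key lives only in the ESP's zone, no alignment with the customer's From domain) versus a per-customer signature with d= set to the customer's domain and the selector delegated by CNAME to a record the ESP hosts. All domain names (esp.example, customer.example), selector names, the toy DNS zone and the placeholder public keys are constructed for the example; the alignment check approximates DMARC relaxed alignment without a Public Suffix List, and the RSA operation itself is omitted since the standard library has none.

```python
import base64
import hashlib
import re

# --- RFC 6376 "relaxed" canonicalization -----------------------------------

def canon_body_relaxed(body: str) -> bytes:
    """Collapse WSP runs to one SP, strip trailing WSP per line, drop trailing
    empty lines, normalise to CRLF. An empty body canonicalises to b""."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""


def canon_header_relaxed(name: str, value: str) -> str:
    """Lowercase the field name, unfold, collapse WSP, no WSP around the colon."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)          # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" ")
    return f"{name.strip().lower()}:{value}\r\n"


def body_hash(body: str) -> str:
    """The bh= tag: base64(SHA-256(canonicalised body))."""
    digest = hashlib.sha256(canon_body_relaxed(body)).digest()
    return base64.b64encode(digest).decode()


def signature_input(headers, signed_names, d: str, s: str, bh: str) -> bytes:
    """Bytes the private key of domain `d` signs to produce b=. The signed
    header list is taken bottom-up as the RFC requires, followed by the
    DKIM-Signature field itself with an empty b= and no trailing CRLF."""
    sig_value = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={d}; s={s}; "
                 f"h={':'.join(signed_names)}; bh={bh}; b=")
    parts = []
    for name in signed_names:
        for hname, hvalue in reversed(headers):
            if hname.lower() == name.lower():
                parts.append(canon_header_relaxed(hname, hvalue))
                break
    parts.append(canon_header_relaxed("DKIM-Signature", sig_value).rstrip("\r\n"))
    return "".join(parts).encode()

# --- where the verifier looks for the public key ---------------------------

def key_record_name(selector: str, d: str) -> str:
    """A verifier queries TXT at <s>._domainkey.<d>; only the owner of `d`
    (or whoever it delegates to) can publish there."""
    return f"{selector}._domainkey.{d}"

# Constructed toy zone data for the example, not real DNS records.
TOY_DNS = {
    # Intermediary mode: the ESP signs with d=esp.example, key in its own zone.
    "k1._domainkey.esp.example": ("TXT", "v=DKIM1; k=rsa; p=<esp-shared-public-key>"),
    # Per-customer mode: the customer delegates the selector name by CNAME to
    # a record the ESP hosts, so d=customer.example can be used.
    "k1._domainkey.customer.example": ("CNAME", "k1.customer.dkim.esp.example"),
    "k1.customer.dkim.esp.example": ("TXT", "v=DKIM1; k=rsa; p=<customer-only-public-key>"),
}


def resolve_key(name: str, zone=TOY_DNS, max_hops: int = 5):
    """Follow CNAMEs until a TXT record is reached; None if nothing is published."""
    for _ in range(max_hops):
        rec = zone.get(name)
        if rec is None:
            return None
        rtype, data = rec
        if rtype == "TXT":
            return data
        name = data                                     # follow the CNAME
    return None


def dkim_aligned(from_addr: str, d: str, strict: bool = False) -> bool:
    """DMARC identifier alignment, simplified: strict needs d= to equal the
    From domain; relaxed is approximated here as parent/child match (a real
    check compares organisational domains via the Public Suffix List)."""
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    d = d.lower()
    if strict or from_domain == d:
        return from_domain == d
    return from_domain.endswith("." + d) or d.endswith("." + from_domain)


def compare_modes(headers, body: str, customer_domain: str, esp_domain: str, selector="k1"):
    """Summarise both signing modes for one message."""
    from_addr = next(v for n, v in headers if n.lower() == "from")
    out = {}
    for mode, d in (("intermediary", esp_domain), ("per-customer", customer_domain)):
        record = key_record_name(selector, d)
        out[mode] = {
            "d": d,
            "key_record": record,
            "key_published": resolve_key(record) is not None,
            "aligned_with_from": dkim_aligned(from_addr, d),
            "to_sign": signature_input(headers, ["from", "to", "subject"], d, selector, body_hash(body)),
        }
    return out


if __name__ == "__main__":
    hdrs = [("From", "alice@customer.example"), ("To", "bob@example.net"), ("Subject", "Hello")]
    for mode, info in compare_modes(hdrs, "Hi Bob,\r\n\r\nregards\r\n\r\n", "customer.example", "esp.example").items():
        print(mode, info["d"], info["key_record"], "aligned:", info["aligned_with_from"])
```

The point the output makes is the one in the answer: in intermediary mode the key record, and therefore the signature, belongs to esp.example, so a compromise of that key lets an attacker sign as the ESP but never produces a signature that aligns with customer.example; in per-customer mode the signature aligns, and this only works because the customer published something in its own DNS (here the CNAME) that points verifiers at the ESP-hosted key.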