
Our organization is setting up an account with a third party cloud service that will be sending emails on our behalf. Our marketing department would like to eliminate the "via" or "on behalf of" bits that some clients show so that it looks like the emails came directly from us. Looking over the third party's help page on this subject, they request that we insert a DKIM record into our zone for their server. We currently implement SPF for our mail servers, but not DKIM.

  1. Is just a DKIM TXT record sufficient for allowing the third party to send mail on behalf of our organization (without updating our SPF policy, or adding any other records referring to their server)?
  2. Apart from the obvious that we're allowing a third party to send legitimate email from our domain, is there any impact on the rest of our system (security or otherwise) from inserting this DKIM record?
glibdud

2 Answers

  1. If you have an SPF record that disallows your service provider's servers from sending mail, any recipient which checks either SPF only or both SPF and DKIM will likely not take kindly to the SPF failure.
    I would think that the service provider gives you an SPF include directive or similar to handle this as well.

  2. No, there shouldn't be. The DKIM keys are looked up based on the selector value associated with them; there is no general DKIM record for the domain as a whole, only for the specific selectors specified in the DKIM signed mail. Adding a DKIM record does not affect unsigned mail or mail signed with keys for other selectors.
    The DKIM record only lets the holder of the key show with a reasonable level of certainty* that the mail they send is approved by the domain owner.

*) Unless the zone containing the DKIM record is DNSSEC signed, there is no way of validating the authenticity of the record data. Validating a signature based on a key that was fetched under such circumstances will obviously limit what was actually proven quite considerably.

Håkan Lindqvist

Every ESP has specific instructions for email authentication. Some will ask you to configure a subdomain for marketing, like em.example.com IN CNAME wl.sendgrid.net; others a combination of include:SPF.example.com for your SPF and a DKIM TXT record.

Follow their specific directions, but be sure to stay compliant: for SPF it must be under 10 DNS lookups, and for DKIM you can only have one key per selector.

Post your ESP and we can give you those specifics.

Jacob Evans
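The two constraints raised in the answers above, an SPF policy that has to include the ESP while staying within the 10-DNS-lookup limit and DKIM keys that live under per-selector names rather than the bare domain, can be checked offline against a zone snapshot. This is an added example, not code from the question or either answer; the zone contents, example.com, the selector esp1 and the ESP hostnames are constructed placeholders.

```python
# Added example (not from the question or answers): an offline checker for
# the SPF 10-lookup limit (RFC 7208 section 4.6.4) and for the presence of
# a DKIM key record at selector._domainkey.domain. ZONE is a constructed
# stand-in for live DNS; all names and key material are placeholders.
import re

ZONE = {
    "example.com": "v=spf1 mx include:_spf.esp.example.net -all",
    "_spf.esp.example.net": "v=spf1 include:a.esp.example.net include:b.esp.example.net ~all",
    "a.esp.example.net": "v=spf1 ip4:192.0.2.0/24 -all",
    "b.esp.example.net": "v=spf1 a mx ptr exists:%{i}.esp.example.net -all",
    "esp1._domainkey.example.com": "v=DKIM1; k=rsa; p=MIIBIjANBg...PLACEHOLDER",
}

# SPF terms that each cost one DNS lookup against the limit of 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def spf_lookup_count(domain, zone=ZONE, _seen=None):
    """Count DNS-lookup terms reachable from domain's SPF record,
    following include: and redirect= recursively (loops are cut)."""
    if _seen is None:
        _seen = set()
    if domain in _seen:
        return 0
    _seen.add(domain)
    record = zone.get(domain, "")
    if not record.startswith("v=spf1"):
        return 0
    count = 0
    for term in record.split()[1:]:
        m = re.match(r"^([a-z0-9]+)(?:[:=](.*))?$", term.lstrip("+-~?"))
        if not m:
            continue
        name, arg = m.group(1), m.group(2)
        if name in LOOKUP_TERMS:
            count += 1
        if name in ("include", "redirect") and arg:
            count += spf_lookup_count(arg, zone, _seen)
    return count

def dkim_selector_record(selector, domain, zone=ZONE):
    """Return the parsed DKIM tags at selector._domainkey.domain, or None.
    Verifiers query this per-selector name, so other selectors and unsigned
    mail are unaffected by adding one record."""
    txt = zone.get(f"{selector}._domainkey.{domain}")
    if not txt:
        return None
    tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    return tags if tags.get("v") == "DKIM1" and tags.get("p") else None

if __name__ == "__main__":
    n = spf_lookup_count("example.com")
    print(f"SPF lookups: {n} ({'ok' if n <= 10 else 'over the limit'})")
    print("DKIM esp1:", dkim_selector_record("esp1", "example.com"))
```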