Score:0

Server

Create a DKIM key to provide to a 3rd party so we can send as them?

techie007

3/1/23, 5:19 PM

We use o365/Exchange Online. All our SPF and DKIM configs are good for our domain (including 3rd party senders).

Say we have a partner who has domain XYZ123.com (with their own mail servers) and they want us to be able to send as them (from our o365 Exchange).

So this is the opposite of what I've done in DKIM in the past, and can find no info on doing it in reverse.

How do I generate/obtain the 3rd-party DKIM signature (and selector) for our mail server, to provide them for the TXT record (for their DNS) to authorize us to spoof XYZ123.COM?

283

0 + 0

exchange

dkim

microsoft-office-365

Paul

3/1/23, 7:30 PM

You use your server signing key and the sending domain owner adds your selector and public key records to the DKIM TXT record.

techie007

3/1/23, 7:36 PM

@Paul Thanks for the comment. That's my understanding, but where would I acquire my server's signing key, and how do I assign/choose the selector to tell them to use?

Ivan_Wang

3/2/23, 7:37 AM

Maybe the following docs is the thing you want? **Use DKIM to validate outbound email** (https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email?view=o365-worldwide#steps-to-create-enable-and-disable-dkim-from-microsoft-365-defender-portal)

techie007

3/2/23, 2:43 PM

@Ivan_Wang Hi Ivan. In that doc is a section entitled "Set up DKIM so that a third-party service can send, or spoof, email on behalf of your custom domain". In the context of this question I'd be the "Bulk email service provider" and XYZ123.com would be Contoso.com. Where do I get the DKIM signature and selector to provide them?

Score:1

Server

Johnmen

4/14/24, 3:13 AM

When you are the 3rd party mail delivery service provider from your partner's perspective, if they want you to send emails on behalf of them for the domain XYZ123.com, you will need to setup CNAME delegation with them for DKIM to work.

You choose 2 x selector for the DKIM public key DNS records (usually 2, but can be more). Selector string is arbitrary, can be anything that uniquely identity you in their DNS records. For example if your company name is "MailHostABC", you can choose to use these two selector strings: mailhostabc1 mailhostabc2
Then you generate the DKIM key pairs for both selectors, each selector requires one key pair. Generation can be done with many tools such as ssh-keygen, Putty or many online generators.
In your own domain's DNS records, create two TXT records like this (assuming your domain is mailhostabc.com)

   selector1-XYZ123._domainkey.mailhostabc.com
   selector2-XYZ123._domainkey.mailhostabc.com

The TXT value of both records will contain the public key of both DKIM key pairs respectively. For example the first record would have value like this: "v=DKIM1; k=rsa; p=..." (public key is appended after the "=" sign)

Here is a TXT value with mocked up public key:

   "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCehqKMB6znGXo/pC83mGObm8OWo4daBYBb9wqqDaflz7Mf9KW1oaUm9j7hQq7af7jha'jfasdjLJDSFJA;IOUERLKJW/QVHqYKlPX3hvYUohBxg//T0u0rK3OSJss3OrpkoRqd150ynYxwwLymsjIwODT7Gf9WZPcL86rdboSRm/ost4mwIDAQAB"

With each DKIM key pairs, you keep the private key and configure it on your MTA host so that it can use the private key to sign emails. You ask your partner (in this case your client) who manages the DNS records for XYZ123.com to add the following 2 x CNAME records that point to the TXT records created above

   CNAME record 1: selector1._domainkey.XYZ123.com
   points to: selector1-XYZ123._domainkey.mailhostabc.com

   CNAME record 2: selector2._domainkey.XYZ123.com
   points to: selector2-XYZ123._domainkey.mailhostabc.com

With this setup, there is no ongoing maintenance to be done at your partner's end. When you rotate the DKIM keys, you only need to update your MTA host and your TXT records with new private and public keys.

Regards.

+ 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Create a DKIM key to provide to a 3rd party so we can send as them?

TH: สร้างคีย์ DKIM เพื่อมอบให้กับบุคคลที่สามเพื่อให้เราสามารถส่งเป็นพวกเขาได้หรือไม่

RO: Creați o cheie DKIM pentru a o furniza unei terțe părți, astfel încât să putem trimite ca ei?

RU: Создать ключ DKIM для предоставления третьему лицу, чтобы мы могли отправить его?

VI: Tạo khóa DKIM để cung cấp cho bên thứ 3 để chúng tôi có thể gửi cho họ?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.