Create a DKIM key to provide to a 3rd party so we can send as them?


We use o365/Exchange Online. All our SPF and DKIM configs are good for our domain (including 3rd party senders).

Say we have a partner who has domain (with their own mail servers) and they want us to be able to send as them (from our o365 Exchange).

So this is the opposite of what I've done in DKIM in the past, and can find no info on doing it in reverse.

How do I generate/obtain the 3rd-party DKIM signature (and selector) for our mail server, to provide them for the TXT record (for their DNS) to authorize us to spoof XYZ123.COM?

Paul
You use your server signing key and the sending domain owner adds your selector and public key records to the DKIM TXT record.
techie007
@Paul Thanks for the comment. That's my understanding, but where would I acquire my server's signing key, and how do I assign/choose the selector to tell them to use?
Ivan_Wang
Maybe the following doc is the thing you want? **Use DKIM to validate outbound email** (
techie007
@Ivan_Wang Hi Ivan. In that doc is a section entitled "Set up DKIM so that a third-party service can send, or spoof, email on behalf of your custom domain". In the context of this question I'd be the "Bulk email service provider" and would be Where do I get the DKIM signature and selector to provide them?

When you are the 3rd party mail delivery service provider from your partner's perspective, if they want you to send emails on behalf of them for the domain, you will need to set up CNAME delegation with them for DKIM to work.

  1. You choose 2 x selectors for the DKIM public key DNS records (usually 2, but can be more). The selector string is arbitrary, and can be anything that uniquely identifies you in their DNS records. For example if your company name is "MailHostABC", you can choose to use these two selector strings: mailhostabc1 mailhostabc2

  2. Then you generate the DKIM key pairs for both selectors, each selector requires one key pair. Generation can be done with many tools such as ssh-keygen, Putty or many online generators.

  3. In your own domain's DNS records, create two TXT records like this (assuming your domain is

The TXT value of both records will contain the public key of both DKIM key pairs respectively. For example the first record would have value like this: "v=DKIM1; k=rsa; p=..." (public key is appended after the "=" sign)

Here is a TXT value with mocked up public key:

   "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCehqKMB6znGXo/pC83mGObm8OWo4daBYBb9wqqDaflz7Mf9KW1oaUm9j7hQq7af7jha'jfasdjLJDSFJA;IOUERLKJW/QVHqYKlPX3hvYUohBxg//T0u0rK3OSJss3OrpkoRqd150ynYxwwLymsjIwODT7Gf9WZPcL86rdboSRm/ost4mwIDAQAB"
  4. With each DKIM key pair, you keep the private key and configure it on your MTA host so that it can use the private key to sign emails. You ask your partner (in this case your client) who manages the DNS records for to add the following 2 x CNAME records that point to the TXT records created above
   CNAME record 1:
   points to:

   CNAME record 2:
   points to:

With this setup, there is no ongoing maintenance to be done at your partner's end. When you rotate the DKIM keys, you only need to update your MTA host and your TXT records with new private and public keys.
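
The steps above as an added example, not part of the original answer: it uses the `openssl` CLI and 2048-bit RSA (both choices made for this example) to create one key pair per selector and print the TXT record for the provider's zone and the CNAME record for the partner's zone. `mailhostabc.example` and `partner.example` are hypothetical placeholder domains.

```shell
#!/bin/sh
# Added example: one DKIM key pair per selector, plus the DNS records for
# CNAME delegation. Both domains are hypothetical placeholders.
PROVIDER_DOMAIN="mailhostabc.example"  # assumption: zone of the signing provider
PARTNER_DOMAIN="partner.example"       # assumption: domain being sent on behalf of

# dkim_txt_value KEYFILE -> TXT value carrying the matching public key
dkim_txt_value() {
    pub=$(openssl rsa -in "$1" -pubout -outform DER 2>/dev/null | openssl base64 -A)
    [ -n "$pub" ] || return 1
    printf 'v=DKIM1; k=rsa; p=%s' "$pub"
}

# dkim_delegate SELECTOR OUTDIR -> writes the private key, prints both records
dkim_delegate() {
    sel=$1
    key="$2/$sel.private.pem"
    # 2048-bit RSA is this example's choice; the key file is owner-readable only.
    ( umask 077; openssl genrsa -out "$key" 2048 2>/dev/null ) || return 1
    txt=$(dkim_txt_value "$key") || return 1
    # A single TXT string holds at most 255 bytes, so split the value into
    # several quoted strings; resolvers concatenate them again.
    quoted=$(printf '%s' "$txt" | fold -w 250 | sed 's/.*/"&"/' | tr '\n' ' ')
    # Record for the provider's own zone (holds the public key).
    printf '%s._domainkey.%s. IN TXT %s\n' "$sel" "$PROVIDER_DOMAIN" "$quoted"
    # Record for the partner's zone (only points at the one above).
    printf '%s._domainkey.%s. IN CNAME %s._domainkey.%s.\n' \
        "$sel" "$PARTNER_DOMAIN" "$sel" "$PROVIDER_DOMAIN"
}

# Demo with the two selector names used in the answer.
outdir=$(mktemp -d)
for s in mailhostabc1 mailhostabc2; do
    dkim_delegate "$s" "$outdir"
done
echo "private keys for the MTA are in $outdir"
```

The private key files stay on the signing MTA; only the printed records are shared, and the partner only ever sees the CNAME lines.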


