
We use o365/Exchange Online. All our SPF and DKIM configs are good for our domain (including 3rd party senders).

Say we have a partner who has domain XYZ123.com (with their own mail servers) and they want us to be able to send as them (from our o365 Exchange).

So this is the opposite of what I've done in DKIM in the past, and can find no info on doing it in reverse.

How do I generate/obtain the 3rd-party DKIM signature (and selector) for our mail server, to provide them for the TXT record (for their DNS) to authorize us to spoof XYZ123.COM?

techie007
  • You use your server signing key and the sending domain owner adds your selector and public key records to the DKIM TXT record. – Paul Nov 01 '21 at 19:30
  • @Paul Thanks for the comment. That's my understanding, but where would I acquire my server's signing key, and how do I assign/choose the selector to tell them to use? – techie007 Nov 01 '21 at 19:36
  • Maybe the following doc is the thing you want? **Use DKIM to validate outbound email** (https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email?view=o365-worldwide#steps-to-create-enable-and-disable-dkim-from-microsoft-365-defender-portal) – Ivan_Wang Nov 02 '21 at 07:37
  • @Ivan_Wang Hi Ivan. In that doc is a section entitled "Set up DKIM so that a third-party service can send, or spoof, email on behalf of your custom domain". In the context of this question I'd be the "Bulk email service provider" and XYZ123.com would be Contoso.com. Where do I get the DKIM signature and selector to provide them? – techie007 Nov 02 '21 at 14:43

1 Answer


When you are the 3rd-party mail delivery service provider from your partner's perspective, and they want you to send emails on behalf of them for the domain XYZ123.com, you will need to set up CNAME delegation with them for DKIM to work.

  1. You choose two selectors for the DKIM public key DNS records (usually 2, but there can be more). The selector string is arbitrary; it can be anything that uniquely identifies you in their DNS records. For example, if your company name is "MailHostABC", you could choose these two selector strings: mailhostabc1 and mailhostabc2

  2. Then you generate the DKIM key pairs for both selectors; each selector requires one key pair. Generation can be done with many tools such as ssh-keygen, PuTTY or many online generators.

  3. In your own domain's DNS records, create two TXT records like this (assuming your domain is mailhostabc.com):

   selector1-XYZ123._domainkey.mailhostabc.com
   selector2-XYZ123._domainkey.mailhostabc.com

The TXT value of each record will contain the public key of the respective DKIM key pair. For example, the first record would have a value like this: "v=DKIM1; k=rsa; p=..." (the public key is appended after the "=" sign)

Here is a TXT value with mocked up public key:

   "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCehqKMB6znGXo/pC83mGObm8OWo4daBYBb9wqqDaflz7Mf9KW1oaUm9j7hQq7af7jha'jfasdjLJDSFJA;IOUERLKJW/QVHqYKlPX3hvYUohBxg//T0u0rK3OSJss3OrpkoRqd150ynYxwwLymsjIwODT7Gf9WZPcL86rdboSRm/ost4mwIDAQAB"
  4. With each DKIM key pair, you keep the private key and configure it on your MTA host so that it can use the private key to sign emails. You ask your partner (in this case your client), who manages the DNS records for XYZ123.com, to add the following two CNAME records that point to the TXT records created above:
   CNAME record 1: selector1._domainkey.XYZ123.com
   points to: selector1-XYZ123._domainkey.mailhostabc.com

   CNAME record 2: selector2._domainkey.XYZ123.com
   points to: selector2-XYZ123._domainkey.mailhostabc.com

With this setup, there is no ongoing maintenance to be done at your partner's end. When you rotate the DKIM keys, you only need to update your MTA host and your TXT records with the new private and public keys.

Regards.

Johnmen
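The delegation chain the answer describes, modelled as an added example (not code from the question, the answer, or Microsoft's documentation). It builds constructed zone data for the provider domain mailhostabc.com and the partner domain XYZ123.com, follows the partner's CNAME to the provider's TXT record the way a DKIM verifier would, checks that the record is a usable RFC 6376 key record (valid base64 in p=, DER SEQUENCE for RSA, no stray separators), and shows that rotating the key changes only the provider's TXT record. The placeholder public key is constructed bytes with the right DER prefix, not a real RSA key; the record and domain names follow the answer.

```python
"""Model of DKIM CNAME delegation: a provider (mailhostabc.com) signs mail
for a partner domain (XYZ123.com). Zone data below is constructed, not live DNS."""
import base64
import binascii
from typing import Dict, List, Optional, Tuple

# Key generation happens outside DNS, e.g. with OpenSSL:
#   openssl genrsa -out selector1.key 2048
#   openssl rsa -in selector1.key -pubout -outform DER | base64 -w0
# The base64 output of the second command is the value of the p= tag.

# Constructed placeholder: a DER SubjectPublicKeyInfo starts with a SEQUENCE
# tag (0x30). This is NOT a real RSA key, only enough bytes to exercise the checks.
PLACEHOLDER_DER = b"\x30\x82\x01\x22" + bytes(range(40))
PLACEHOLDER_P = base64.b64encode(PLACEHOLDER_DER).decode()

Zone = Dict[str, Dict[str, str]]  # owner name -> {rrtype: rdata}

# Constructed records. The provider zone holds the TXT records; the partner zone
# holds only CNAMEs, which is why key rotation never touches the partner's DNS.
ZONES: Zone = {
    "selector1-xyz123._domainkey.mailhostabc.com": {"TXT": f"v=DKIM1; k=rsa; p={PLACEHOLDER_P}"},
    "selector2-xyz123._domainkey.mailhostabc.com": {"TXT": f"v=DKIM1; k=rsa; p={PLACEHOLDER_P}"},
    "selector1._domainkey.xyz123.com": {"CNAME": "selector1-xyz123._domainkey.mailhostabc.com"},
    "selector2._domainkey.xyz123.com": {"CNAME": "selector2-xyz123._domainkey.mailhostabc.com"},
}


def resolve_txt(name: str, zones: Zone, max_hops: int = 8) -> Tuple[List[str], Optional[str]]:
    """Follow CNAMEs the way a resolver would; return (chain of names, TXT or None)."""
    chain = [name.lower().rstrip(".")]
    while len(chain) <= max_hops:
        rr = zones.get(chain[-1], {})
        if "TXT" in rr:
            return chain, rr["TXT"]
        if "CNAME" in rr:
            chain.append(rr["CNAME"].lower().rstrip("."))
            continue
        return chain, None  # nothing usable at this name
    raise RuntimeError("CNAME chain too long: " + " -> ".join(chain))


def parse_dkim_record(txt: str) -> Dict[str, str]:
    """Split an RFC 6376 tag=value list; a segment without '=' raises ValueError."""
    tags: Dict[str, str] = {}
    for seg in txt.split(";"):
        seg = seg.strip()
        if not seg:
            continue
        if "=" not in seg:
            raise ValueError(f"segment without '=': {seg!r}")
        k, v = seg.split("=", 1)
        tags[k.strip()] = "".join(v.split())  # p= is often folded with whitespace
    return tags


def validate_dkim_record(txt: str) -> List[str]:
    """Return a list of problems; an empty list means the record looks usable."""
    try:
        tags = parse_dkim_record(txt)
    except ValueError as e:
        return [str(e)]
    problems: List[str] = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    key_type = tags.get("k", "rsa")
    if key_type not in ("rsa", "ed25519"):
        problems.append(f"unsupported key type {key_type!r}")
    if "p" not in tags:
        problems.append("missing p= tag")
    elif tags["p"] == "":
        problems.append("empty p= (key revoked)")
    else:
        try:
            der = base64.b64decode(tags["p"], validate=True)
        except binascii.Error as e:
            problems.append(f"p= is not valid base64: {e}")
        else:
            if key_type == "rsa" and der[:1] != b"\x30":
                problems.append("p= does not decode to a DER SEQUENCE")
    return problems


def check_delegation(selector: str, signing_domain: str, zones: Zone) -> dict:
    """What a verifier does for a signature with d=signing_domain and s=selector."""
    chain, txt = resolve_txt(f"{selector}._domainkey.{signing_domain}", zones)
    problems = ["no TXT record found"] if txt is None else validate_dkim_record(txt)
    return {"chain": chain, "txt": txt, "problems": problems, "ok": not problems}


def rotate_key(zones: Zone, provider_record: str, new_p: str) -> None:
    """Rotation touches only the provider's own TXT record; the partner's CNAME is untouched."""
    zones[provider_record.lower()]["TXT"] = f"v=DKIM1; k=rsa; p={new_p}"


if __name__ == "__main__":
    result = check_delegation("selector1", "XYZ123.com", ZONES)
    print(" -> ".join(result["chain"]), "OK" if result["ok"] else result["problems"])
    # Constructed damaged record: a stray quote and ';' inside p=, the kind of
    # copy/paste error that makes verifiers return permerror.
    print(validate_dkim_record("v=DKIM1; k=rsa; p=MIGfMA0G'bad;chars"))
```

Run it once against your own published records by replacing the constructed ZONES with the answers from `dig TXT selector1._domainkey.xyz123.com` and checking that the chain ends in your zone, before asking the partner to go live.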