I’m having trouble with a DKIM configuration and need some help understanding how it works.
We use a third-party service (let’s call it ServiceX) that relies on another provider (MailProvider) to send bulk emails for our company. The setup uses our company domain in the FROM field but ServiceX’s domain in the ENVELOPE FROM field.
Currently, they sign emails with their own DKIM using ServiceX’s domain. When I asked about configuring DKIM with our domain, they said we need to modify our MX records to point to MailProvider. This won’t work since we’re running our own mail server.
My main questions:
Can’t ServiceX create DKIM signatures using our company domain instead of theirs?
Would this satisfy DKIM alignment requirements since the FROM header and DKIM d= parameter would match?
Does it matter that FROM and ENVELOPE FROM use different domains?
I feel like I’m missing something basic about how third-party email services handle DKIM authentication. Any insights would be helpful!
You’re using a third-party service (ServiceX) with MailProvider to send bulk emails. ServiceX signs emails using its own domain, and requesting DKIM signing with your company domain led them to suggest changing your MX records – a solution incompatible with your existing mail server. The core questions are: Can ServiceX sign with your domain? Will this satisfy DKIM alignment? Does the difference between the FROM and ENVELOPE FROM headers matter for DKIM?
Understanding the “Why” (The Root Cause):
The MX record suggestion from ServiceX is incorrect for DKIM. DKIM doesn’t involve changing MX records (which handle incoming mail). Instead, DKIM uses DNS TXT records to publish the public key used for verifying signatures. ServiceX should generate a DKIM key pair for your domain (yourdomain.com), provide you with the public key, and you’d then add a corresponding TXT record to your DNS. This way, emails sent from your domain (yourdomain.com in the FROM header) will be verifiable against the DKIM signature associated with your domain. The ENVELOPE FROM header (used internally by mail servers) is irrelevant to DKIM verification; only the FROM header matters in the DKIM alignment context.
Step-by-Step Guide:
Request the correct DKIM setup from ServiceX: Clearly explain that you need them to generate a DKIM key pair for your domain (yourdomain.com), not to change your MX records. Request the public key they generate for your domain. This is standard practice for any reputable email service.
Add the TXT record to your DNS: Once you receive the public key (it will look something like v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ...), add a TXT record to your DNS. The record’s name will typically be in the format selector._domainkey.yourdomain.com, where selector is a value provided by ServiceX (often a short alphanumeric string). The record’s value is the public key you received. This process varies slightly depending on your DNS provider, but their documentation should provide clear steps.
Verify DKIM Setup: After propagating the DNS changes (this can take some time), use a DKIM checker tool (many are available online) to verify that your emails are properly signed with your domain’s DKIM key.
Common Pitfalls & What to Check Next:
DNS Propagation Time: DNS changes don’t take effect instantly. It might take several hours, or even longer, for the changes to propagate across the internet. Be patient and check again later.
Selector Mismatch: Ensure that the selector in the DNS record name exactly matches the selector value used by ServiceX in their DKIM signing process.
Incorrect Public Key: Double-check that the public key you added to your DNS record is precisely the one provided by ServiceX. Even a small typo will cause verification failures.
SPF and DMARC Alignment: While DKIM is handled, ensure your SPF and DMARC records are correctly configured to work in conjunction with your DKIM setup. This helps to prevent spoofing attempts.
Still running into issues? Share your (sanitized) config files, the exact command you ran, and any other relevant details. The community is here to help!
That MX record requirement is total nonsense for DKIM. ServiceX should generate a DKIM key pair for your domain and give you the public key to add as a TXT record (usually something like selector._domainkey.yourdomain.com). That’s how every decent email provider does it. The MX change request makes me think they either don’t understand DKIM or they’re trying to funnel your incoming mail through their servers for some reason. I’ve worked with tons of third-party email services and none ever needed MX changes for DKIM. I’d escalate this to their tech team or find a new provider if they won’t do standard DKIM setup.
totally! if they have DNS access, they can get DKIM going with ur domain. just need to add their public key in ur DNS TXT records. as long as ur header FROM matches the DKIM domain, ur alignment should be fine even with the envelope FROM being diff.
ServiceX is mixing up DKIM and SPF records. MX changes don’t affect DKIM at all - that’s just for incoming mail. they can definitely sign emails with your domain. email services like Mailchimp do this constantly.
You’re right - ServiceX can definitely sign emails with your domain instead of theirs. They’ll generate a DKIM key pair and give you the public key to add as a TXT record in your DNS. Pretty standard stuff for third-party email services. Yes on alignment too. When your FROM header domain matches the DKIM signature domain (d= parameter), you’ll get DKIM alignment for DMARC. The ENVELOPE FROM domain being different doesn’t matter - DKIM only cares about the signing domain and message integrity. Their MX record suggestion sounds fishy and could mess up your setup. DKIM doesn’t need MX changes at all - just DNS TXT records for the public key. I think they’re either mixing up DKIM with SPF configuration or trying to sell you something else.
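Added example (not code from any post in this thread, nor from ServiceX or MailProvider): it turns the checks discussed in the step-by-step answer above and in the reply just before this into runnable Python. Given a DKIM-Signature header it derives the DNS name where the public key must be published (selector._domainkey.domain), checks the published TXT record against the key the provider handed over (the "Selector Mismatch" and "Incorrect Public Key" pitfalls), and evaluates DMARC DKIM alignment between the header From domain and the d= tag, with the envelope From deliberately left out of that decision. Everything is constructed: the selector svcx, the domains yourdomain.com and mail.servicex.example, the signature values and the key string are placeholders, and the DNS lookup is a dictionary standing in for a real TXT query. The organizational-domain rule (last two labels) is a simplification of the Public Suffix List lookup that DMARC actually uses.

```python
"""Offline DKIM / DMARC-alignment checks for the questions in this thread.

Added example: parses a DKIM-Signature header and a DKIM TXT record,
derives the DNS name the public key must live at, checks selector and key
consistency, and evaluates DMARC alignment of header From vs the d= tag.
No network access: the DNS answer is a constructed dictionary.
"""
import re
from email.utils import parseaddr


def parse_tags(text: str) -> dict:
    """Parse an RFC 6376 tag-list ('k=v; k2=v2'). Used for both the
    DKIM-Signature header and the DKIM TXT record; whitespace inside
    values (folded b= / p= data) is stripped."""
    tags = {}
    for part in text.split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")   # first '=' only: b= may contain padding
        tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def dkim_dns_name(selector: str, domain: str) -> str:
    """DNS name where the public key is published: <selector>._domainkey.<d>."""
    return f"{selector}._domainkey.{domain}".lower()


def domain_of(addr_header: str) -> str:
    """Domain part of an address such as 'Name <user@example.com>'."""
    _, addr = parseaddr(addr_header)
    return addr.rpartition("@")[2].lower()


def org_domain(domain: str) -> str:
    """Simplified organizational domain (last two labels). Assumption for this
    example; real DMARC implementations consult the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])


def dkim_aligned(from_domain: str, d_domain: str, mode: str = "relaxed") -> bool:
    """DMARC DKIM alignment (RFC 7489 section 3.1.1): strict needs an exact
    match, relaxed accepts the same organizational domain. The envelope From
    (MAIL FROM) is not an input: DMARC compares only the d= tag with the
    header From, which is why a different bounce domain does not matter."""
    f, d = from_domain.lower(), d_domain.lower()
    return f == d if mode == "strict" else org_domain(f) == org_domain(d)


def check_published_key(sig_tags: dict, dns_txt: dict, expected_key: str) -> list:
    """Reproduce the 'Selector Mismatch' / 'Incorrect Public Key' pitfalls:
    the record name must exist, be a DKIM record, and carry the exact p=
    value the provider gave you. Returns a list of problems (empty = OK)."""
    name = dkim_dns_name(sig_tags["s"], sig_tags["d"])
    record = dns_txt.get(name)
    if record is None:
        return [f"no TXT record at {name} (selector mismatch?)"]
    rec = parse_tags(record)
    problems = []
    if rec.get("v", "DKIM1") != "DKIM1":
        problems.append("record is not v=DKIM1")
    if rec.get("p", "") != re.sub(r"\s+", "", expected_key):
        problems.append("published p= differs from the key the provider gave you")
    return problems


# --- constructed sample data (placeholders, not from a real provider) ---
SAMPLE_SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.com; s=svcx;"
                    " h=from:to:subject:date; bh=CONSTRUCTEDBODYHASH=; b=CONSTRUCTEDSIG==")
SAMPLE_FROM = "Marketing <marketing@yourdomain.com>"            # header From
SAMPLE_MAIL_FROM = "bounce-123@mail.servicex.example"           # envelope From, differs
PROVIDER_KEY = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCONSTRUCTEDFAKEKEY"
SAMPLE_DNS = {  # stands in for a TXT lookup of svcx._domainkey.yourdomain.com
    "svcx._domainkey.yourdomain.com": "v=DKIM1; k=rsa; p=" + PROVIDER_KEY,
}


def run_demo() -> dict:
    """Run the checks on the constructed data and return the outcomes."""
    sig = parse_tags(SAMPLE_SIGNATURE)
    return {
        "dns_name": dkim_dns_name(sig["s"], sig["d"]),
        "aligned": dkim_aligned(domain_of(SAMPLE_FROM), sig["d"]),
        "envelope_domain": domain_of(SAMPLE_MAIL_FROM),   # reported, not used for alignment
        "key_problems": check_published_key(sig, SAMPLE_DNS, PROVIDER_KEY),
        # same signature but ServiceX signs with a selector you never published:
        "wrong_selector_problems": check_published_key(dict(sig, s="wrong"), SAMPLE_DNS, PROVIDER_KEY),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running it shows alignment passing even though the envelope domain is mail.servicex.example, an empty problem list for the correctly published key, and a "no TXT record" problem as soon as the selector in the signature differs from the one in DNS. Against a live domain you would replace SAMPLE_DNS with a real TXT query for the derived name and paste the actual DKIM-Signature header from a received message.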