What are the implications of inserting a DKIM record for a third party sending email on our behalf

dkim dns-zone email spf

Our organization is setting up an account with a third party cloud service that will be sending emails on our behalf. Our marketing department would like to eliminate the "via" or "on behalf of" bits that some clients show so that it looks like the emails came directly from us. Looking over the third party's help page on this subject, they request that we insert a DKIM record into our zone for their server. We currently implement SPF for our mail servers, but not DKIM.

  1. Is just a DKIM TXT record sufficient for allowing the third party to send mail on behalf of our organization (without updating our SPF policy, or adding any other records referring to their server)?
  2. Apart from the obvious that we're allowing a third party to send legitimate email from our domain, is there any impact on the rest of our system (security or otherwise) from inserting this DKIM record?

Best Answer

  1. If you have an SPF record that disallows your service provider's servers from sending mail, any recipient which checks either SPF only or both SPF and DKIM will likely not take kindly to the SPF failure.
    I would think that the service provider gives you an SPF include directive or similar to handle this as well.

  2. No, there shouldn't be. The DKIM keys are looked up based on the selector value associated with them; there is no general DKIM record for the domain as a whole, only for the specific selectors specified in the DKIM signed mail. Adding a DKIM record does not affect unsigned mail or mail signed with keys for other selectors.
    The DKIM record only lets the holder of the key show with a reasonable level of certainty* that the mail they send is approved by the domain owner.

*) Unless the zone containing the DKIM record is DNSSEC signed, there is no way of validating the authenticity of the record data. Validating a signature based on a key that was fetched under such circumstances will obviously limit what was actually proven quite considerably.
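
The selector-scoped lookup and the SPF point from the answer above, as an added example that is not part of the original post. The zone contents, the selectors `vendor1` and `corp2024`, the domain names and the key and signature values are all constructed placeholders; no DNS query or signature verification is performed.

```python
import re

def parse_tags(value):
    """Parse a DKIM tag=value list (RFC 6376, section 3.2) into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_query_name(dkim_signature):
    """DNS name a verifier queries: <selector>._domainkey.<signing domain>."""
    tags = parse_tags(dkim_signature)
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def lookup_key(zone, dkim_signature):
    """Return the parsed key record for this signature, or None if unusable."""
    txt = zone.get(key_query_name(dkim_signature))
    if txt is None:
        return None                  # nothing published for this selector
    record = parse_tags(txt)
    if record.get("v", "DKIM1") != "DKIM1" or not record.get("p"):
        return None                  # wrong version, or empty p= (revoked key)
    return record

def spf_policy(spf_record):
    """Return (included domains, qualifier of the 'all' mechanism or None)."""
    includes, all_qualifier = [], None
    for term in spf_record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)(include:(\S+)|all)", term, re.I)
        if not m:
            continue
        if m.group(3):
            includes.append(m.group(3).lower())
        else:
            all_qualifier = m.group(1) or "+"
    return includes, all_qualifier

# Constructed sample data: the zone holds only the third party's selector.
ZONE = {"vendor1._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDERKEY=="}
VENDOR_SIG = "v=1; a=rsa-sha256; d=example.com; s=vendor1; h=from:to; bh=AAAA; b=BBBB"
OTHER_SIG = "v=1; a=rsa-sha256; d=example.com; s=corp2024; h=from:to; bh=AAAA; b=BBBB"
CURRENT_SPF = "v=spf1 mx -all"
UPDATED_SPF = "v=spf1 mx include:spf.vendor.example -all"

if __name__ == "__main__":
    print(key_query_name(VENDOR_SIG), "->", lookup_key(ZONE, VENDOR_SIG))
    print(key_query_name(OTHER_SIG), "->", lookup_key(ZONE, OTHER_SIG))
    print(spf_policy(CURRENT_SPF), spf_policy(UPDATED_SPF))
```

Mail signed with any other selector finds no key at the vendor's record, and an SPF record ending in `-all` with no include for the provider is the case the first point of the answer describes.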
