DMARC, SPF and DKIM entries

I have a scenario with third-party providers ... Our company uses many third-party email services. I set up DMARC with p=none and the SPF records were updated with the known senders. Could you please clarify the statement I read on dmarc.org about making third-party senders DMARC compatible:
1. Either add the third-party sending servers to our SPF records
2. Or share your private DKIM key

My question: SPF verifies the envelope-from address, so when the vendor sends emails on our behalf, the From address will be our company's address (for example, abc@companyname.com) and the envelope-from will be the vendor's address (for example, abc@vendorname.com). So how does SPF work here? Will SPF check the DNS of the envelope domain? Do I understand correctly?

Second, does DKIM check the From address or the envelope-from address? How does it work when we pass the private key to our provider?

1 answer


SPF: You're right, the vendor will need to change the envelope-from address to align with your corporate domain. Some of them will make it very easy, others will be difficult, and some will not change the envelope at all. One important thing to keep in mind when you are using a third-party envelope option is that in most cases this change would blind them to bounces - the third party needs bounces for list hygiene, etc., which is a problem ... To avoid this, ask them to use a subdomain of your organizational domain and configure MX there. For example, if you are companyname.com and your third party is vendorname.com, use an envelope-from of vendor-bounces.company.com and then create an MX record at vendor-bounces.company.com pointing back to vendorname.com, so that bounces are handled accordingly.

DKIM: DKIM itself does not validate any address. If you look at a DKIM signature, you will see a d= tag, for example d=gmail.com. This domain is used to obtain the public key to validate the message. DKIM itself does not have such a requirement, but DMARC requires the d= domain in the DKIM signature to match the organizational domain in the From header. This is identifier alignment as described in Section 3.1 of RFC 7489 (https://tools.ietf.org/html/rfc7489#section-3.1). On a practical level, you should publish the public key in your DNS namespace and the third-party signer should use the private key to sign the message. By publishing the public key under a specific DNS name, such as selector._domainkey.companyname.com, you are allowing anyone with the private key, such as vendorname.com, to send email that passes DMARC as companyname.com.



One note: DMARC itself always uses the From header, which is what the user sees as the sender. Identifier alignment then requires the identifier authenticated by the separate authentication protocols (the envelope-from for SPF and the d= domain for DKIM, respectively) to align with (mostly match) the domain in the From header.

Does it help?

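As an added example (not code from the answer or from any DMARC implementation), here is a small Python model of the identifier-alignment rule the answer describes: SPF's identifier is the envelope-from domain, DKIM's is the d= domain, and either one passing in alignment with the From header domain gives a DMARC pass. The organizational-domain helper is a deliberate simplification (it assumes a two-label suffix and does no Public Suffix List lookup), and the addresses are constructed from the question's companyname.com / vendorname.com examples.

```python
# Added example: DMARC identifier alignment (RFC 7489 section 3.1) for the
# third-party-sender scenario. Assumption: organizational domain = last two
# labels (a real receiver consults the Public Suffix List instead).
from dataclasses import dataclass, field


@dataclass
class AuthResults:
    """Authentication results a receiver has before evaluating DMARC."""
    header_from: str                 # RFC5322.From address (what the user sees)
    envelope_from: str               # RFC5321.MailFrom address that SPF checked
    spf_pass: bool                   # SPF result for the envelope_from domain
    dkim_pass_domains: list = field(default_factory=list)  # d= of each passing DKIM signature


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels (assumption)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier_domain: str, from_domain: str, mode: str) -> bool:
    """Relaxed ('r'): same organizational domain. Strict ('s'): exact match."""
    if mode == "s":
        return identifier_domain.lower() == from_domain.lower()
    return org_domain(identifier_domain) == org_domain(from_domain)


def dmarc_evaluate(r: AuthResults, aspf: str = "r", adkim: str = "r") -> dict:
    """Report which mechanism produced an aligned pass; DMARC passes if any did."""
    from_domain = r.header_from.rsplit("@", 1)[1]
    spf_domain = r.envelope_from.rsplit("@", 1)[1]
    # SPF must pass AND its identifier (envelope-from) must align with From.
    spf_aligned = r.spf_pass and aligned(spf_domain, from_domain, aspf)
    # Any passing DKIM signature whose d= aligns with From is enough.
    dkim_aligned = any(aligned(d, from_domain, adkim) for d in r.dkim_pass_domains)
    return {"spf": spf_aligned, "dkim": dkim_aligned, "dmarc_pass": spf_aligned or dkim_aligned}


if __name__ == "__main__":
    # Constructed scenarios from the question: vendor keeps its own envelope,
    # vendor signs with the customer's DKIM key, vendor uses a bounce subdomain.
    vendor_envelope = AuthResults("abc@companyname.com", "abc@vendorname.com", True)
    vendor_with_dkim = AuthResults("abc@companyname.com", "abc@vendorname.com", True, ["companyname.com"])
    bounce_subdomain = AuthResults("abc@companyname.com", "abc@vendor-bounces.companyname.com", True)
    for name, res in [("vendor envelope", vendor_envelope), ("vendor + DKIM", vendor_with_dkim),
                      ("bounce subdomain", bounce_subdomain)]:
        print(name, dmarc_evaluate(res))
```

Note that SPF passing on vendorname.com does nothing for DMARC unless the envelope-from is moved under the From domain, which is exactly the alignment point the answer makes; the bounce-subdomain case passes only in relaxed mode (aspf=r), not strict.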