DMARC -spf and DKIM entries

SPF: You're right, the vendor will need to change the address envelope to align with your corporate domain. Some of them will make it very easy, others will be difficult, and some will not change the envelope at all. One important thing to keep in mind when you are using a third party envelope option is that in most cases this change should have blinded them to bounces - the third party needs bouncing for list hygiene, etc. which is a problem ... To avoid this, ask them to use a subdomain of your organizational domain and configure MX there. For example, if you are companyname.com and your third party is vendorname.com using them, use the envelope from vendor-bounces.company.com and then create an MX record back to vendorname.com for vendor bounces. company.com will resolve the issue accordingly.

DKIM: DKIM itself does not validate any address. If you look at the DKIM signature, you will see d equal to d = gmail.com. This domain is used to obtain the public key to validate the message. DKIM itself does not have such a requirement, but DMARC requires the d = domain in the DKIM signature to match the organization's domain in the from header. This is identifier alignment as described in Section 3.1 of RFC 7489. ( https://tools.ietf.org/html/rfc7489#section-3.1). On a practical level, you should publish the public key to your DNS namespace and the third party signer should use the private key to sign the message. By publishing pubkey to a specific DNS namespace, such as selector._domainkey.companyname.com, you are allowing anyone with the private key, such as vendorname.com, to send DMARC confirmation email to companyname.com.

One note: DMARC itself always uses the from header, which is what the user sees as the recording area. Identity alignment then requires being authenticated by separate authentication protocols such as SPF or DKIM envelope, and d = domain respectively - to align (mostly match) with the domain in the from header.

Does it help?