We have a couple of domains in Office 365. Each has its SPF record and DKIM record published and enabled. There is an instance where we want to send as domainA from domainB. This ends up showing as a forward and gets blocked by DMARC after hitting a Gmail, Comcast, etc. server. From my understanding I would have to generate DKIM keys for domainB and publish them for domainA, since Office 365 manages that portion for you. Could you publish domainB's DKIM records on domainA's public DNS to make this work? Any other ideas?
Does domainB use domainA or domainB in rfc5321.mailfrom when it sends on behalf of domainA? If it uses domainB, you get DMARC-SPF alignment errors, and these mails may be categorised as Forwarded by Dmarcian.
DKIM signatures in mail headers contain - among other information - a d= field. This field tells the receiving server where to look up the public s= DKIM signature key for making a raw DKIM check. If the signature is valid, the receiving server will then check for DMARC alignment between the sender domain in rfc5322.from, and the signing domain.
So, publishing domainB’s DKIM records on domainA’s DNS will not help, unless you can get domainB to sign messages using d=domainA when sending on behalf of a domainA address.
I’m curious to see other suggestions on how to achieve this
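The alignment logic the answer describes, written out as an added example (this is not code from the thread, from Office 365 or from Dmarcian). It parses the tag list of a DKIM-Signature header to pull out d= (the signing domain) and s= (the selector, which names the DNS TXT record `<s>._domainkey.<d>` where the public key lives), then checks DMARC identifier alignment for both DKIM (d= against the rfc5322.from domain) and SPF (the rfc5321.mailfrom domain against the rfc5322.from domain). The domain names, selector, signature values and headers are constructed placeholders; the signature is assumed to have already passed its cryptographic check (`dkim_valid`) and SPF to have already been evaluated (`spf_pass`), since the point here is alignment, not verification. The organizational-domain helper is a deliberate simplification (last two labels) where a real verifier would consult the Public Suffix List.

```python
"""DMARC identifier-alignment check for the domainA/domainB scenario.

Added example, not code from the original thread. All domains, selectors and
signature values below are constructed placeholders.
"""
import re

# Constructed headers: the message claims to be from domainA (rfc5322.from)
# but is sent by domainB's mail system.
FROM_HEADER = "Sales <sales@domaina.example>"
MAIL_FROM_B = "bounce@domainb.example"          # rfc5321.mailfrom used by domainB

# Case 1: domainB signs with its own domain (what the question describes).
DKIM_SIG_D_B = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=domainb.example; s=selector1;\r\n"
    " h=from:to:subject; bh=CONSTRUCTEDBODYHASH=; b=CONSTRUCTEDSIGNATURE="
)
# Case 2: domainB signs with d=domainA (what the answer says is required).
DKIM_SIG_D_A = DKIM_SIG_D_B.replace("d=domainb.example", "d=domaina.example")


def parse_dkim_signature(header_value: str) -> dict:
    """Parse a DKIM-Signature tag=value list into a dict.

    Folding whitespace inside values is stripped, as RFC 6376 allows; the
    b= value is left otherwise untouched.
    """
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def dkim_key_dns_name(tags: dict) -> str:
    """DNS TXT name the verifier queries for the public key (RFC 6376 3.6.2.1)."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.

    Simplification for the example; production code uses the Public Suffix List.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """DMARC alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def address_domain(addr: str):
    """Domain part of 'Name <user@host>' or 'user@host'; None for the null sender."""
    addr = addr.strip()
    if addr in ("", "<>"):
        return None
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", addr)
    if not m:
        raise ValueError(f"no domain in address: {addr!r}")
    return m.group(1)


def dmarc_alignment(from_header, mail_from, dkim_header, dkim_valid, spf_pass,
                    adkim="r", aspf="r") -> dict:
    """Evaluate DMARC the way a receiver does once DKIM and SPF results are known.

    DMARC passes if at least one authenticated identifier is aligned with the
    rfc5322.from domain: a valid DKIM signature whose d= aligns, or an SPF pass
    whose rfc5321.mailfrom domain aligns.
    """
    from_domain = address_domain(from_header)
    signing_domain = parse_dkim_signature(dkim_header).get("d", "")
    mail_from_domain = address_domain(mail_from)

    dkim_aligned = bool(signing_domain) and aligned(from_domain, signing_domain, adkim)
    spf_aligned = mail_from_domain is not None and aligned(from_domain, mail_from_domain, aspf)
    dmarc_pass = (dkim_valid and dkim_aligned) or (spf_pass and spf_aligned)
    return {"dkim_aligned": dkim_aligned, "spf_aligned": spf_aligned, "dmarc_pass": dmarc_pass}


if __name__ == "__main__":
    for label, sig in (("d=domainB", DKIM_SIG_D_B), ("d=domainA", DKIM_SIG_D_A)):
        tags = parse_dkim_signature(sig)
        print(label, "key record:", dkim_key_dns_name(tags),
              dmarc_alignment(FROM_HEADER, MAIL_FROM_B, sig, dkim_valid=True, spf_pass=True))
```

Run as a script it shows the two outcomes the answer contrasts: with d=domainb.example neither identifier aligns, so even a valid signature and an SPF pass leave DMARC failing, which is the "looks like a forward" result in the question; with d=domaina.example the DKIM identifier aligns and DMARC passes even though SPF is still unaligned. Publishing domainB's key under domainA's DNS changes nothing here, because the receiver reads d= from the signature itself.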