DKIM record for trusted forwarders?


I have been recently monitoring my domain in order to implement DMARC, and while checking the forwarders tab, something caught my attention :

I realised that for some trusted forwarders ( here Google, but also others like Apple ) where using a DKIM record named “mail” in the DNS of my domain.
As it pass DKIM and DMARC, it means that they do have the private key corresponding to this DNS record, and it is situated in my domain.

I was wondering if having this DKIM record was normal ? Is it something automaticaly deployed to ensure trusted forwarders can pass DMARC ? As it seems like a big security issue if this record’s private key would be leaked, by the fact that it is known by a lot of forwarders.

Thank you for your help

Hi Raphael!

In the case of forwarding, it does not mean they have the private key, it means the DKIM signature remained intact through the process of forwarding.

Automatic forwarding, like server based or mailbox based forwarding, will keep the original headers of the email, and prepending trace headers instead. There are 2 important headers in your use case.

From Header
DKIM Signature header

Since headers remain intact, the From address remains unchanged when received by the system the email was forwarded to. Same goes with the DKIM signature header. As long as the content the DKIM signature signs remain unchanged, it can still be verified and passing, which is the case here.

The return-path (RFC 5321Mail From) will typically be rewritten by the forwarder through SRS (Sender Rewriting Schemes). This helps you understand who was the intended recipient of email sent by your server. In your example, it was a address.

All in all, there is nothing to worry about here, this is typical and even behaving as designed! This way recipient who choose to forward emails received from your domain will have less issues doing so due to DKIM passing DMARC alignment.

I hope this helps!