DKIM to 3rd Party Sender

We have several contributors who are using our mail server to send emails through.
The SPF record was modified to list their IP addresses.
We are told to make these 3rd party senders DKIM compliant.
In the EasyDMARC portal, what needs to be filled in?


Which records need to be placed in our and their DNS?

I can’t find any article which covers this process.
Thanks

Hi Tamas Nemeth, and welcome to the dmarcian forums!

Your screenshot refers to a tool developed by EasyDMARC for generating a DKIM key pair to implement on an email server.

DKIM (DomainKeys Identified Mail) uses a cryptographic key pair: a private key, which the sending email server uses to sign emails, and a public key record, which the receiving server uses to validate the signature added by the sending server. The tool creates both a private key and a corresponding public key record.

The intent is for you to add the private key to your sending server and the public key record to your domain’s DNS. This requires access to both the sending email servers and your domain’s DNS management – a process known as manual DKIM configuration setup.

In this case, the public key record is added in the following format:

  • DNS record type: TXT
  • Host name: [selector]._domainkey
  • Value: The value of the public record, starting with “v=DKIM1”.

The configuration of the private key on the email server varies depending on the mail transfer agent technology used.

However, manual DKIM configuration is now rarely necessary. Most email sending services are hosted or managed by third parties, such as Microsoft Exchange Online, Sendgrid, Mailchimp, salesforce.com, etc. If a third-party service supports DKIM, it typically includes a straightforward configuration process within their user interface, with steps unique to that service.

For instance, consider Microsoft 365, which uses Exchange Online for email sending. Let’s refer to the dmarcian sender database to review their capabilities:

Microsoft 365 DKIM Instructions

Their instructions make it clear that specific steps are required to configure DKIM within their environment. The same applies to Sendgrid:

Sendgrid DKIM Instructions

Each service has its own specific steps.

I recommend discussing with the person or team that supports your email service to identify and implement the necessary changes. Depending on the service, this might involve steps you complete with an administrator or a support request for the third party to configure on your behalf.

I hope this provides context on managing DKIM and assists you in your DMARC deployment efforts. Good luck!

1 Like
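
As an added example (not part of the forum posts, and not EasyDMARC or dmarcian tooling): a small Python check of a DKIM public key record in the format listed above, before it is published in DNS. The function names, the selector `s1`, the domain `example.com` and the sample record values are constructed for illustration.

```python
import base64
import binascii

def dkim_record_name(selector, domain):
    """DNS name of the public key TXT record: [selector]._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}".lower().rstrip(".")

def parse_tags(chunks):
    """Join TXT strings (long keys are split into several) and split tag=value pairs."""
    tags = []
    for part in "".join(chunks).split(";"):
        if part.strip():
            name, _, value = part.partition("=")
            tags.append((name.strip(), value.strip()))
    return tags

def check_dkim_record(chunks):
    """Return a list of problems found in the record (empty list: nothing found)."""
    tags = parse_tags(chunks)
    names = [n for n, _ in tags]
    rec = dict(tags)
    problems = []
    if len(names) != len(set(names)):
        problems.append("duplicate tag")
    if "v" in rec and (names[0] != "v" or rec["v"] != "DKIM1"):
        problems.append("v= must come first and equal DKIM1")
    if rec.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append("unknown key type")
    if "p" not in rec:
        problems.append("missing p= (public key)")
    elif rec["p"] == "":
        problems.append("empty p=: key is revoked")
    else:
        try:
            base64.b64decode("".join(rec["p"].split()), validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64")
    if "y" in rec.get("t", "").split(":"):
        problems.append("t=y: testing mode")
    return problems

# Constructed sample data: the p= value is a placeholder, not a real key.
SAMPLE_KEY = base64.b64encode(b"constructed placeholder, not a real public key").decode()
GOOD = ["v=DKIM1; k=rsa; p=" + SAMPLE_KEY[:20], SAMPLE_KEY[20:]]  # split over two TXT strings
REVOKED = ["v=DKIM1; p="]
BAD = ["k=rsa; v=DKIM1; p=not base64!"]

if __name__ == "__main__":
    print(dkim_record_name("s1", "example.com"), check_dkim_record(GOOD))
```
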

Hi Tamas Nemeth
If your contributors use your mail server to send out mail on your organisation's behalf, then they use the same infrastructure as all other users, and no extra configuration should be necessary. I.e. there is no need to modify either SPF or DKIM to cater for them.

If, however, you have contributors sending on your behalf from other servers, then provisions should be made in SPF, and a separate DKIM record should be set up per provider. As Asher says, many providers have this automated so they generate the keys and provide you with a DKIM record for your DNS.

That is the safer way to do DKIM key generation as only the party signing mails knows the private key, and you as domain owner authorize their use by publishing the public key as the DKIM record, for as long as your agreement lasts.

(Manual) key generation should only be done by those who will be using the private key(s), or special care must be taken when communicating the private keys, keeping them secret.

2 Likes