How to get the correct detail for DKIM and SPF from vendor domain to add to TXT record for our domain so vendor can send as us and not be blocked as spam.

How to get the correct detail for DKIM and SPF from vendor domain to add to TXT record for  our domain so vendor can send as us and not be blocked as spam.
Hi. thanks for looking at this problem.
An external vendor does mail outs for us.
When they do mailouts their emails sent as name@ourdomain.com get blocked since it isn't our domain sending the email.
I understand we can add their DKIM information as a TXT record to our DNS to make their domain trusted to send as us.
Do you know what detail it needs?
I have found this article
https://support.symantec.com/en_US/article.TECH132756.html

I have gotten the vendor detail from the message header of an email they have sent as us.
I can do an nslookup like this:
nslookup -type=txt "vendorselector"._domainkey."vendordomain"
and it comes back with a text record like:
v=DKIM1: p=sdfasdfafasdfasdfasdf
but there is no K or H value.
the other TXT records I have seen for DKIM have at least a K value which seems to be mostly RSA

Does anyone know if I do this kind of NSLookup and it returns that TXT record, if that is all I have to put in our DNS?

Normally I would just ask the vendor for this detail, but they don't seem to have the will to gather it.

Thanks,
Shaun
shaunwoyAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

nociSoftware EngineerCommented:
those fields are optional, at least IF k=rsa it may be left out, if you use another value for k it might very well be that you are the only one that can validate the DKIM signing.   (and you need to implement the new encryption method.).

There are even more  options to be specified see RFC:
https://tools.ietf.org/html/rfc6376#page-53
0
shaunwoyAuthor Commented:
Thanks heaps noci.
So does that mean the TXT information that comes from an NSLookup on the vendor domain is all I need for the DKIM TXT record for our domain so the vendor domain can send email on our behalf?
The objective is that our email sent by the vendor isn't marked as spam.
0
nociSoftware EngineerCommented:
The mail sender system (to the internet at large)  signs a message, it's references must be used (it it also signs your domain).
Did you verify with the vendor domain what they require? it might be very well they require you to provide the privatekey as well.
And don't forget about the selector(s). your vendor may have many keys in use (one for each server f.e.) and possibly rotating signatures.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
shaunwoyAuthor Commented:
Thanks noci. The support from the vendor aren't coming back with answers so I will use the TXT result from nslookup. I appreciate your thoughts
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
AntiSpam

From novice to tech pro — start learning today.