Charles Hurst


DKIM & DMARC Implementation On-Prem Exchange using Fortimail

Hi,

I've got a client who has approached me regarding implementing DKIM and DMARC. They are already running SPF.

I have implemented simple DKIM and DMARC projects previously; however, this has some complications which I would like a second opinion on.

They are implementing this using a Fortinet FortiMail to apply the DKIM signing on outgoing mail.

I have the following complications which I would like a second opinion on.

Firstly, they have three domains, which I believe gives us two options: we can either create a DKIM signing key pair for all three, or we can use CNAME records to use one key pair. What is the recommended best practice? I'm inclined to think using three separate key pairs would be best.

Secondly, they have two external companies which send emails on their behalf using their domain name (allowed spoofing to a degree). This is allowed using SPF, as their IP is listed in the allowed senders; however, to my knowledge this will not work once DKIM and DMARC are implemented. Therefore, my thoughts are that these companies need to relay the emails via the on-prem Exchange Server at the client's site; this way the emails leave via the FortiMail and have the signing applied. I believe this is fairly easy to do using receive connectors locked down to a specific IP address. Is this the best way around this issue?

Thanks
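For reference on the third-party sender scenario raised in the question, this is how a receiver evaluates DMARC identifier alignment under RFC 7489. It is an added example, not part of the original post or the hidden answer; the domains `client.example` and `vendor.example` are constructed, and `org_domain` is a simplification that takes the last two labels instead of consulting the Public Suffix List.

```python
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    # Simplification (assumption): last two labels. Real evaluators use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(ident: str, header_from: str, strict: bool = False) -> bool:
    # Strict alignment needs an exact match; relaxed only needs the same organizational domain.
    a, b = ident.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == b if strict else org_domain(a) == org_domain(b)

@dataclass
class Message:
    header_from: str        # domain in the visible From: header
    mail_from: str          # envelope sender (Return-Path) domain that SPF checked
    spf_pass: bool          # SPF result for mail_from
    dkim_pass: tuple = ()   # d= domains of DKIM signatures that verified

def dmarc(msg: Message, aspf_strict: bool = False, adkim_strict: bool = False) -> dict:
    spf_ok = msg.spf_pass and aligned(msg.mail_from, msg.header_from, aspf_strict)
    dkim_ok = any(aligned(d, msg.header_from, adkim_strict) for d in msg.dkim_pass)
    # DMARC passes when at least one mechanism both passes and aligns with From:.
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "pass": spf_ok or dkim_ok}

# Constructed sample messages, all with From: client.example
SAMPLES = {
    # Vendor uses its own bounce domain and signs with its own key: nothing aligns.
    "vendor direct, vendor envelope sender and key":
        Message("client.example", "bounce.vendor.example", True, ("vendor.example",)),
    # Vendor uses the client's domain as envelope sender; its IP is in the client's SPF.
    "vendor direct, client envelope sender":
        Message("client.example", "client.example", True),
    # Vendor relays through the on-prem Exchange; the gateway signs with d=client.example.
    "vendor relayed, signed at the gateway":
        Message("client.example", "client.example", True, ("client.example",)),
}

def evaluate_all() -> dict:
    return {name: dmarc(msg) for name, msg in SAMPLES.items()}

if __name__ == "__main__":
    for name, res in evaluate_all().items():
        print(f"{'PASS' if res['pass'] else 'FAIL'}  {name}: {res}")
```

Which envelope sender and `d=` value each external company actually uses can be read from the `Return-Path` and `Authentication-Results` headers of a message they have sent.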
ASKER CERTIFIED SOLUTION
Steve
Charles Hurst

ASKER

Thanks Steve,

That's massively helpful, seems like I was on the right track but there are other ways to perform this (better ways if we are being honest). I did lots of googling but didn't find any articles as good as those.
Anytime :-)