DKIM Alignment

Please correct me if I’m wrong.

If I add the public key provided by a third party sender in my domain’s DNS zone how will it exactly help in DKIM alignment?
Since the private -public key pair is generated by the third party, and they create the DKIM-signature and the d=tag contains the domain name of the the third party sender.
While the header from address is the actual domain address of the company(attained by spoofing which is expected as the email is send on behalf of the company.)

So in this case the d tag domain and the header address do not match/align . How can it be resolved?


Typically when the DKIM is generated by the 3rd party they will associate it with your domain. If they did so using their domain, then it’s not correct for DKIM alignment. I’ll pass DKIM verification, but will fail for DKIM. they will need to make sure to set up DKIM to use your domain name (best way to do so is typically with CNAMES).

1 Like

Hi Shehzad,

Thank you so much for the reply!

I really appreciate the effort made by GCA to educate newbies in cybersecurity world.


Hi Shehzad,

I have another query related to DKIM alignment when it comes to email forwarding.
SPF alignment in this case would inevitably fail so could you please help me understand how to approach DMARC compliance using DKIM in this case?

Is it different from the DKIM alignment approach followed for a DMARC capable but DKIM unaligned domain?

Appreciate your guidance!

Alot of it depends on the system the email is being forwarded through.

If it were Google, they use ARC which preserves SPF and DKIM.

Other email service providers will just allow the pass through of DKIM (assuming the forwarding system/domain doesn’t have it’s own DKIM in place), which is why many recommend having DKIM in place with 3rd party vendors.