Implement DKIM with as many of your third parties as possible. Most have
now realised that they can do their own key-rotation if they simply
specify two CNAME records for you to put into your zone file (rather
than issue you a key, or have you issue them one). Third-party SPF will
generally not be reliable for DMARC purposes because it will usually
contain the service-provider's domain name rather than yours and
therefore not align for DMARC purposes, quite apart from the problem of
SPF record size that you've already encountered, and the maintenance
overhead (bear in mind that you'll have to discover service-provider IP
addresses changes by noticing failures in DMARC feedback, meaning that
you'll need long term automated monitoring).
- Roland
On 3/12/18 1:32 pm, T Nguyen via dmarc-discuss wrote:
SPF authentication only, no dkim just yet. As domain controller owner
we have issue with multiple third party application email senders,
which fail specifically our spf authentication. with too many third
party email applications that overwhelms our spf records. Since these
application email providers generate email on behalf of their
customers, how can they provide domain authentication to the receiving
ends? Appreciate all the insight.
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
NOTE: Participating in this list means you agree to the DMARC Note Well terms
(http://www.dmarc.org/note_well.html)
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
NOTE: Participating in this list means you agree to the DMARC Note Well terms
(http://www.dmarc.org/note_well.html)
