Using Sender Rule - Sign DKIM on behalf of Client


Introduction

Sometimes you need to send email with a sender address in a domain that is not hosted by your server. In this case, you cannot set up a DKIM/DomainKeys signature for that email, because you don't have permission to deploy the public key to a domain that is not hosted by your DNS server.

A typical use is email forwarding. For example, a remote email is delivered to a local user's mailbox, and that local user has set up forwarding to another remote address. With a sender rule, you can re-sign the message with DKIM for your own domain and also change MAIL FROM to comply with the SPF record.

If you don't send email from outside email addresses, or you don't need to sign those emails with DKIM/DomainKeys, you can simply ignore this topic.


How to use Sender Rule

Here is the scenario. You own the domain "emailarchitect.net" and you have DKIM/DomainKeys for "emailarchitect.net" set up on your server. There is no problem when you send emails with the sender "*@emailarchitect.net": the email will be signed correctly. At the same time, your customer has asked you to send emails with the sender "*@adminsystem.com" and to add a DKIM/DomainKeys signature to those outgoing emails. As "adminsystem.com" is your customer's domain and you don't have permission to deploy the public key to the "adminsystem.com" DNS server, you have to use a sender rule.

[Screenshot: sender_rule]

To solve the problem, you can add a sender rule like the one in the screenshot above. This rule means "If the From address is *@adminsystem.com, then add a Sender header (Sender: testuser@emailarchitect.net) to the message". The email will then be signed by "emailarchitect.net" based on the Sender header.

With the above sender rule, the email will carry a DomainKeys/DKIM signature with the domain "emailarchitect.net", and the recipient email client will display "From: testuser@emailarchitect.net on behalf of *@adminsystem.com".


Use Reply-To header instead of Sender header

If you also check "Use Reply-To header instead of Sender header", the recipient email client will display:
From: testuser@emailarchitect.net, Reply-To: *@adminsystem.com (original sender address)
We strongly suggest that you use this option for anti-spam policy.


Sign DKIM on behalf of Client Domain

In a sender rule, you can also enter only a domain name in Sender Address. In this case, the DKIM plugin doesn't insert or change the email sender, but the email will be signed with a DKIM signature for the specified domain. If you enter only a domain name (not recommended), you cannot check "Also use this sender address in MAIL FROM command (return-path)".


DKIM/DomainKeys Priority

The DKIM/DomainKeys setting has higher priority than a sender rule, which means that if a DKIM/DomainKeys setting is found for the email, the email will not be changed by the sender rule. For example, suppose you set "emailarchitect.net" in the DKIM/DomainKeys setting and add a rule like this: "if From contains *@emailarchitect.net, then ...". The sender rule won't change the email sender from *@emailarchitect.net; the email will simply be signed by DKIM/DomainKeys with "emailarchitect.net".
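
The sketch below is an added example, not the plugin's own code. It models the behaviour described on this page (priority of the DKIM setting, the Sender header, the Reply-To option and the domain-only rule) and reports whether the signing domain matches the From domain, which is what DMARC's DKIM alignment check compares. The rule dictionary, function names and sample addresses are assumptions made for illustration.

```python
from email.message import EmailMessage
from email.utils import parseaddr
from fnmatch import fnmatch

# Constructed values mirroring the page's scenario; all names are hypothetical.
DKIM_DOMAINS = {"emailarchitect.net"}  # domains with a DKIM/DomainKeys setting
RULE = {"from_pattern": "*@adminsystem.com",
        "sender": "testuser@emailarchitect.net", "use_reply_to": False}

def domain_of(addr):
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()

def make_msg(from_addr):
    """Build a constructed sample message."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = from_addr, "rcpt@example.org", "sample"
    m.set_content("constructed body")
    return m

def apply_sender_rule(msg, rule, dkim_domains=DKIM_DOMAINS):
    """Edit headers as the page describes; return the signing domain or None."""
    from_addr = parseaddr(str(msg["From"]))[1].lower()
    if domain_of(from_addr) in dkim_domains:
        return domain_of(from_addr)      # DKIM setting wins, rule is skipped
    if not fnmatch(from_addr, rule["from_pattern"]):
        return None                      # no setting and no matching rule
    sender = rule["sender"]
    if "@" not in sender:
        return sender.lower()            # domain only: sign, headers untouched
    if rule["use_reply_to"]:
        del msg["Reply-To"]              # no-op when the header is absent
        msg["Reply-To"] = from_addr      # original sender address
        msg.replace_header("From", sender)
    else:
        msg["Sender"] = sender           # shown as "Sender on behalf of From"
    return domain_of(sender)

def dkim_aligned(msg, d):
    """True when the signing domain equals the From domain (strict match)."""
    return d is not None and d == domain_of(msg["From"])

if __name__ == "__main__":
    for label, rule in [("Sender", RULE), ("Reply-To", {**RULE, "use_reply_to": True}),
                        ("domain only", {**RULE, "sender": "emailarchitect.net"})]:
        m = make_msg("alice@adminsystem.com")
        d = apply_sender_rule(m, rule)
        print(f"{label:12} d={d} From={m['From']} aligned={dkim_aligned(m, d)}")
```

In this model only the Reply-To option leaves the visible From domain equal to the signing domain; with the Sender header or a domain-only rule, the signature verifies for "emailarchitect.net" while From remains in "adminsystem.com".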
