Hiya. Hoping this is the right forum to place this.
In brief, is it possible to separate the SPF + DKIM domain linking with disroot services?
I want to link a custom domain to my disroot account. But I don’t want to add disroot’s servers to my SPF record. Instead what I’d like to have happen is the below mailflow. Effectively for outbound mail on my domain, I’d effectively be using disroot as a mail relay. Using foobar.net as an example/placeholder below
- My mail clients connects to my local, private mail server (foobar.net) to send outbound email via SMTP. (MailFrom of firstname.lastname@example.org)
- My mail server adds the DKIM signature + header to the mail (sig1._domainkey.foobar.net)
- My mail server relays the email to disroot (authenticating with my disoort.org account)
- Disroot takes the mail item and forwards it along to the destination (SMTP Return-Path of email@example.com)
Then when the receiver on the other end gets the mail message:
- They observe the Return-Path is firstname.lastname@example.org and SPF checks out as the originating IP address/host is valid for this domain (knopi.disroot.org)
- They complete the DKIM validation against sig1._domainkey.foobar.net and have that check out
- When evaluating with DMARC they find alignment using DKIM, allowing the mail to be authenticated
So that’s the idea in my head. Is this technically feasible when domain linking or must all mail (for purposes of Return-Path/SPF) must be the same as the MailFrom with the server setup disroot uses?