We have a vendor who we would like to be able to send emails using our domain (example.com). They will be doing so by utilizing a 3rd party mass emailer. The two steps our vendor recommends are to add the IP address for the mass emailer to our SPF record and to add DKIM records.

Scenario 1 (the way we want it to work):

1. The mass emailer sends an email claiming to be from our domain.
2. The receiving email server checks our SPF record to verify the mass emailer’s IP is allowed to send emails for us.
3. The receiving email server sees the encrypted signature in the email header and checks the public key in our DKIM record to verify the email is legitimately from us.

Scenario 2 (what I’m unsure about):

1. A spammer/scammer signs up for a free trial with the mass emailer service and sends an email claiming to be from our domain (example.com).
2. The receiving email server checks our SPF record to verify the mass emailer’s IP is allowed to send emails for us.
3. The receiving email server does NOT see an encrypted signature in the email header since the spammer/scammer didn’t include one.

Does the receiving email server simply let the email through without checking for a DKIM record (since no encrypted signature was found in the header), or does the receiving email server still check if a DKIM record exists and reject/quarantine the email since there is no encrypted signature in the header?
That’s all handled through DNS and is not unique to Cloudflare. Try dmarcian.com and test your domain there. It will give you suggestions on how to tighten things up with DNS records.
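
How a DMARC-evaluating receiver combines the SPF and DKIM results for the two scenarios in the question, as an added example that is not part of the original posts. A missing signature is simply a DKIM result of "none"; the outcome depends on whether any aligned pass exists and on the domain's published DMARC policy. The `mailer.example` domain, the sample messages and the two-label `org_domain` shortcut are assumptions made for illustration.

```python
from dataclasses import dataclass, field

def org_domain(domain: str) -> str:
    # Simplification (assumption): last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(a: str, b: str) -> bool:
    # Relaxed alignment: both names share the same organizational domain.
    return org_domain(a) == org_domain(b)

@dataclass
class Message:
    header_from: str   # domain in the visible From: header
    mail_from: str     # envelope sender (Return-Path) domain; this is what SPF checks
    spf_result: str    # "pass", "fail", "none", ...
    dkim: list = field(default_factory=list)  # [(d= domain, result)]; empty if unsigned

def evaluate(msg: Message, policy: str) -> dict:
    """policy is the p= value of the From: domain's DMARC record."""
    spf_ok = msg.spf_result == "pass" and aligned(msg.mail_from, msg.header_from)
    dkim_ok = any(res == "pass" and aligned(d, msg.header_from) for d, res in msg.dkim)
    # DMARC passes if EITHER mechanism yields an aligned pass.
    dmarc = "pass" if (spf_ok or dkim_ok) else "fail"
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc": dmarc,
            "disposition": "none" if dmarc == "pass" else policy}

# Constructed sample messages (not real traffic).
# Scenario 1: vendor mail, envelope sender under example.com, signed with d=example.com.
SCENARIO_1 = Message("example.com", "bounce.example.com", "pass",
                     [("example.com", "pass")])
# Scenario 2a: unsigned mail from the same shared IP, envelope sender under example.com
# (assumes the mass emailer lets that sender be set).
SCENARIO_2A = Message("example.com", "bounce.example.com", "pass")
# Scenario 2b: unsigned mail whose envelope sender is the mass emailer's own domain.
SCENARIO_2B = Message("example.com", "bounce.mailer.example", "pass")

if __name__ == "__main__":
    for name, msg in [("1", SCENARIO_1), ("2a", SCENARIO_2A), ("2b", SCENARIO_2B)]:
        for policy in ("none", "reject"):
            print(name, policy, evaluate(msg, policy))
```
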