SPF, DomainKeys and DKIM for alternate domain authenticaton
Solution 1:
As an email sender properly configuring your server goes a long way toward establishing credibility/trust. Almost all evaluation is automated now, and many organizations are selective on what they publish. A majority of the connections to my server is clearly spam.
1) Who generates the keys? example.com or example.org? (I am pretty sure that example.org would make the keys, then send us the public for DNS, but not sure)
You can use the existing key to sign for both domains. The trick is to sign the email using the correct signer. I extract the domain from the sender address and sign as that domain.
It is perfectly acceptable to have multiple active public keys with different selectors. During key replacement you will want the old and new keys active. Keys should be replaced periodically.
If you are acting as a relay server and example.org
are signing, they need to generate the key they use. Whoever is maintaining the DNS for the signing domain will need add the public key for the selector used to sign the messages.
It is safest to generate the key on the signing server. That will eliminate the need to have the private key anywhere else. The public key is public and will be published, so there is no need to secure it.
Many large organizations fail to publish their public keys. I commend you for your efforts to get it right.
2) Would I need both SPF and keys or would keys alone be enough to authenticate the other domain and allow it to pass authentication? ( I am in a position where I would like to use only keys)
Both SPF and DKIM are entirely optional, but they do help distinguish your server from a spambot. I recommend using SPF for all domains. This can be as simple as v=spf1 a mx -all
for domains sending email, v=spf1 a -all
for mail servers, and v=spf1 -all
for all other domains.
3) Which one is better to use in terms of provider checking? For example, are providers even checking keys as much as they are SPF?
SPF is more reliable, but I believe most large sites are checking both DKIM and SPF. A pass with a strict SPF policy is a good indicator that the email is valid. In my experience SPF is used by many organizations to evaluate messages.
For mail servers, I defer acceptance of messages unless: there is no SPF policy for either the mail server's domain or its parent; or SPF passes SPF valiation for its domain or its parent. Soft passes are are considered failures.
As I noted, many large organizations have failed to publish they DKIM public key. As a result I doubt failing DKIM on its own will cause much of an issue. A valid DKIM signature does seem to help establish credibility/trust. However, if you have published a DMARC record its policy may be applied.
Publishing a DMARC record for the domain allows you to make you SPF and DKIM signing policies available for automated validation. DMARC allows the receiving server to send you details on where email for your domains are arriving from, and how they were handled. Both Gmail and Yahoo send me reports. Start with a notify only policy until you are sure your mail is correctly signed, and SPF is working.