Hello Peter,
I agree that usually this process is not an easy one, but if you have patience I’ll try to guide you step by step through it.
Before starting please:
1/ let’s clarify for what domain we’ll have to follow the procedure (if you cannot share it here we could give it a code name like my.domain.tld, but this will definitely interfere with the process, like checking some specific DNS records from my side)
2/ let’s clarify the public IP address / addresses used to send messages for that domain
3/ please have at hand access to openssl (for example via Windows Subsystem for Linux or on a Linux virtual instance of your choice)
4/ please have at hand the procedure and credentials for managing the domain DNS
5/ in case you didn’t already find our relevant documentation (from here) please read it so we’ll have a common base of the steps to be followed
After confirming all of the above we could start “our journey”.
HTH,
Ioan