How does SendGrid's automated security work?
SendGrid's automated security automates SPF and DKIM by a CNAME record. It even allows us to have our own SPF and DKIM records in place directly using the domain registrar.

How do they do it without collision with the existing SPF and DKIM records in place for the domain?

Principality answered 19/2, 2021 at 15:38

Why use Automated Security

By using CNAME records provided by Sendgrid, you delegate the ownership of Sendgrid-specific SPF and DKIM records. Whenever they need to make a change (update SPF whitelisted hostname or rotate DKIM keys), they can do it without you having to touch DNS on your end.

It's convenient.

Below is my understanding of how it works for both types of records.

DKIM

You can have multiple DKIM records (public keys) as long as they use different selectors (host names).

Ex. you may already have a DKIM record for Google Workspace (G Suite):

TXT google._domainkey.yourdomain.com "v=DKIM1; k=rsa; t=s; p=MIGM..."

When setting up SendGrid Automated Security, they will provide you with 2 CNAMEs for DKIM managed by them. E.g.

CNAME s1._domainkey.yourdomain.com s1.domainkey.uXXX.wlXXX.sendgrid.net.
CNAME s2._domainkey.yourdomain.com s2.domainkey.uXXX.wlXXX.sendgrid.net.

Selectors do not conflict with Google's and can co-exist.

If you make a DNS lookup of the CNAME you will see a proper DKIM public key:

TXT s1._domainkey.yourdomain.com "v=DKIM1; k=rsa; t=s; p=MIGM..."

SPF

You can have only one SPF TXT record per (sub)domain. Note that such a record can list multiple IPs/hostnames that are authenticated. With SendGrid Automated Security, you create a CNAME for a subdomain that points to SG servers. The SPF record is hosted under that subdomain.

Ex. you may already have an SPF record for Google Workspace:

TXT yourdomain.com "v=spf1 include:_spf.google.com ~all"

Sendgrid will provide you with a CNAME similar to this:

CNAME em0000.yourdomain.com u0000000.wX0X0.sendgrid.net.

It does not conflict with your existing SPF record.

If you make a DNS lookup on that CNAME you will find an SPF record:

TXT em0000.yourdomain.com "v=spf1 include:sendgrid.net ~all"

Eelworm answered 19/2, 2021 at 20:21
This is basically the SendGrid instructions, but it doesn't answer the question. How is the em0000.yourdomain.com CNAME correlated and checked against email received from yourdomain.com? – Telega
This answer explains how SPF works in this case - the key is that SPF authenticates the Return-Path, NOT the sender domain: https://mcmap.net/q/831868/-how-would-sendgrid-automated-security-handle-spf-record-closed – Telega
I've added Sendgrid Automated Security to an existing account. Everything configured properly and verified. I also tried a few emails and they worked. We had 0 spam reports and very high reputation (99%). Then I sent a normal newsletter to our customers and more than 30% of the emails were bounced / blocked, mainly by Gmail. Now the deliverability is completely destroyed for no reason... – Robeson
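To make the delegation in the answer above concrete, here is an added example (not from the answer, the question, or SendGrid) that models the records as a tiny in-memory zone, follows the CNAME chains the way a resolver does, and evaluates SPF against the Return-Path domain rather than the header From domain, which is the point raised in the comments. The zone contents are constructed: the CNAME targets are the placeholder names from the answer, the `ip4:` netblocks behind `sendgrid.net` and `_spf.google.com` are RFC 5737 documentation addresses, and the SPF evaluator only understands `ip4:`, `include:` and `~all`/`-all`.

```python
import ipaddress

# Constructed zone (DNS names are case-insensitive, so keys are lowercased).
# The sendgrid.net / _spf.google.com values are placeholders, not real data.
_RAW_ZONE = {
    "google._domainkey.yourdomain.com": ("TXT", "v=DKIM1; k=rsa; t=s; p=MIGM..."),
    "s1._domainkey.yourdomain.com": ("CNAME", "s1.domainkey.uXXX.wlXXX.sendgrid.net."),
    "s1.domainkey.uXXX.wlXXX.sendgrid.net": ("TXT", "v=DKIM1; k=rsa; t=s; p=MIGM..."),
    "yourdomain.com": ("TXT", "v=spf1 include:_spf.google.com ~all"),
    "em0000.yourdomain.com": ("CNAME", "u0000000.wX0X0.sendgrid.net."),
    "u0000000.wX0X0.sendgrid.net": ("TXT", "v=spf1 include:sendgrid.net ~all"),
    "sendgrid.net": ("TXT", "v=spf1 ip4:198.51.100.0/24 ~all"),      # placeholder netblock
    "_spf.google.com": ("TXT", "v=spf1 ip4:203.0.113.0/24 ~all"),    # placeholder netblock
}
ZONE = {k.lower(): v for k, v in _RAW_ZONE.items()}

def resolve_txt(name, depth=0):
    """Follow a CNAME chain like a resolver would and return the final TXT value."""
    if depth > 8:
        raise RuntimeError("CNAME chain too long")
    rtype, value = ZONE.get(name.rstrip(".").lower(), (None, None))
    if rtype == "CNAME":
        return resolve_txt(value, depth + 1)
    return value if rtype == "TXT" else None

def dkim_public_key(selector, domain):
    """Return the p= tag for <selector>._domainkey.<domain>, or None if absent."""
    rec = resolve_txt(f"{selector}._domainkey.{domain}")
    if not rec or not rec.startswith("v=DKIM1"):
        return None
    tags = dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
    return tags.get("p")

def spf_check(domain, ip, depth=0):
    """Minimal SPF evaluation of the Return-Path domain: pass / softfail / fail / neutral / none."""
    rec = resolve_txt(domain)
    if depth > 10 or not rec or not rec.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in rec.split()[1:]:
        if term.startswith("ip4:") and addr in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term.startswith("include:") and spf_check(term[8:], ip, depth + 1) == "pass":
            return "pass"
        if term == "~all":
            return "softfail"
        if term == "-all":
            return "fail"
    return "neutral"

if __name__ == "__main__":
    # Both selectors coexist: Google's is a plain TXT, s1 is reached through the CNAME.
    print(dkim_public_key("google", "yourdomain.com"), dkim_public_key("s1", "yourdomain.com"))
    # Same SendGrid IP: passes for the em0000 Return-Path, softfails for the bare domain.
    print(spf_check("em0000.yourdomain.com", "198.51.100.7"), spf_check("yourdomain.com", "198.51.100.7"))
```

The last line illustrates why the bare-domain SPF record never needs to change: receivers evaluate SPF on the Return-Path domain SendGrid uses (em0000.yourdomain.com), whose record lives behind the CNAME, while yourdomain.com keeps only the Google Workspace record.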
