How would SendGrid Automated Security handle SPF record? [closed]
I use SendGrid and I have 2 dedicated IPs... My website sends its emails using SendGrid.

At the same time I use G Suite and I personally send my emails using G Suite (Google Workspace)

I want to setup DKIM and SPF records. SendGrid documentation has an option called Automated Security:

Automated security allows SendGrid to handle the signing of your DKIM and authentication of your SPF for your outbound email with CNAME records. This allows you to add a dedicated IP address or update your account without having to update your SPF record.

and later on...

When Automated Security is On, SendGrid generates 3 different CNAME records. In a later step of setting up domain authentication, you give these records to your DNS provider, and then you verify that they upload correctly.

If you select Off, we generate 1 MX record and 2 TXT records. In a later step of setting up domain authentication, you give these records to your DNS provider, and then you verify that they upload correctly.

So when Automated Security is ON I won't need to add any SPF and DKIM record; instead I have added the 3 CNAME records that are required for Automated Security...

On the other hand I am also using G Suite and G Suite wants me to add DKIM and the following SPF record:

v=spf1 include:_spf.google.com ~all 

From what I understand, the above SPF record means that _spf.google.com is the only server that should be sending my emails...

So my question is: Is adding the G Suite SPF record conflicting with SendGrid Automated Security? Is my SPF record saying that my SendGrid dedicated IPs are not allowed to send email?

Imagine Yahoo's mail server receives an email from one of my dedicated IPs (SendGrid)... how would Yahoo know that I am using Automated Security and that the SPF record is handled by SendGrid? Because if Yahoo checked the SPF record, the SPF record is telling it that only _spf.google.com is allowed to send my emails?

Skurnik answered 19/4, 2021 at 5:21 Comment(1)
Try asking this on serverfault.com; it's about server software configuration, not programming - AFAICT. Matzo

Just a note: Your question would probably do better at the Server Fault forum.

To answer your question: No, the SPF record where you list G Suite is not conflicting with your SendGrid setup.

What is important to understand is: SPF says absolutely nothing about who is allowed to send emails FROM your domain. SPF authenticates the Return-Path address instead, and you're creating a subdomain for the bounce messages (what the Return-Path header is used for) with the CNAME delegation records in "Automated Security".

So, basically, Sendgrid is asking you to create a subdomain for them, e.g. em123.yourdomain.com, by means of a CNAME record. You delegate that subdomain over to them, targeting your personal Sendgrid tenant zone in DNS, where they create an SPF record and MX record at the root of that zone. A typical email from Sendgrid will then look like this:

from: [email protected], Return-Path: [email protected]

Thus, the receiving server will check the SPF record at em123.yourdomain.com to see if your IPs are allowed.

The other two CNAMEs are for the DKIM selector records. They point to TXT records that Sendgrid manages and rotates periodically.

So why not have Sendgrid use their domain in the Return-Path and not bother with the CNAME setup at all? DMARC demands that your Return-Path domain aligns with your FROM domain, OR that the domain used in your DKIM signatures aligns with your FROM domain. Preferably both.

Mechling answered 20/4, 2021 at 7:26 Comment(4)
Thanks for your answer Reinto... I had changed the SPF record from: v=spf1 include:_spf.google.com ~all to v=spf1 include:_spf.google.com ip4:my.sendgrid.ip ~all, i.e. added both my G Suite and SendGrid IPs in the SPF record? Is this not required? Should I remove this? Skurnik
If you configured the automated security feature, you don't need to add the IP for your SendGrid account to your SPF. You can check the headers to be sure, but the SPF will be checked on the subdomain for which you created the CNAME record. At the target, Sendgrid will maintain its own SPF record for your account. Mechling
Thanks for this... I have chosen SendGrid Automated Security. So do you mean SendGrid is holding the SPF record and that's why I don't need to include my SendGrid IP in my own SPF record? Are you able to explain where I can check the headers? Look for SPF in the email source code? Skurnik
Yes, you can look up the subdomain in DNS with type = TXT. dns.google.com/… where of course you replace the domain DNS name with your CNAME record name. For checking the headers, it depends on your email client. In Outlook you can open the properties of the email message (Internet Headers section). In Gmail you can click the 3 dots in the top-right corner and choose "show original". Look for the Return-Path header and the Authentication-Results header. Mechling
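The accepted answer's point, as an added example that is not part of the thread or of Sendgrid's tooling: a small offline model of what the receiving server does. It evaluates SPF on the Return-Path domain (following the CNAME delegation, so the G Suite record at the organizational domain is never consulted for Sendgrid mail) and then checks DMARC relaxed alignment against the From domain. The zone data, IP addresses and the tenant zone name `u123.wl.sendgrid.example` are constructed placeholders.

```python
import ipaddress
import re

# Constructed zone data for illustration (not real DNS): the mail domain with its G Suite
# SPF, and the bounce subdomain delegated by CNAME to a hypothetical Sendgrid tenant zone.
DNS = {
    ("example.com", "TXT"): ["v=spf1 include:_spf.google.com ~all"],
    ("_spf.google.com", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ~all"],  # constructed subset
    ("em123.example.com", "CNAME"): ["u123.wl.sendgrid.example"],
    ("u123.wl.sendgrid.example", "TXT"): ["v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 ~all"],
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype, depth=0):
    """Resolve a record, following CNAME chains the way a resolver does."""
    cname = DNS.get((name, "CNAME"))
    if cname and rtype != "CNAME" and depth < 8:
        return lookup(cname[0], rtype, depth + 1)
    return DNS.get((name, rtype), [])

def spf_check(domain, ip, depth=0):
    """Minimal SPF evaluator: ip4 and include mechanisms plus the all qualifier."""
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1 ")]
    if len(records) != 1 or depth > 10:  # RFC 7208: no record, duplicates or too deep
        return "none" if not records else "permerror"
    for term in records[0].split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mech.startswith("ip4:") and ipaddress.ip_address(ip) in ipaddress.ip_network(mech[4:], strict=False):
            return RESULT[qual]
        elif mech.startswith("include:") and spf_check(mech[8:], ip, depth + 1) == "pass":
            return RESULT[qual]  # include only matches when the included domain passes
        elif mech == "all":
            return RESULT[qual]
    return "neutral"

def org_domain(name):
    """Simplified organizational domain: last two labels (no public-suffix list)."""
    return ".".join(name.lower().split(".")[-2:])

def authenticate(from_hdr, return_path, client_ip):
    """SPF is checked on the Return-Path domain; DMARC then asks whether it aligns (relaxed) with From."""
    from_dom = re.search(r"@([\w.-]+)", from_hdr).group(1)
    rp_dom = re.search(r"@([\w.-]+)", return_path).group(1)
    result = spf_check(rp_dom, client_ip)
    aligned = result == "pass" and org_domain(rp_dom) == org_domain(from_dom)
    return {"spf": result, "checked_domain": rp_dom, "dmarc_spf_aligned": aligned}

# Constructed sample: one message relayed through a Sendgrid dedicated IP, as in the answer.
SENDGRID_MSG = authenticate("info@example.com", "bounces@em123.example.com", "198.51.100.10")
```

Swapping the Return-Path for a bare Sendgrid domain still passes SPF but fails alignment, which is why the CNAME delegation exists.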
