Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How does Sendgrid's automated security works?

Tags:

sendgrid

dkim

spf

SendGrid's automated security automate SPF and DKIM by a CNAME record. It even allows to have our own SPF and DKIM records in place directly using Domain Registrar.

How do they do it without collusion with existing SPF and DKIM records in place of domain?

like image 336
jeffbRTC Avatar asked Feb 19 '21 15:02

jeffbRTC

1 Answers

Why use Automated Security

By using CNAME records provided by Sendgrid, you delegate the ownership of Sendgrid-specific SPF and DKIM records. Whenever they need to make a change (update SPF whitelisted hostname or rotate DKIM keys), they can do it without you having to touch DNS on your end.

It's convenient.

Below is my understanding of how it works for both types of records.

DKIM

You can have multiple DKIM records (public keys) as long as they use different selectors (host names).

Ex. you may already have a DKIM record for Google Workspace (G Suite):

TXT google._domainkey.yourdomain.com "v=DKIM1; k=rsa; t=s; p=MIGM..."

When setting Sendgrid Automated Security, they will provide you with 2 CNAMEs for DKIM managed by them. E.g.

CNAME s1._domainkey.yourdomain.com s1.domainkey.uXXX.wlXXX.sendgrid.net.
CNAME s2._domainkey.yourdomain.com s2.domainkey.uXXX.wlXXX.sendgrid.net.

Selectors do not conflict with Google's and can co-exist.

If you make a DNS lookup of the CNAME you will see a proper DKIM public key:

TXT s1._domainkey.yourdomain.com "v=DKIM1; k=rsa; t=s; p=MIGM..."

SPF

You can have only one SPF TXT record per (sub)domain. Note such record can list multiple IPs/hostnames that are authenticated. With Sendgrid Automated Security, you create a CNAME for a subdomain that points to SG servers. SPF record is hosted under that subdomain.

Ex. you may already have a SPF record for Google Workspace:

TXT yourdomain.com "v=spf1 include:_spf.google.com ~all"

Sendgrid will provide you with a CNAME similar to this:

CNAME em0000.yourdomain.com u0000000.wX0X0.sendgrid.net.

It does not conflict with your existing SPF record.

If you make a DNS lookup on that CNAME you will find a SPF record:

TXT em0000.yourdomain.com "v=spf1 include:sendgrid.net ~all"
like image 121
Max Ivanov Avatar answered Sep 21 '22 22:09

Max Ivanov
Sign in to Comment

Related questions

Is there a tool to help me figure out why my emails are getting flagged as spam?
Including SendGrid breaks compile
How to add CC to SendGrid mail using C#
How to email multiple recipients in sendgrid v3 node.js
Sendgrid Authenticate with API Keys
Problems with email delivery rates through SendGrid
SendGrid (PHP library) with attachments
errors while validating whitelabel in sendgrid [closed]
How to specify the ip address SendGrid uses to send Webhook Events from
Sendgrid character encoding Header with X-SMTPAPI in C#
Laravel: Expecting response 250 but got "" with message ""
Sending email with attachments
sendgrid giving error sendgrid.Email is not a constructor
How to authenticate Inbound Mail? With SendGrid specifically?
Sendgrid sending mail with attachment using web api v3
How to parse form data using Azure Functions
Sendgrid Inbound Parse Webhook Emails are not received on Sendgrid
dynamic_template_data doesn't work with sendgrid and azure function integration

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!