How does Sendgrid's automated security work?

Tags: sendgrid, dkim, spf

SendGrid's automated security automates SPF and DKIM via CNAME records. It even allows us to keep our own SPF and DKIM records in place directly at the domain registrar.

How do they do it without a collision with the SPF and DKIM records already in place for the domain?

asked Feb 19 '21 15:02 by jeffbRTC

1 Answer

Why use Automated Security

By using CNAME records provided by Sendgrid, you delegate the ownership of Sendgrid-specific SPF and DKIM records. Whenever they need to make a change (update SPF whitelisted hostname or rotate DKIM keys), they can do it without you having to touch DNS on your end.

It's convenient.

Below is my understanding of how it works for both types of records.

DKIM

You can have multiple DKIM records (public keys) as long as they use different selectors (host names).

Ex. you may already have a DKIM record for Google Workspace (G Suite):

TXT google._domainkey.yourdomain.com "v=DKIM1; k=rsa; t=s; p=MIGM..."

When setting up Sendgrid Automated Security, they will provide you with 2 CNAMEs for DKIM managed by them. E.g.

CNAME s1._domainkey.yourdomain.com s1.domainkey.uXXX.wlXXX.sendgrid.net.
CNAME s2._domainkey.yourdomain.com s2.domainkey.uXXX.wlXXX.sendgrid.net.

Selectors do not conflict with Google's and can co-exist.

If you make a DNS lookup of the CNAME you will see a proper DKIM public key:

TXT s1._domainkey.yourdomain.com "v=DKIM1; k=rsa; t=s; p=MIGM..."

SPF

You can have only one SPF TXT record per (sub)domain. Note that such a record can list multiple IPs/hostnames that are authorized. With Sendgrid Automated Security, you create a CNAME for a subdomain that points to SG servers. The SPF record is hosted under that subdomain.

Ex. you may already have an SPF record for Google Workspace:

TXT yourdomain.com "v=spf1 include:_spf.google.com ~all"

Sendgrid will provide you with a CNAME similar to this:

CNAME em0000.yourdomain.com u0000000.wX0X0.sendgrid.net.

It does not conflict with your existing SPF record.

If you make a DNS lookup on that CNAME you will find an SPF record:

TXT em0000.yourdomain.com "v=spf1 include:sendgrid.net ~all"
answered Sep 21 '22 22:09 by Max Ivanov
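The two mechanisms the answer describes (several DKIM selectors side by side, but only one SPF record per name, with the SendGrid ones reached through CNAMEs) can be checked offline against a small model of the zone. The following is an added example, not code from the question, the answer, or SendGrid; it uses a constructed in-memory zone built from the record names shown above (the `uXXX`/`wlXXX`/`u0000000.wX0X0` labels are placeholders copied from the answer, not real SendGrid hostnames, and the `p=` values are truncated stand-ins, not real keys). The resolver follows CNAME chains the way a real resolver does, the DKIM check requires exactly one key per selector, and the SPF check enforces the one-record rule (RFC 7208 treats more than one `v=spf1` record at a name as a permanent error), which is the failure mode you would hit if you pasted SendGrid's SPF into the apex record instead of leaving it on the delegated subdomain.

```python
"""Offline model of delegated (CNAME) DKIM/SPF records coexisting with existing ones.

Constructed toy zone, not live DNS. Function names are this example's own.
"""

# Constructed zone: name -> list of (rrtype, rdata). The sendgrid.net names are
# placeholders copied from the answer, not real per-account hostnames.
ZONE = {
    "google._domainkey.yourdomain.com": [("TXT", "v=DKIM1; k=rsa; t=s; p=MIGM...")],
    "s1._domainkey.yourdomain.com": [("CNAME", "s1.domainkey.uXXX.wlXXX.sendgrid.net")],
    "s2._domainkey.yourdomain.com": [("CNAME", "s2.domainkey.uXXX.wlXXX.sendgrid.net")],
    "s1.domainkey.uXXX.wlXXX.sendgrid.net": [("TXT", "v=DKIM1; k=rsa; t=s; p=MIGM...")],
    "s2.domainkey.uXXX.wlXXX.sendgrid.net": [("TXT", "v=DKIM1; k=rsa; t=s; p=MIGN...")],
    "yourdomain.com": [("TXT", "v=spf1 include:_spf.google.com ~all")],
    "em0000.yourdomain.com": [("CNAME", "u0000000.wX0X0.sendgrid.net")],
    "u0000000.wX0X0.sendgrid.net": [("TXT", "v=spf1 include:sendgrid.net ~all")],
}


def resolve_txt(zone, name, max_hops=8):
    """Follow CNAMEs from `name` and return (final_name, [TXT rdata...])."""
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        rrs = zone.get(name, [])
        cnames = [rdata for rtype, rdata in rrs if rtype == "CNAME"]
        if cnames:
            name = cnames[0]  # a name with a CNAME has no other data; keep following
            continue
        return name, [rdata for rtype, rdata in rrs if rtype == "TXT"]
    raise ValueError("too many CNAME hops")


def parse_dkim(txt):
    """Split a DKIM key record ('v=DKIM1; k=rsa; p=...') into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip()] = value.strip()
    return tags


def dkim_key(zone, selector, domain):
    """Return the parsed key for <selector>._domainkey.<domain>; exactly one must exist."""
    final_name, txts = resolve_txt(zone, f"{selector}._domainkey.{domain}")
    keys = [parse_dkim(t) for t in txts if t.startswith("v=DKIM1")]
    if len(keys) != 1:
        raise ValueError(f"{final_name}: expected 1 DKIM key, found {len(keys)}")
    return keys[0]


def spf_record(zone, name):
    """Return the single SPF record at `name`, or None; >1 is a permerror."""
    final_name, txts = resolve_txt(zone, name)
    spfs = [t for t in txts if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if len(spfs) > 1:
        raise ValueError(f"{final_name}: {len(spfs)} SPF records, permerror")
    return spfs[0] if spfs else None


def spf_includes(record):
    """List the domains named by include: terms of an SPF record."""
    return [term.split(":", 1)[1] for term in record.split()[1:]
            if term.lower().startswith("include:")]


def check_setup(zone, domain, selectors, spf_subdomain):
    """Summarize what a verifier would see for the delegated setup."""
    return {
        "dkim_keys": {s: dkim_key(zone, s, domain)["k"] for s in selectors},
        "apex_spf_includes": spf_includes(spf_record(zone, domain)),
        "subdomain_spf_includes": spf_includes(spf_record(zone, f"{spf_subdomain}.{domain}")),
    }


if __name__ == "__main__":
    print(check_setup(ZONE, "yourdomain.com", ["google", "s1", "s2"], "em0000"))
```

Running the module shows all three selectors resolving to a key and the Google and SendGrid `include:` terms living at different names. The apex record is untouched because SPF is evaluated against the envelope-from (return-path) domain, and SendGrid uses the delegated subdomain for that; putting a second `v=spf1` record at the apex instead would make `spf_record` raise, just as a real verifier would return permerror.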