4 minutes reading time (787 words)

Set up Domain Authentication in SendGrid using DKIM and SPF

Guides

Saturday, 24 October 2020

8213 Hits

Step by step guide for admins on how to set up domain authentication in SendGrid using DKIM and SPF

What is DKIM?

DomainKeys Identified Mail (DKIM) adds a digital signature linked to your domain to outgoing emails, this helps to authenticate your emails and lets other email providers know that the message hasn't been modified. DKIM helps to prevent spammers from sending spoofed mail messages using a fake from address of your domain. Setting up both DKIM and SPF will help your reputation as a sender and improve email deliverability.

What is an SPF record?

An SPF record is a DNS TXT record that is used to identify all the valid sources of email for your domain. Other mail providers can look up your SPF record to see if the sender is permitted to send mail on your behalf.

In this example I'm setting up domain authentication using DKIM and SPF for SendGrid

Settings - sender authentication

Authenticate your domain - get started

DNS host: I'm not sure

Brank links: Yes

What is email link branding?

Email link branding improves deliverability by allowing click tracked images and links to be from your domain instead of sendgrid.net

If you are using SendGrid for email marketing campaigns then I'd recommend enabling link branding

You can read more about link branding here
https://sendgrid.com/docs/glossary/link-branding

Example: without email link branding

Example: with email link branding

From domain: yourdomain.com

Advanced settings:

Use automated security
SendGrid will automatically rotate the DKIM key

Use custom return path: bounces
Override the return path we create that tells mailbox providers where to find your SPF and DKIM records

What is a custom return path?

The Return-path header is the email source address used to process bounced email messages, for your messages to pass validation checks (in particular DMARC alignment) the email from address and return-path should be the same domain.

If you don't configure a custom return path then your email message headers will use SendGrids domain.

Recipients also use the return path to authenticate emails using DMARC which checks for alignment between the from domain and return path domain. Adding a custom return path means your emails will pass DMARC checks which will improve your email deliverability

This article isn't about DMARC so I won't go into too much detail, but here are some example message headers showing return-path and from address alignment

Example: Without custom return path configured
The from address and return path are different domains so they are not aligned

Example: With custom return path configured
The from address and return path are the same domain so they are aligned

Use custom DKIM selector
If the "s" DKIM selector is already in use by another service you can use one of your own choosing

This only needs to be changed if you have already used the DKIM selector "s" for something else. Check your existing DNS records to see if you have a record that looks like s1._domainkey.yourdomain.com

If you don't then leave "use a custom DKIM selector" unticked and let SendGrid automatically assign the default selector "s"