Aligned Authentication method:
SPF - Yes - CNAME record
DKIM - Yes - CNAME records
Most SendGrid deployments use a dedicated subdomain. SendGrid does not host the subdomain on their DNS, but they do host the SPF and DKIM information behind CNAMEs. Some points to be aware of for SendGrid:
Do not have the customer use a Valimail SPF record. Use only the SPF record generated via the SendGrid UI. This will be a CNAME.
Ensure that the subdomain for SendGrid is set to Single Sender.
Since SendGrid publishes DKIM keys on the parent of the subdomain they use, it is important to always use customized DKIM selectors and not the default s1/s2. This is to ensure there are no selector conflicts, since many third parties also use SendGrid under the hood and would otherwise publish keys under the same s1/s2 names on the same parent domain. Some third parties do not expose the ability to customize the DKIM selectors.
If it is not possible to customize DKIM selectors, the next best approach is to use a sub-subdomain. For example, if the org domain is foo.com, the standard approach would be to create a subdomain in the SendGrid UI like em123.foo.com. This would result in DKIM keys on foo.com. In the sub-subdomain example, the approach should be to create, in SendGrid, something like em123.email.foo.com. In this case, email.foo.com is dedicated to SendGrid. This would result in the SPF record being on em123.email.foo.com and the DKIM keys being on email.foo.com. In this example, DKIM for email.foo.com can optionally be delegated to Valimail, or it can be done manually. Since this will be the only service using this subdomain, there is no need to delegate it to Valimail.
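To make the record placement concrete, here is an added example (not SendGrid's or Valimail's code) that derives where the SPF CNAME and the DKIM CNAMEs land for a given SendGrid authenticated domain, and flags selector collisions against DKIM names already in DNS. It assumes only what the notes above state: the SPF CNAME sits on the authenticated domain itself and the DKIM CNAMEs sit one label up, on its parent. The "already in DNS" list is constructed sample data.

```python
"""Where do SendGrid's SPF and DKIM CNAMEs land, and do the selectors clash?

Added example, not SendGrid's or Valimail's code. Assumption (from the notes
above): SendGrid puts the SPF CNAME on the authenticated domain and the DKIM
CNAMEs on that domain's parent, under <selector>._domainkey.<parent>.
"""

DEFAULT_SELECTORS = ("s1", "s2")  # SendGrid's default selector pair


def parent_domain(name: str) -> str:
    """Strip the leftmost label: em123.foo.com -> foo.com."""
    labels = name.strip(".").lower().split(".")
    if len(labels) < 3:
        # A bare org domain has no parent to publish keys on; refuse rather than guess.
        raise ValueError(f"{name!r} is not a subdomain of an org domain")
    return ".".join(labels[1:])


def sendgrid_record_hosts(authenticated_domain, selectors=DEFAULT_SELECTORS):
    """Return the DNS owner names SendGrid will ask the customer to create."""
    parent = parent_domain(authenticated_domain)
    return {
        "spf_cname": authenticated_domain.lower().strip("."),
        "dkim_cnames": [f"{s.lower()}._domainkey.{parent}" for s in selectors],
        "dkim_zone": parent,
    }


def selector_conflicts(planned_hosts, existing_dkim_hosts):
    """DKIM owner names that already exist in DNS, i.e. would clash or be overwritten."""
    existing = {h.lower().rstrip(".") for h in existing_dkim_hosts}
    return sorted(h for h in planned_hosts["dkim_cnames"] if h in existing)


if __name__ == "__main__":
    # Constructed sample: some third-party tool already authenticated foo.com
    # through SendGrid with the default s1/s2 selectors.
    already_in_dns = ["s1._domainkey.foo.com", "s2._domainkey.foo.com"]

    standard = sendgrid_record_hosts("em123.foo.com")
    print("standard layout, default selectors:", standard)
    print("  conflicts:", selector_conflicts(standard, already_in_dns))  # both clash

    custom = sendgrid_record_hosts("em123.foo.com", ("sg1", "sg2"))
    print("standard layout, custom selectors:", custom)
    print("  conflicts:", selector_conflicts(custom, already_in_dns))  # none

    nested = sendgrid_record_hosts("em123.email.foo.com")
    print("sub-subdomain layout:", nested)
    print("  conflicts:", selector_conflicts(nested, already_in_dns))  # none: keys live on email.foo.com
```

Run it before a customer creates the records: a non-empty conflict list for the standard layout means either custom selectors or the sub-subdomain layout is needed, exactly the decision the two notes above describe.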
If the customer has dedicated IP addresses with hostnames in the customer's DNS, there is no need to add Netblocks to the configuration for these IPs, since the subdomain is set to Single Sender.
If importing an existing SendGrid DKIM key, ensure that both keys are imported.
Some old implementations of SendGrid use a single DKIM key using the m1 selector. Two things to remember in this situation when adding the DKIM key to the configuration:
When looking at the DMARC data for SendGrid, look at any other DKIM keys that are associated with the email. These can be clues as to whether this is a native SendGrid setup or a third party using SendGrid under the hood.
When looking at the DMARC data for SendGrid, look at the PTR name. This can be a clue as to whether this is a native SendGrid setup or a third party using SendGrid under the hood.
Do a DNS lookup of the SPF domain and see if there is a UID/WL ID embedded in the SPF CNAME or the MX record. If so, add this to the configuration when adding the service in the Enforce UI. This can be seen in the example below:
Some older instances of SendGrid will use the smtpapi DKIM selector.
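The identification steps above (checking the SPF domain's CNAME target for an embedded UID/WL ID, and reading the DKIM selectors and other signatures in the DMARC data) can be scripted. The following is an added example, not part of these notes and not SendGrid's or Valimail's code. The DNS answers are constructed inline so it runs offline; the `u<digits>.wl<digits>.sendgrid.net` shape of the CNAME target is an assumption about how the UID and WL ID are embedded, and the classification strings are heuristics that follow the notes above (s1/s2 default, m1 and smtpapi legacy, anything else customised, other signing domains pointing at a third party).

```python
"""Identify a SendGrid deployment from its SPF domain and DMARC DKIM data.

Added example, not SendGrid's or Valimail's code. Assumptions:
- the SPF domain's CNAME (or MX) target embeds the IDs as u<uid>.wl<wl>.sendgrid.net;
- selector meanings follow the notes above (s1/s2 default, m1/smtpapi legacy).
"""
import re

# Assumed target shape; treat the pattern as an assumption, not a documented format.
SENDGRID_ID_RE = re.compile(r"^u(?P<uid>\d+)\.wl(?P<wl>\d+)\.sendgrid\.net\.?$", re.I)

# Constructed DNS answers (owner name -> (rtype, target)) standing in for real lookups.
SAMPLE_DNS = {
    "em123.foo.com.": ("CNAME", "u1234567.wl123.sendgrid.net."),
    "em987.bar.example.": ("CNAME", "sendgrid.net."),  # no IDs embedded
}

DEFAULT_SELECTORS = {"s1", "s2"}
LEGACY_SELECTORS = {"m1", "smtpapi"}  # single-key selectors seen on old setups


def lookup(name, dns=SAMPLE_DNS):
    """Offline stand-in for a DNS query; returns (rtype, target) or None."""
    return dns.get(name.lower().rstrip(".") + ".")


def sendgrid_ids(spf_domain, dns=SAMPLE_DNS):
    """Return {'uid': ..., 'wl': ...} if the SPF domain's CNAME/MX target embeds them, else None.

    A non-None result is what gets entered alongside the service in the Enforce UI."""
    rec = lookup(spf_domain, dns)
    if rec is None:
        return None
    _rtype, target = rec
    match = SENDGRID_ID_RE.match(target)
    return match.groupdict() if match else None


def classify_dkim(selectors_seen, signing_domains_seen, expected_dkim_domain):
    """Heuristic read of DMARC DKIM data for one SendGrid source.

    selectors_seen: DKIM s= values observed; signing_domains_seen: DKIM d= values
    observed; expected_dkim_domain: where SendGrid's own keys live (the parent of
    the authenticated subdomain, e.g. foo.com for em123.foo.com)."""
    selectors = {s.lower() for s in selectors_seen}
    other_signers = {d.lower() for d in signing_domains_seen} - {expected_dkim_domain.lower()}
    if other_signers:
        return "likely third party using SendGrid (other DKIM signatures present)"
    if not selectors:
        return "no DKIM signature seen"
    if selectors & LEGACY_SELECTORS:
        return "legacy SendGrid setup (single key; import both keys if present)"
    if selectors <= DEFAULT_SELECTORS:
        return "native SendGrid, default selectors (selector conflict risk)"
    return "native SendGrid, customised selectors"


if __name__ == "__main__":
    print("em123.foo.com ->", sendgrid_ids("em123.foo.com"))        # ids found
    print("em987.bar.example ->", sendgrid_ids("em987.bar.example"))  # None
    print(classify_dkim(["s1", "s2"], ["foo.com"], "foo.com"))
    print(classify_dkim(["m1"], ["foo.com"], "foo.com"))
    print(classify_dkim(["s1", "k1"], ["foo.com", "crm.example"], "foo.com"))
```

In practice `lookup` would be replaced by a real resolver call against the customer's SPF domain, and the selector and signing-domain inputs come from the DMARC aggregate data for the SendGrid source; the PTR-name check from the notes is a separate signal and is not modelled here.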