SPF: Supported (dedicated subdomain)
DKIM: Recommended



This article covers the SPF and DKIM authentication processes for Sendgrid and how they are managed in Valimail Enforce. While only one of the two authentication methods is required for an email to pass DMARC, our recommendation is to configure both whenever possible.

Sendgrid typically uses a dedicated subdomain for DKIM and SPF configuration.








Configuring DKIM authentication for your Sendgrid emails



1. Login to your SendGrid admin account.


2. In the SendGrid UI, select Settings -> Sender Authentication.


3. In the domain authentication section, click Get Started.


4. Next, add in information about your DNS host, and indicate whether you also want to set up link branding. Click Next.


5. Fill in the domain that you want to send from and add advanced settings as needed. Make sure that you only enter the name of your root domain. Do not include www or http://www in this field. Your domain needs to match the domain of your FROM address on the emails you are sending out. For example, if I am sending an email from example@sendgrid.com, I would set my domain authentication domain to be sendgrid.com. Click Next.

6. Next, you need to add the 2 CNAME DKIM records to Valimail Enforce and the 3rd CNAME record to your DNS host.


7. Once you publish the 2 DKIM keys in Valimail Enforce and the 3rd CNAME record in your DNS host, return to the Sender authentication page in the Sendgrid console and click Verify.



Note: It can take up to 24-48 hours for the records to verify after you upload them into Valimail Enforce and your DNS host, so you will likely have to come back later to verify.


You can find these instructions on how to set up DKIM for your domain in Sendgrid here.



Below is an example of the CNAME values under the HOST column as they are displayed and how you will need to enter them into your DNS management with one of these providers:


a. Record Name: em722.yourdomain.com

    Record Type: CNAME

    Record Value: u20722350.wl101.sendgrid.net


b. Record Name: s1

    Record Type: CNAME

    Record Value: s1.domainkey.u20722350.wl101.sendgrid.net


c. Record Name: s2

    Record Type: CNAME

    Record Value: s2.domainkey.u20722350.wl101.sendgrid.net



IMPORTANT: The entries in the VALUE or POINTS TO field of the 2 DKIM keys are the ones that need to be added in Valimail Enforce.

Records that look like b and c need to be added in Valimail Enforce; the record that looks like a needs to be added in your DNS host.






Add a Sendgrid DKIM key in Enforce


1. Go to your domain's Configuration page in Valimail Enforce and publish the newly created DKIM key.


    a. Scroll down and add the two DKIM keys to your configuration by clicking on Add a DKIM key.

    b. Enter the selector name, CNAME target value, associate the keys with Sendgrid and then click Add.







Set up a custom DKIM key for your domain in Sendgrid


It is important to remember that the s1 and s2 DKIM key selectors are the default ones that Sendgrid issues.

Therefore, if you already have one Sendgrid instance configured with the s1 and s2 selectors and your organization uses additional Sendgrid instances, or other services that use Sendgrid under the hood, you will need to set up a custom DKIM key with a custom DKIM selector for those instances/services.


You can find the instructions on how to set up a custom DKIM key in Sendgrid here.
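
The split between records a, b and c, and the s1/s2 selector collision described above, can be checked before anything is published. The following is an added example, not Valimail or Sendgrid code; the function names are hypothetical, and the target pattern is assumed from the sample values in this article.

```python
import re

# Target shape taken from this article's sample values, e.g.
# s1.domainkey.u20722350.wl101.sendgrid.net (assumed to hold for other accounts).
DKIM_TARGET = re.compile(r"^(?P<sel>[a-z0-9-]+)\.domainkey\.(?P<acct>u\d+\.wl\d+\.sendgrid\.net)$")

def norm(name):
    """Lower-case a DNS name and drop the trailing dot."""
    return name.strip().lower().rstrip(".")

def selector_of(record_name, domain):
    """Reduce 's1', 's1._domainkey' or 's1._domainkey.<domain>' to 's1'."""
    name = norm(record_name)
    for suffix in ("." + norm(domain), "._domainkey"):
        if name.endswith(suffix):
            name = name[: -len(suffix)]
    return name

def plan_records(records, domain, selectors_in_use=()):
    """Sort Sendgrid's CNAME rows into Enforce DKIM keys and DNS-host records."""
    plan = {"enforce": [], "dns_host": [], "problems": []}
    taken = {s.lower() for s in selectors_in_use}
    accounts = set()
    for name, value in records:
        target = norm(value)
        m = DKIM_TARGET.match(target)
        if m is None:
            # Not a DKIM key pointer: publish at the DNS host (record "a").
            plan["dns_host"].append((norm(name), target))
            continue
        sel = selector_of(name, domain)
        accounts.add(m.group("acct"))
        if sel != m.group("sel"):
            plan["problems"].append(f"{sel}: target names selector {m.group('sel')}")
        if sel in taken:
            plan["problems"].append(f"{sel}: selector already in use, request a custom one")
        taken.add(sel)
        plan["enforce"].append((sel, target))
    if len(accounts) > 1:
        plan["problems"].append("DKIM targets carry different u/wl labels")
    return plan

# The article's sample rows a, b and c.
SAMPLE = [
    ("em722.yourdomain.com", "u20722350.wl101.sendgrid.net"),
    ("s1", "s1.domainkey.u20722350.wl101.sendgrid.net"),
    ("s2", "s2.domainkey.u20722350.wl101.sendgrid.net"),
]
```

Pass the selectors already configured for the domain as `selectors_in_use`; any entry in `problems` should be resolved before the keys are added in Enforce.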






Configuring SPF authentication for your Sendgrid emails


Once you establish that Sendgrid is an authorized sender for your domain, you will need to add the service in your Enabled Senders list in Enforce.


1. Please go to your domain's Configuration page in Enforce.

2. Click on the + sign from the Enabled Senders section:



3. Choose Sendgrid from the list of configurable senders and then click Enable:



Note: The Sendgrid ID and WL ID are optional but if they are given to you by the service, we recommend you add them as well. Usually, they are a part of the DKIM records' values.


We encourage you to use the comment section for any useful information about your sending service, such as the name of the service owner, change request ticket numbers, etc.





As always, if you have any questions, please don't hesitate to submit a ticket.