Issue
SendGrid's automated security automate SPF and DKIM by a CNAME record. It even allows to have our own SPF and DKIM records in place directly using Domain Registrar.
How do they do it without collusion with existing SPF and DKIM records in place of domain?
Solution
Why use Automated Security
By using CNAME records provided by Sendgrid, you delegate the ownership of Sendgrid-specific SPF and DKIM records. Whenever they need to make a change (update SPF whitelisted hostname or rotate DKIM keys), they can do it without you having to touch DNS on your end.
It's convenient.
Below is my understanding of how it works for both types of records.
DKIM
You can have multiple DKIM records (public keys) as long as they use different selectors (host names).
Ex. you may already have a DKIM record for Google Workspace (G Suite):
TXT google._domainkey.yourdomain.com "v=DKIM1; k=rsa; t=s; p=MIGM..."
When setting Sendgrid Automated Security, they will provide you with 2 CNAMEs for DKIM managed by them. E.g.
CNAME s1._domainkey.yourdomain.com s1.domainkey.uXXX.wlXXX.sendgrid.net.
CNAME s2._domainkey.yourdomain.com s2.domainkey.uXXX.wlXXX.sendgrid.net.
Selectors do not conflict with Google's and can co-exist.
If you make a DNS lookup of the CNAME you will see a proper DKIM public key:
TXT s1._domainkey.yourdomain.com "v=DKIM1; k=rsa; t=s; p=MIGM..."
SPF
You can have only one SPF TXT record per (sub)domain. Note such record can list multiple IPs/hostnames that are authenticated. With Sendgrid Automated Security, you create a CNAME for a subdomain that points to SG servers. SPF record is hosted under that subdomain.
Ex. you may already have a SPF record for Google Workspace:
TXT yourdomain.com "v=spf1 include:_spf.google.com ~all"
Sendgrid will provide you with a CNAME similar to this:
CNAME em0000.yourdomain.com u0000000.wX0X0.sendgrid.net.
It does not conflict with your existing SPF record.
If you make a DNS lookup on that CNAME you will find a SPF record:
TXT em0000.yourdomain.com "v=spf1 include:sendgrid.net ~all"
Answered By - Max Ivanov Answer Checked By - Dawn Plyler (PHPFixing Volunteer)
0 Comments:
Post a Comment
Note: Only a member of this blog may post a comment.