Issue
I use SendGrid and I have 2 dedicated IPs... My website sends its emails using SendGrid.
At the same time I use G Suite, and I personally send my emails using G Suite (Google Workspace).
I want to set up DKIM and SPF records. SendGrid documentation has an option called Automated Security:
Automated security allows SendGrid to handle the signing of your DKIM and authentication of your SPF for your outbound email with CNAME records. This allows you to add a dedicated IP address or update your account without having to update your SPF record.
and later on...
When Automated Security is On, SendGrid generates 3 different CNAME records. In a later step of setting up domain authentication, you give these records to your DNS provider, and then you verify that they upload correctly.
If you select Off, we generate 1 MX record and 2 TXT records. In a later step of setting up domain authentication, you give these records to your DNS provider, and then you verify that they upload correctly.
So when Automated Security is ON I won't need to add any SPF and DKIM records; instead I have added the 3 CNAME records that are required for Automated Security...
On the other hand I am also using G Suite and G Suite wants me to add DKIM and the following SPF record:
v=spf1 include:_spf.google.com ~all
From what I understand, the above SPF record means that _spf.google.com is the only server that should be sending my emails...
So my question is: Is adding the G Suite SPF record conflicting with SendGrid Automated Security? Is my SPF record saying that my SendGrid dedicated IPs are not allowed to send email?
Imagine a Yahoo mail server receives an email from one of my dedicated IPs (SendGrid)... how would Yahoo know that I am using Automated Security and the SPF record is handled by SendGrid? Because if Yahoo checked the SPF record, the SPF record is telling it that only _spf.google.com is allowed to send my emails?
Solution
Just a note: Your question would probably do better at the Server Fault forum.
To answer your questions:
No, the SPF record where you list G Suite is not conflicting with your SendGrid setup.
What is important to understand is: SPF says absolutely nothing about who is allowed to send emails FROM your domain. SPF authenticates the Return-Path address instead, and you're creating a subdomain for the bounce messages (what the Return-Path header is used for) with the CNAME delegation records in "Automated Security".
So, basically, SendGrid is asking you to create a subdomain for them, e.g. em123.yourdomain.com, by means of a CNAME record. You delegate that subdomain over to them, targeting your personal SendGrid tenant zone in DNS, where they create an SPF record and MX record at the root of that zone. A typical email from SendGrid will then look like this:
from: you@yourdomain.com, Return-Path: bounces@em123.yourdomain.com
Thus, the receiving server will check the SPF record at em123.yourdomain.com to see if your IPs are allowed.
The other two CNAMEs are for the DKIM selector records. They point to TXT records that SendGrid manages and rotates periodically.
So why not have SendGrid use their domain in the Return-Path and not bother with the CNAME setup at all?
DMARC demands that your Return-Path domain aligns with your FROM domain, OR that the domain used in your DKIM signatures aligns with your FROM domain. Preferably both.
Answered By - Reinto Answer Checked By - Robin (PHPFixing Admin)
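The check described in the answer, as an added example (not part of the original answer and not SendGrid's or Google's code): a minimal SPF evaluator over a constructed in-memory zone, showing that the receiver evaluates SPF at the Return-Path domain and that DMARC then compares that domain with the From domain. The zone contents, the `sendgrid.example` CNAME target, the IP addresses and the two-label organizational-domain shortcut are assumptions.

```python
import ipaddress

# Constructed zone data (assumption): record contents, the CNAME target and
# the documentation-range IPs are placeholders, not real published records.
ZONE = {
    ("yourdomain.com", "TXT"): "v=spf1 include:_spf.google.com ~all",
    ("_spf.google.com", "TXT"): "v=spf1 ip4:192.0.2.0/24 ~all",
    ("em123.yourdomain.com", "CNAME"): "u123.wl.sendgrid.example",
    ("u123.wl.sendgrid.example", "TXT"): "v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 -all",
}

def lookup_txt(name, depth=0):
    """Return the TXT record for name, following CNAME delegation first."""
    if (name, "CNAME") in ZONE and depth < 5:
        return lookup_txt(ZONE[(name, "CNAME")], depth + 1)
    return ZONE.get((name, "TXT"))

def spf_check(ip, domain, depth=0):
    """Minimal SPF evaluation: handles only ip4, include and all."""
    record = lookup_txt(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"
    quals = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qual = quals.get(term[0])
        mech = term[1:] if qual else term
        result = qual or "pass"  # no qualifier means "+"
        if mech == "all":
            return result
        if mech.startswith("ip4:") and ipaddress.ip_address(ip) in ipaddress.ip_network(mech[4:], strict=False):
            return result
        if mech.startswith("include:") and spf_check(ip, mech[8:], depth + 1) == "pass":
            return result
    return "neutral"

def org_domain(domain):
    # Simplification (assumption): last two labels; real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def dmarc_spf_aligned(header_from, return_path, ip):
    """SPF is checked at the Return-Path domain; DMARC (relaxed) then aligns it with From."""
    rp_domain = return_path.rsplit("@", 1)[1]
    from_domain = header_from.rsplit("@", 1)[1]
    spf = spf_check(ip, rp_domain)
    return spf, spf == "pass" and org_domain(rp_domain) == org_domain(from_domain)
```

With a Return-Path at `em123.yourdomain.com` the SendGrid IP passes SPF and aligns with the From domain; with a Return-Path on the provider's own domain SPF still passes but alignment fails, which is the reason for the CNAME delegation.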