
Email Authentication (SPF/DKIM/DMARC)

Overview

Modern email delivery combines several authentication technologies so that receiving servers can detect spoofed mail (phishing and spam sent with a forged sender).

| Technology | Purpose |
| --- | --- |
| SPF | Validates that the sending server's IP address is authorized for the domain |
| DKIM | Guarantees message authenticity and integrity via a digital signature |
| DMARC | Combines SPF/DKIM results with alignment into a policy, tells receivers how to handle failures, and provides reporting |

Properly configuring these three technologies improves email deliverability and strengthens brand trust.


SPF (Sender Policy Framework)

How It Works

SPF publishes, in a DNS TXT record, the list of servers authorized to send mail for a domain. The receiving server takes the domain from the Envelope From (Return-Path, the SMTP MAIL FROM address), looks up that domain's SPF record, and checks whether the IP address of the connecting server appears in it.

Example DNS TXT Record

v=spf1 include:sendgrid.net ~all

| Element | Description |
| --- | --- |
| v=spf1 | SPF version 1 |
| include:sendgrid.net | Add the senders listed in SendGrid's own SPF record to the allowed list |
| ~all | SoftFail: senders not in the list fail softly (usually accepted but marked as suspicious) |
| -all | Fail: senders not in the list should be rejected |

Under DMARC both ~all and -all count as an SPF failure; the difference only matters to receivers that act on SPF alone.
SPF Considerations
  • A domain may publish only one SPF record (one TXT record beginning with v=spf1). If a receiver finds more than one, the result is PermError and SPF fails for every message.
  • SPF allows at most 10 DNS-querying terms (include, a, mx, ptr, exists and the redirect modifier) per evaluation, counted across nested includes. Exceeding the limit is also a PermError, so stacking several providers' include records is a common cause of failure.
  • SPF breaks when mail is forwarded, because the forwarding server's IP is not in the original sender's record. DKIM signatures survive forwarding, which is why the two are combined.
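As an added example (not code from this page or from SendGrid), the following Python evaluates an SPF record against a constructed, hypothetical DNS snapshot and applies the two limits above: it raises a PermError when a name publishes two SPF records and when nested includes need more than 10 lookups. The domain names, IP ranges and the ZONE_TXT dictionary are made up; a real check would fetch TXT records with a resolver library. Only ip4, ip6, include, redirect and all are evaluated; a, mx, ptr and exists are counted toward the limit but not resolved, since the snapshot has no A/MX/PTR data.

```python
import ipaddress

# Constructed DNS snapshot used in place of live lookups (hypothetical names).
# A real tool would fetch TXT records with a resolver such as dnspython.
ZONE_TXT = {
    "example.com": ["v=spf1 include:_spf.mailer.example ip4:203.0.113.0/24 -all"],
    "_spf.mailer.example": ["v=spf1 ip4:198.51.100.0/24 include:_spf2.mailer.example ~all"],
    "_spf2.mailer.example": ["v=spf1 ip6:2001:db8::/32 -all"],
    # Misconfiguration: two SPF records on one name.
    "broken.example": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 include:_spf.mailer.example -all"],
}
# Misconfiguration: an include chain 11 levels deep (exceeds the 10-lookup limit).
for i in range(11):
    ZONE_TXT[f"hop{i}.example"] = [f"v=spf1 include:hop{i + 1}.example -all"]
ZONE_TXT["hop11.example"] = ["v=spf1 ip4:192.0.2.1 -all"]

MAX_LOOKUPS = 10                                      # RFC 7208, section 4.6.4
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class SPFPermError(Exception):
    """Raised where a real receiver would return PermError."""


def spf_record(domain):
    """Return the single SPF record for a name, None if absent, PermError if duplicated."""
    records = [r for r in ZONE_TXT.get(domain.lower(), []) if r.split()[0].lower() == "v=spf1"]
    if len(records) > 1:
        raise SPFPermError(f"{domain}: {len(records)} SPF records published, only one is allowed")
    return records[0] if records else None


def _check(ip, domain, counter):
    record = spf_record(domain)
    if record is None:
        return "none"
    redirect = None
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term and ":" not in term:          # modifier, e.g. redirect=domain
            name, _, value = term.partition("=")
        else:                                        # mechanism, e.g. ip4:... or include:...
            name, _, value = term.partition(":")
        name = name.lower()
        if name in LOOKUP_TERMS:
            counter["lookups"] += 1                  # counted across nested includes
            if counter["lookups"] > MAX_LOOKUPS:
                raise SPFPermError(f"{domain}: more than {MAX_LOOKUPS} DNS lookups required")
        if name in ("ip4", "ip6"):
            # An IPv4 address is never "in" an IPv6 network and vice versa.
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = _check(ip, value, counter)
            if inner == "none":
                raise SPFPermError(f"include:{value} has no SPF record")
            if inner == "pass":                      # only a pass inside an include matches
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
        elif name == "redirect":
            redirect = value                         # applies only if nothing else matched
        # a, mx, ptr, exists are counted above but need data this snapshot lacks.
    if redirect:
        return _check(ip, redirect, counter)
    return "neutral"


def evaluate_spf(client_ip, mail_from_domain):
    """Return (result, dns_lookups_used) for a connecting IP and MAIL FROM domain."""
    counter = {"lookups": 0}
    result = _check(ipaddress.ip_address(client_ip), mail_from_domain, counter)
    return result, counter["lookups"]


if __name__ == "__main__":
    for ip, domain in [("203.0.113.7", "example.com"), ("2001:db8::1", "example.com"),
                       ("192.0.2.50", "example.com"), ("192.0.2.1", "broken.example"),
                       ("192.0.2.1", "hop0.example")]:
        try:
            print(ip, domain, evaluate_spf(ip, domain))
        except SPFPermError as e:
            print(ip, domain, "permerror:", e)
```

The lookup counter is shared across the recursion on purpose: the limit applies to the whole evaluation, not to each record, which is why an innocent-looking include of a provider that itself includes several others can push a domain over the edge.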

DKIM (DomainKeys Identified Mail)

How It Works

DKIM uses digital signatures to prove email authenticity. The sender (e.g., SendGrid) signs the email headers and body with a private key, and the receiver verifies it using the public key published in DNS.

Example DKIM Signature (Email Header)

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
s=s1; h=from:to:subject:date; bh=...; b=...

| Field | Description |
| --- | --- |
| a= | Signature algorithm (here RSA with SHA-256) |
| c= | Canonicalization for headers/body (relaxed tolerates whitespace changes in transit) |
| d= | Signing domain (used for DMARC alignment) |
| s= | Selector (forms the DNS name of the public key) |
| h= | Header fields covered by the signature |
| bh= | Hash of the canonicalized body |
| b= | Signature over the headers listed in h= (the DKIM-Signature header itself included, with b= empty) |

What Is a DKIM Selector?

A selector is a string used to uniquely identify a DKIM public key in DNS. It enables managing multiple key pairs for a single domain.

{selector}._domainkey.{domain}

For example, if SendGrid instructs you to use DKIM Selector: sgqcd, the DNS record name for looking up the public key becomes:

sgqcd._domainkey.example.com

Why Have Multiple Selectors?

| Use case | Example |
| --- | --- |
| Multiple email sending services | SendGrid: sgqcd, internal MTA: mail |
| Key rotation (old and new keys both valid during the transition) | Old key: v1, new key: v2 |
| Environment isolation (production / staging) | Production: prod, staging: stg |
About SendGrid's Selector Names

Selector names like sgqcd from SendGrid are unique identifiers auto-generated by SendGrid. These names are determined by SendGrid's Automated Security and cannot be changed arbitrarily. When using CNAME records, the actual DNS entry looks like:

  • sgqcd._domainkey.example.com → CNAME → sgqcd.domainkey.u1234567.wl.sendgrid.net (the target name has no underscore before domainkey)

(Use the actual CNAME value issued from the SendGrid dashboard.)

Example DNS TXT Record (Public Key)

For selector s1 and domain example.com:

s1._domainkey.example.com. TXT "v=DKIM1; k=rsa; p=MIGfMA0G..."
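As an added example (not from this page, SendGrid or any DKIM library), the Python below parses a DKIM-Signature header into the tags listed above, derives the {selector}._domainkey.{domain} name a verifier queries, and recomputes bh= over the canonicalized body using only the standard library. The sample body and header are constructed; the bh= in the header is computed from that body, and b= is left as "..." because producing it needs the signer's RSA private key and checking it needs the p= public key from DNS, neither of which this example does.

```python
import base64
import hashlib
import re


def parse_dkim_signature(header):
    """Split a (possibly folded) DKIM-Signature header into its tag=value pairs."""
    _, _, value = header.partition(":")                # drop the "DKIM-Signature" field name
    value = re.sub(r"\r?\n[ \t]+", " ", value)         # unfold continuation lines
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            k, _, v = item.partition("=")
            tags[k.strip()] = v.strip()
    for k in ("bh", "b"):                              # base64 values may be folded across lines
        if k in tags:
            tags[k] = re.sub(r"\s+", "", tags[k])
    return tags


def public_key_record_name(tags):
    """DNS name the verifier queries (TXT) for the signer's public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def canonicalize_body_simple(body):
    """RFC 6376 3.4.3: drop trailing empty lines, end with exactly one CRLF."""
    return body.rstrip("\r\n") + "\r\n"


def canonicalize_body_relaxed(body):
    """RFC 6376 3.4.4: strip trailing whitespace per line, collapse runs of
    whitespace to one space, drop trailing empty lines; an empty body stays empty."""
    lines = []
    for line in body.split("\r\n"):
        line = re.sub(r"[ \t]+$", "", line)
        line = re.sub(r"[ \t]+", " ", line)
        lines.append(line)
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""


def body_hash(body, canonicalization="relaxed", algorithm="sha256"):
    """Compute the bh= value: base64(hash(canonicalized body))."""
    canon = canonicalize_body_relaxed if canonicalization == "relaxed" else canonicalize_body_simple
    digest = hashlib.new(algorithm, canon(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_body_hash(header, body):
    """True if the body still matches bh=. This checks body integrity only;
    b= must additionally be verified with the public key fetched from DNS."""
    tags = parse_dkim_signature(header)
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) == 2 else "simple"
    algorithm = tags["a"].split("-", 1)[1]             # rsa-sha256 -> sha256
    return body_hash(body, body_canon, algorithm) == tags["bh"]


# Constructed sample body and header. bh= is computed from the body; b= stays "..."
# because computing it needs the private key this example does not have.
SAMPLE_BODY = "Hello   world \r\nThis is a test.\r\n\r\n\r\n"
SAMPLE_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
    "\ts=s1; h=from:to:subject:date;\r\n"
    "\tbh=" + body_hash(SAMPLE_BODY) + ";\r\n"
    "\tb=..."
)

if __name__ == "__main__":
    tags = parse_dkim_signature(SAMPLE_HEADER)
    print("public key at:", public_key_record_name(tags))
    print("bh matches   :", verify_body_hash(SAMPLE_HEADER, SAMPLE_BODY))
    print("after edit   :", verify_body_hash(SAMPLE_HEADER, SAMPLE_BODY.replace("Hello", "Hullo")))
```

Relaxed canonicalization is why a signature survives a relay that re-wraps whitespace: "Hello   world " and "Hello world" hash to the same bh=, while any change to the actual text breaks it.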

DMARC (Domain-based Message Authentication, Reporting & Conformance)

How It Works

DMARC combines the SPF and DKIM verification results into a policy and instructs receiving servers how to handle messages that fail it. It also provides reporting: receivers send aggregate reports of authentication results (and optionally per-message failure reports) to the addresses named in the record, so the domain owner can see who is sending mail in its name.

Alignment Concept

What makes DMARC powerful is not just SPF/DKIM pass/fail, but its requirement for alignment: the domain that passed authentication must match the domain in the From header, the one users actually see. By default alignment is relaxed, meaning the organizational domains must match (em1234.example.com aligns with example.com); strict alignment (aspf=s / adkim=s) requires an exact match. A message passes DMARC if at least one of the two checks below passes and is aligned.

| Technology | What is checked for alignment |
| --- | --- |
| SPF alignment | Envelope From (Return-Path) domain vs. From header domain, and SPF must pass for that Return-Path domain |
| DKIM alignment | d= tag of a valid DKIM-Signature vs. From header domain |

Example DMARC TXT Record

_dmarc.example.com. TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc-report@example.com; pct=100"

| Tag | Description |
| --- | --- |
| v=DMARC1 | DMARC version |
| p= | Policy for failing mail (none / quarantine / reject) |
| rua= | Address for aggregate reports (all results, sent daily by most receivers) |
| ruf= | Address for per-message failure (forensic) reports; many receivers do not send them |
| pct= | Percentage of failing messages the policy is applied to (useful for gradual rollout) |
| aspf= / adkim= | SPF / DKIM alignment mode: r (relaxed, default) or s (strict) |

DMARC Rollout Phases

| Phase | Policy | Purpose |
| --- | --- | --- |
| Monitoring | p=none | Understand the current state (delivery is unaffected, reports are collected) |
| Gradual enforcement | p=quarantine; pct=10 | Apply the policy to a sample of failing mail and raise the percentage over time |
| Full enforcement | p=reject | Fully block spoofed mail |
Gradual DMARC Rollout

Starting with p=reject immediately risks blocking your own legitimate emails if misconfigured. Start with p=none, analyze reports, and gradually strengthen enforcement.


Envelope From (Return-Path) vs. From Header

Emails have multiple "sender" addresses. Understanding this distinction is critical for DMARC configuration.

┌─────────────────────────────────────────────────────────────────────┐
│ SMTP Envelope                                                       │
│ Envelope From: bounce@sendgrid.net   ← Return-Path (bounce address) │
│                                                                     │
│ ┌───────────────────────────────────────────────────────────────┐   │
│ │ Email Headers                                                 │   │
│ │ From: sender@yourdomain.com   ← address shown to the user     │   │
│ │ To: recipient@example.com                                     │   │
│ │ Subject: ...                                                  │   │
│ └───────────────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────────┘

| Item | Role | DMARC alignment |
| --- | --- | --- |
| Envelope From (Return-Path) | Bounce return address, given in the SMTP MAIL FROM command | SPF verification and SPF alignment target |
| From header | Sender address shown in mail clients | Reference domain for DMARC alignment |
| DKIM d= tag | Domain that created the signature | DKIM alignment target |

In SendGrid's default configuration the Envelope From is a SendGrid domain like bounce.xxx.sendgrid.net. SPF then passes for sendgrid.net, but that domain is not aligned with your From header, so DMARC depends entirely on an aligned DKIM signature. Sender Authentication (domain authentication) moves both the Return-Path and the DKIM signing domain under your own domain.
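To make the alignment rules concrete, here is an added Python example (not code from this page or from SendGrid) that takes the SPF and DKIM results for one message together with a DMARC record and returns the DMARC result and the disposition, covering relaxed versus strict alignment and pct= sampling. The AuthResults inputs, the domains (em1234.example.com, sendgrid.net) and the organizational-domain shortcut are constructed assumptions; a production implementation derives the organizational domain from the Public Suffix List.

```python
import random
from dataclasses import dataclass


@dataclass
class AuthResults:
    """What the receiver knows after its SPF and DKIM checks (constructed inputs)."""
    from_domain: str    # domain of the RFC5322.From header (what the user sees)
    spf_result: str     # pass / fail / softfail / neutral / none / permerror
    spf_domain: str     # Envelope From (Return-Path) domain SPF was evaluated for
    dkim_result: str    # pass / fail / none
    dkim_domain: str    # d= tag of the DKIM-Signature


def parse_dmarc_record(record):
    """Parse the _dmarc TXT record and fill in the defaults that matter here."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            k, _, v = item.partition("=")
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: v=DMARC1 and p= are required")
    tags.setdefault("adkim", "r")    # alignment mode defaults to relaxed
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def organizational_domain(domain):
    """Simplified: the last two labels. A real implementation consults the
    Public Suffix List so that e.g. shop.example.co.uk -> example.co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Relaxed (r): organizational domains match. Strict (s): exact match."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else organizational_domain(a) == organizational_domain(f)


def evaluate_dmarc(record, r, sample=None):
    """Return (dmarc_result, disposition) for one message.

    `sample` is the 1..100 draw used for pct= sampling; it is random unless
    supplied, so tests can pin it. Messages outside the sampled percentage get
    the next weaker policy (reject -> quarantine -> none), per RFC 7489 6.6.4.
    """
    tags = parse_dmarc_record(record)
    spf_pass = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, tags["aspf"])
    dkim_pass = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, tags["adkim"])
    if spf_pass or dkim_pass:                       # one aligned pass is enough
        return "pass", "none"
    policy = tags["p"]
    if sample is None:
        sample = random.randint(1, 100)
    if sample > int(tags["pct"]):
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return "fail", policy


# Constructed scenarios for a message whose From header is sender@example.com.
RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-report@example.com; pct=100"
AUTHENTICATED = AuthResults("example.com", "pass", "em1234.example.com", "pass", "example.com")
DEFAULT_SENDGRID = AuthResults("example.com", "pass", "sendgrid.net", "pass", "sendgrid.net")
FORWARDED = AuthResults("example.com", "fail", "em1234.example.com", "pass", "example.com")

if __name__ == "__main__":
    print("domain-authenticated :", evaluate_dmarc(RECORD, AUTHENTICATED))
    print("default sendgrid.net :", evaluate_dmarc(RECORD, DEFAULT_SENDGRID))
    print("forwarded (SPF broke):", evaluate_dmarc(RECORD, FORWARDED))
    print("strict SPF alignment :", evaluate_dmarc("v=DMARC1; p=reject; aspf=s; adkim=s",
          AuthResults("example.com", "pass", "em1234.example.com", "none", "")))
```

The DEFAULT_SENDGRID scenario is the trap the previous paragraph describes: SPF and DKIM both pass, yet the message fails DMARC because neither passing domain is aligned with example.com. The FORWARDED scenario shows why DKIM is the safety net: SPF fails after forwarding, but the aligned DKIM signature still carries the message through.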


SendGrid Domain Authentication (Sender Authentication)

Overview

This configuration allows emails sent via SendGrid to pass SPF/DKIM authentication using your own domain (e.g., example.com). It works by adding CNAME records to your DNS.

With SendGrid's Automated Security there is no need to add SPF or DKIM TXT records yourself: the CNAMEs delegate those names to records SendGrid hosts, which also lets SendGrid rotate DKIM keys without further DNS changes on your side.

CNAME Record Structure

Automated Security generates the following 3 CNAME records:

| Purpose | DNS name (host) | Points to (value) |
| --- | --- | --- |
| Mail subdomain (Envelope From) | em1234.example.com | u1234567.wl.sendgrid.net |
| DKIM public key (1st selector) | s1._domainkey.example.com | s1.domainkey.u1234567.wl.sendgrid.net |
| DKIM public key (2nd selector) | s2._domainkey.example.com | s2.domainkey.u1234567.wl.sendgrid.net |

Info

The above values are samples. Use the actual CNAME records generated in the SendGrid dashboard.

Setup Steps

  1. Log in to the SendGrid dashboard

    • Navigate to Settings → Sender Authentication → Click "Authenticate Your Domain"
  2. Enter domain information

    • Select your DNS host (e.g., AWS Route 53, Cloudflare, etc.)
    • Enter the domain to authenticate (e.g., example.com)
    • Confirm that "Use automated security" is checked
  3. CNAME records are generated

    • Note down the 3 CNAME records displayed
  4. Register CNAMEs with your DNS provider

    • Add the 3 CNAME records to your DNS management console
    • DNS propagation may take up to 48 hours
  5. Run Verify in SendGrid dashboard

    • Navigate to Settings → Sender Authentication → Click "Verify" for the target domain
    • Authentication is complete when all 3 records show checkmarks

Troubleshooting Verify Failures

| Cause | Resolution |
| --- | --- |
| CNAMEs not yet propagated | Wait (a few hours, up to 48), then retry |
| Typo in a CNAME name or value | Recheck the records in your DNS console against the dashboard values |
| Conflict with existing DKIM records at the same name | A name that holds a CNAME cannot hold any other record type (RFC 1034); delete the old TXT records at s1._domainkey / s2._domainkey |
| Long TTL | Reduce the TTL so changes propagate faster |
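The Verify step can be reproduced locally before clicking the button. The added Python below (not SendGrid's code) checks each expected CNAME against a snapshot of the zone and reports the three causes from the table: a missing record, a wrong target, and a leftover TXT record sharing the CNAME's name. EXPECTED_CNAMES reuses the sample values from this page and ZONE is a constructed zone export; for live DNS, replace zone_lookup with a query against the authoritative server.

```python
# Records SendGrid told us to create (sample values from this page, not real ones).
EXPECTED_CNAMES = {
    "em1234.example.com": "u1234567.wl.sendgrid.net",
    "s1._domainkey.example.com": "s1.domainkey.u1234567.wl.sendgrid.net",
    "s2._domainkey.example.com": "s2.domainkey.u1234567.wl.sendgrid.net",
}

# Constructed snapshot of what the DNS provider's zone currently holds, standing
# in for a zone export or an authoritative query. It models three states:
# correct, a leftover DKIM TXT sharing the CNAME's name, and a target typo.
ZONE = {
    "em1234.example.com": {"CNAME": ["u1234567.wl.sendgrid.net."]},
    "s1._domainkey.example.com": {
        "CNAME": ["s1.domainkey.u1234567.wl.sendgrid.net."],
        "TXT": ['"v=DKIM1; k=rsa; p=MIGfMA0G..."'],          # old manually added record
    },
    "s2._domainkey.example.com": {"CNAME": ["s2.domainkey.u1234567.wl.sendgrid.com."]},
}


def normalize(name):
    """Compare names case-insensitively and ignore the trailing dot."""
    return name.strip().lower().rstrip(".")


def zone_lookup(name, rtype):
    """Resolver stub over the snapshot. For live DNS, replace the body with a
    query to the authoritative name server (e.g. dnspython's
    dns.resolver.resolve(name, rtype)); public resolvers would follow the CNAME
    and hide the conflict case."""
    return ZONE.get(normalize(name), {}).get(rtype, [])


def verify_cnames(expected, resolver=zone_lookup):
    """Return {host: problem} for every record that would make Verify fail."""
    problems = {}
    for host, target in expected.items():
        cnames = [normalize(c) for c in resolver(host, "CNAME")]
        others = [t for t in ("TXT", "A", "AAAA", "MX") if resolver(host, t)]
        if not cnames:
            problems[host] = "missing: no CNAME found (not added, or not yet propagated)"
        elif normalize(target) not in cnames:
            problems[host] = f"wrong target: {cnames[0]} (expected {normalize(target)})"
        elif others:
            # RFC 1034: a name that owns a CNAME may hold no other record types.
            problems[host] = f"conflict: {', '.join(others)} record(s) share the name; delete them"
    return problems


if __name__ == "__main__":
    report = verify_cnames(EXPECTED_CNAMES)
    for host in EXPECTED_CNAMES:
        print(f"{host:30} {report.get(host, 'OK')}")
```

Run it against the real zone after each DNS change; when it returns an empty dict for all three names, the dashboard Verify should succeed as soon as the old TTL has expired.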

Email Sending Flow After Configuration


Summary

| Configuration | DNS record type | Effect |
| --- | --- | --- |
| SPF | TXT record (delegated via CNAME with Automated Security) | Proves the sending server's IP is authorized |
| DKIM | TXT record (delegated via CNAME with Automated Security) | Proves integrity via the message signature |
| DMARC | TXT record at _dmarc.<domain> | Applies policy based on aligned SPF/DKIM results |
| SendGrid Sender Authentication | 3 CNAME records | Brings the Envelope From and the DKIM signing domain under your own domain |
Practical Advice
  1. Start by publishing DMARC with p=none and analyze the reports to understand which sources currently pass or fail
  2. Use SendGrid's Automated Security; it removes most of the SPF/DKIM record management
  3. Regularly review the aggregate reports arriving at the rua= address to catch unauthorized senders and legitimate sources you forgot to authenticate
  4. Once the reports show only legitimate senders passing, move to p=reject to fully block spoofed mail