DKIM setup · SendGrid

    How to set up DKIM for SendGrid

    SendGrid (Twilio) is one of the most-used transactional ESPs. Their domain authentication wizard generates per-account CNAMEs you publish on a sending subdomain — never on your apex.

    DKIM (DomainKeys Identified Mail, RFC 6376) is the cryptographic signature attached to outgoing email so receivers can verify the message wasn't tampered with and that it actually came from a server authorized by your domain. To turn it on for SendGrid, you publish one or more DNS records at `<selector>._domainkey.<your-domain>` containing the public key matching the private key SendGrid uses to sign.

    Most ESPs (including SendGrid) ask you to publish CNAME records that point at hosted keys they manage. This is preferable to publishing the raw key text yourself — when the provider rotates keys, your DNS keeps pointing to the rotated key and nothing breaks.

    Publish these DNS records

    Add the following record(s) to your domain's DNS zone. Most registrars (Cloudflare, Route 53, Namecheap, GoDaddy) accept values exactly as shown.

    | Type  | Host          | Value                               |
    |-------|---------------|-------------------------------------|
    | CNAME | s1._domainkey | s1.domainkey.u<NUM>.wl.sendgrid.net |
    | CNAME | s2._domainkey | s2.domainkey.u<NUM>.wl.sendgrid.net |

    • Two selectors — `s1` and `s2`. Both are CNAMEs to SendGrid-hosted keys; SendGrid rotates between them, so omitting one will cause intermittent DKIM failures.
    • `<NUM>` is the same SendGrid-issued account number used in the SPF CNAME.

    Where in SendGrid

    The DKIM configuration lives in SendGrid → Settings → Sender Authentication → Authenticate Your Domain.

    Verify the records

    After the records propagate, run the DKIM Checker against your domain with each selector to confirm the public key resolves and parses correctly.

    From a terminal
    dig +short TXT <selector>._domainkey.your-domain.com
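
    To check both selectors in one pass, paste the output of the `dig` command above for `s1` and `s2` into a script like the following. It is an added example, not SendGrid's or this page's own code; the function names, the account number `u0000000`, and the key bytes are constructed placeholders.

```python
import base64
import binascii
import re

def parse_dig_short(output):
    """Split `dig +short TXT` output into (CNAME targets, joined TXT records)."""
    cnames, txts = [], []
    for line in map(str.strip, output.splitlines()):
        if line.startswith('"'):
            txts.append("".join(re.findall(r'"((?:[^"\\]|\\.)*)"', line)))
        elif line:
            cnames.append(line.rstrip(".").lower())
    return cnames, txts

def check_selector(output, suffix="sendgrid.net"):
    """Return a list of problems for one selector; empty means it passed."""
    cnames, txts = parse_dig_short(output)
    problems = []
    if not any(c.endswith("." + suffix) for c in cnames):
        problems.append("no CNAME to " + suffix)
    if len(txts) != 1:
        return problems + [f"expected 1 TXT record, got {len(txts)}"]
    tags = {}
    for part in txts[0].split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= is not DKIM1")
    if "p" not in tags:
        problems.append("missing p= tag")
    elif not tags["p"]:
        problems.append("empty p= (key revoked)")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64")
    return problems

# Constructed sample data: placeholder account number, placeholder key bytes.
CNAME = "s1.domainkey.u0000000.wl.sendgrid.net.\n"
KEY = base64.b64encode(bytes(range(200))).decode()
SAMPLES = {"s1 ok": CNAME + f'"v=DKIM1; k=rsa; p={KEY[:120]}" "{KEY[120:]}"',
           "s2 missing": "", "revoked": CNAME + '"v=DKIM1; k=rsa; p="'}

if __name__ == "__main__":
    for name, out in SAMPLES.items():
        print(name, "->", check_selector(out) or "OK")
```

    An empty answer for either selector is the "omitted selector" case described above, and a TXT record with no CNAME in front of it means the key was pasted as raw text rather than delegated to SendGrid.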

    Common pitfalls

    • SendGrid's wizard sometimes fails to detect successful CNAME publication for several hours due to caching. If verification fails immediately, check `dig CNAME` from a different resolver before changing anything.
    • For shared IP plans, you have no control over IP-level reputation — DKIM signing on your domain is what protects deliverability.
    • SendGrid's free tier includes a `<random>.sendgrid.net` From: domain by default; only authenticated senders should ever use a real brand From: address.
