How do I whitelist another sender (e.g. Sendgrid) for DMARC?

Solution 1:

The DKIM signs with d=sendgrid.net and the envelope sender, i.e. Return-Path, is [email protected]. As both DKIM and SPF validations are using sendgrid.com, it's not aligned with your domain: that's the requirement for DMARC alignment.

Luckily, Sendgrid supports custom domain authentication for both custom DKIM selector and custom return path.

Although, if it wouldn't be a great drain on our reputation, I'd be happy to leave it at 'none'. 

DMARC is not about gaining a better reputation. It's about preventing someone else from using your domain in the From header, which could lead to bad reputation or worse.

Solution 2:

So this is definitely specifically for Sendgrid. Processes will vary depending on the particular 3rd party e-mail sender you're trying to use. And even Sendgrid is likely to change its UI.

  1. Be on app.sendgrid.com
  2. Go to Settings > Sender Authentication
  3. Click the "Authenticate Your Domain" button.
  4. Plug in your DNS host. In my case it's definitely not on the list, so I pick "Other Host" and just type it in. I'm also not getting into branding links - I don't care if the links in my automated account admin e-mails have "sendgrid" in the URLs.
  5. Put in the domain you send from, then check "Automated Security" and "Use a custom DKIM selector". [I must admit that I didn't try this process not using a custom selector. We send most of our e-mail out of our own server, and I was worried about messing up my existing setup.] For the DKIM selector, just make something up that you're not using, like maybe "sg" for Sendgrid.
  6. You'll be given a bunch of CNAME records to add to your DNS, like this:

[Screenshot: Sendgrid: Install DNS Records]

  7. Once those are added (you can use "Send To A Coworker" if you need to give a third party access to the proposed records), you click Verify. You can also check verification status back at the Sender Authentication page. In my case it only partially worked in the beginning - to successfully verify all three records took more than a day. I suspect you'll also have to actually manually try to verify. At least for me, it was a manual try a day or so later that finally worked.

  8. Verify that SPF, DKIM, and DMARC work for both e-mails sent by your server and by Sendgrid! Pop the champagne, if applicable. Move on to the next crisis, if not.