How do I whitelist another sender (e.g. Sendgrid) for DMARC?

authentication domain-name-system email sendgrid dmarc

Solution 1:

The DKIM signs with d=sendgrid.net and the envelope sender i.e. Return-Path is [email protected]. As both DKIM and SPF validations are using sendgrid.com, it's not aligned with your domain: that's the requirement for DMARC alignment.

Luckily, Sendgrid supports custom domain authentication for both custom DKIM selector and custom return path.

Although, if it wouldn't be a great drain on our reputation, I'd be happy to leave it at 'none'. 

DMARC is not about gaining a better reputation. It's about preventing someone else from using your domain in the From header, which could lead to bad reputation or worse.

Solution 2:

So this is definitely specifically for Sendgrid. Processes will vary depending on the particular 3rd party e-mail sender you're trying to use. And even Sendgrid is likely to change its UI.

  1. Be on app.sendgrid.com
  2. Go to Settings > Sender Authentication
  3. Click the "Authenticate Your Domain" button.
  4. Plug in your DNS host. In my case it's definitely not on the list, so I pick "Other Host" and just type it in. I'm also not getting into branding links - I don't care if the links in my automated account admin e-mails have "sendgrid" in the URLS.
  5. Put in the domain you send from, then check "Automated Security" and "Use a custom DKIM selector". [I must admit that I didn't try this process not using a custom selector. We send most of our e-mail out of our own server, and I was worried about messing up my existing setup.] For the DIKM selector, just make something up that you're not using, like maybe "sg" for Sendgrid.
  6. You'll be given a bunch of CNAME records to add to your DNS, like this:

Sendgrid: Install DNS Records

  1. Once those are added (you can use "Send To A Coworker" if you need to give a third party access to the proposed records), you click Verify. You can also check verification status back at the Sender Authentication page. In my case it only partially worked in the beginning - to successfully verify all three records took more than a day. I suspect you'll also have to actually manually try to verify. At least for me, it was a manual try a day or so later that finally worked.

  2. Verify that SPF, DKIM, and DMARC work for both e-mails sent by your server and by Sendgrid! Pop the champagne, if applicable. Move on to the next crisis, if not.

Related

SSMTP with Gmail (Google Apps) [closed]
Update KB4088849 is not applicable to the equipment, Windows Server 2016
Samba and Snow Leopard -- slow connects
Port based bandwidth shaping
Slow first login to a AD-joined Samba box
Routing based on the source ip
Automatically Blacklist Failed Auth Attempts Via htaccess?
ESXi Behind Virtual Machine
Help on configuring a switch to make 802.3ad link aggregation work
How do I add a URL prefix (/wiki) to MoinMoin running on uWSGI and nginx?
Computer disappeared from Workgroup
Moving a Debian Setup