In SendGrid, go to Settings > Sender Authentication > Domain Authentication. Enter your domain and SendGrid generates three CNAME records — two for DKIM and one for SPF branding. Add all three to your DNS. Once verified, SendGrid signs all email with your domain's DKIM key using automated security, which also handles key rotation.
DKIM for SendGrid: Setup Guide
Domain Authentication Setup
- Log into SendGrid and go to Settings > Sender Authentication
- Click Authenticate Your Domain
- Select your DNS provider from the list (or choose "Other")
- Enter your domain name
- SendGrid generates three CNAME records
Add the DNS Records
SendGrid provides records in this format:
| Record Type | Host | Value |
|---|---|---|
| CNAME | s1._domainkey.yourdomain.com | s1.domainkey.u12345.wl.sendgrid.net |
| CNAME | s2._domainkey.yourdomain.com | s2.domainkey.u12345.wl.sendgrid.net |
| CNAME | em1234.yourdomain.com | u12345.wl.sendgrid.net |
The exact values are unique to your account. Copy them from SendGrid's dashboard.
Practitioner note: SendGrid's domain authentication bundles DKIM and SPF branding in one setup. That third CNAME handles return-path alignment for SPF. Don't skip it — you need all three for full authentication.
Automated vs Manual Security
SendGrid offers two modes:
Automated security (recommended): Uses CNAME records so SendGrid can rotate DKIM keys without you touching DNS again. This is the default.
Manual security: Gives you TXT records. You manage key rotation yourself. Only use this if your DNS provider doesn't support CNAME records for these hostnames, or you need direct control.
Stick with automated security unless you have a specific reason not to.
Verify in SendGrid
After adding the DNS records, go back to Sender Authentication and click Verify. SendGrid checks all three records.
If verification fails:
- Wait for DNS propagation (can take up to 48 hours)
- Check for double-domain in hostnames (e.g., s1._domainkey.yourdomain.com.yourdomain.com)
- Confirm CNAME records, not TXT records, are in DNS
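The failure causes listed above can be told apart mechanically. The following is an added example, not SendGrid's tooling or part of the original guide: it reuses the placeholder hostnames from the table above, and OBSERVED is a constructed snapshot of resolver answers that you would fill from your own DNS lookups.

```python
# Added example. EXPECTED copies the placeholder records from the table above;
# OBSERVED is a constructed resolver snapshot: name -> [(record type, value)].
EXPECTED = {
    "s1._domainkey.yourdomain.com": "s1.domainkey.u12345.wl.sendgrid.net",
    "s2._domainkey.yourdomain.com": "s2.domainkey.u12345.wl.sendgrid.net",
    "em1234.yourdomain.com": "u12345.wl.sendgrid.net",
}
OBSERVED = {
    "s1._domainkey.yourdomain.com.": [("CNAME", "s1.domainkey.u12345.wl.sendgrid.net.")],
    "s2._domainkey.yourdomain.com.yourdomain.com.": [("CNAME", "s2.domainkey.u12345.wl.sendgrid.net.")],
    "em1234.yourdomain.com.": [("TXT", "u12345.wl.sendgrid.net")],
}


def norm(name):
    """Lower-case and drop the trailing root dot so names compare equal."""
    return name.strip().rstrip(".").lower()


def diagnose(expected, observed, zone):
    """Return {host: status} for each record SendGrid asks for."""
    observed = {norm(k): v for k, v in observed.items()}
    zone = norm(zone)
    report = {}
    for host, target in expected.items():
        host, target = norm(host), norm(target)
        records = observed.get(host, [])
        cnames = [norm(v) for rtype, v in records if rtype.upper() == "CNAME"]
        if target in cnames:
            report[host] = "ok"
        elif cnames:
            report[host] = "wrong-target"   # CNAME exists but points elsewhere
        elif records:
            report[host] = "wrong-type"     # e.g. TXT published instead of CNAME
        elif f"{host}.{zone}" in observed:
            report[host] = "double-domain"  # DNS provider appended the zone again
        else:
            report[host] = "missing"        # not published, or not propagated yet
    return report


if __name__ == "__main__":
    for host, status in diagnose(EXPECTED, OBSERVED, "yourdomain.com").items():
        print(f"{host}: {status}")
```

A "double-domain" result usually means the DNS provider wants only the host part (for example s1._domainkey) in the name field.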
Verify DKIM in Email Headers
Send a test email through SendGrid and check headers:
Authentication-Results: mx.google.com;
dkim=pass [email protected] header.s=s1
Practitioner note: SendGrid's default subdomain approach (em1234.yourdomain.com) trips people up with DMARC. If you're using relaxed alignment, the subdomain is fine. If you need strict alignment, configure SendGrid to use your root domain.
Multiple Domains and Subdomains
Each domain or subdomain sending through SendGrid needs its own domain authentication. If you're sending transactional email from app.yourdomain.com and marketing from mail.yourdomain.com, authenticate both.
For agencies managing multiple client domains through SendGrid, I can help architect authentication that scales cleanly.
v1.0 · April 2026
Frequently Asked Questions
How do I set up DKIM in SendGrid?
Go to Settings > Sender Authentication > Domain Authentication. Enter your domain, add the CNAME records SendGrid provides to your DNS, then verify.
What is SendGrid automated security?
Automated security is SendGrid's default mode that handles DKIM key rotation automatically via CNAME records. It's recommended over manual security for most users.
How many DNS records does SendGrid need?
SendGrid requires three CNAME records for full domain authentication: two for DKIM (s1._domainkey and s2._domainkey) and one for SPF branding (em prefix or custom).
Can I use SendGrid with a subdomain?
Yes. SendGrid actually defaults to using a subdomain (like em1234.yourdomain.com) for authentication. You can customize the subdomain during setup.
Does SendGrid rotate DKIM keys?
Yes, when using automated security (the default). SendGrid rotates keys between s1 and s2 selectors automatically. Manual security requires you to handle rotation yourself.