DKIM for SendGrid: Domain Authentication Setup Guide
How to set up DKIM for SendGrid. Step-by-step guide covering domain authentication, DNS record configuration, and verification for reliable email delivery.
Last updated: 2026-03-12
This guide is part of our Transactional and API series.
If your emails sent through SendGrid are landing in spam or getting rejected, missing DKIM authentication is likely the cause. SendGrid makes DKIM setup straightforward through its Domain Authentication feature, but you still need to add the right DNS records for everything to work. This guide walks you through the entire process, from the SendGrid dashboard to DNS verification.
SendGrid handles DKIM through "Domain Authentication" (formerly called "Domain Whitelabel"). When you authenticate a domain, SendGrid generates DKIM keys and provides CNAME records for your DNS. You don't need to generate keys yourself for standard SendGrid DKIM.
How SendGrid DKIM Works
SendGrid's Domain Authentication takes a different approach from services that ask you to paste TXT records. Instead of giving you raw DKIM keys, SendGrid uses CNAME records that point to SendGrid-hosted keys. This means:
- SendGrid generates and manages the DKIM key pair on their servers
- Your DNS contains CNAME records that redirect lookups to SendGrid's infrastructure
- SendGrid uses two selectors (`s1` and `s2`) for redundancy and key rotation
- When a receiving server checks your DKIM signature, the CNAME redirects it to SendGrid's public key
This approach gives SendGrid control over key rotation without requiring you to update DNS records every time a key changes.
Setting Up SendGrid Domain Authentication
Open Sender Authentication settings
Log in to your SendGrid dashboard. Navigate to Settings > Sender Authentication. Click Authenticate Your Domain to start the process.
Select your DNS host
SendGrid asks which DNS provider you use. Select yours from the dropdown (e.g., GoDaddy, Cloudflare, Amazon Route 53). If yours isn't listed, select "Other Host." This helps SendGrid format the DNS instructions for your specific provider.
Enter your domain
Type the domain you send email from (e.g., example.com). If you also want to brand your tracking links, you can enable that option here, but it's not required for DKIM.
Copy the DNS records
SendGrid displays the CNAME records you need to add. You'll see three records total: two for DKIM (using selectors s1 and s2) and one for SPF (the em record). Copy all three - you need all of them for full domain authentication.
Add CNAME records to your DNS
Log in to your DNS provider and create the CNAME records exactly as SendGrid shows them. Make sure to copy the full hostnames and values without any extra spaces or characters.
Verify in SendGrid
Return to SendGrid and click Verify. SendGrid checks your DNS for the records. If verification fails, wait 15-30 minutes for DNS propagation and try again. Full propagation can take up to 48 hours in some cases.
SendGrid DNS Records
When you authenticate a domain, SendGrid provides three CNAME records. The DKIM records follow a consistent pattern:
| Field | DKIM Record 1 | DKIM Record 2 |
|---|---|---|
| Type | CNAME | CNAME |
| Host | `s1._domainkey` | `s2._domainkey` |
| Value | `s1.domainkey.u######.wl###.sendgrid.net` | `s2.domainkey.u######.wl###.sendgrid.net` |
The exact values contain unique identifiers tied to your SendGrid account. Always copy them directly from the SendGrid dashboard rather than using examples from documentation. Even a single wrong character will cause verification to fail.
SendGrid also provides a third CNAME record for SPF (the em subdomain). While this guide focuses on DKIM, you should add all three records to complete domain authentication. Full SendGrid domain authentication covers both DKIM and SPF in one process.
Understanding SendGrid Selectors
SendGrid uses two fixed selectors for every authenticated domain: s1 and s2. Unlike some email services that let you choose your own selector name, SendGrid assigns these automatically.
Why two selectors? SendGrid uses dual selectors for redundancy and key rotation. If one key needs to be rotated or is temporarily unavailable, the second selector ensures emails can still be authenticated. SendGrid manages the rotation schedule - you don't need to do anything once the CNAME records are in place.
This means your domain will have two _domainkey CNAME records:
- `s1._domainkey.yourdomain.com`
- `s2._domainkey.yourdomain.com`
Both records are required. Don't skip one thinking it's optional.
Custom DKIM Keys with SendGrid
For most users, SendGrid's automated domain authentication is sufficient. However, if you need to use your own DKIM keys - for example, to match a specific security policy or to maintain control over key material - you can configure custom DKIM.
Custom DKIM involves:
- Generating your own DKIM key pair using a tool like DKIM Creator
- Adding the public key as a TXT record in your DNS (instead of SendGrid's CNAME records)
- Configuring SendGrid to sign with your private key via API or support request
When to use custom DKIM
Custom DKIM is mainly useful for organizations with strict compliance requirements or those using multiple email services that need a unified DKIM strategy. If you're just sending through SendGrid, the standard domain authentication is simpler and handles key management for you.
To generate a custom key pair, use DKIM Creator to create 2048-bit DKIM keys. You can then add the public key to your DNS as a TXT record and work with SendGrid's support team to configure signing with your private key.
Troubleshooting SendGrid DKIM
Verification fails in SendGrid
- Double-check that all three CNAME records are added (two DKIM + one SPF)
- Confirm the hostnames don't include your root domain twice (some DNS providers auto-append the domain)
- Wait at least 30 minutes before retrying - DNS propagation isn't instant
DKIM failing after successful verification
- Check that no DNS changes have removed or overwritten the CNAME records
- Verify the records still resolve by testing at dkimtest.com
- Look for conflicting TXT records at the same `_domainkey` subdomains
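The record checks from the two lists above can be run against an export of your zone. This is an added example, not code from SendGrid or from this guide's tooling; the `name TYPE value` export format, the function names and the sample records (including the `u0000000`/`wl000` placeholders) are assumptions constructed for illustration.

```python
SELECTORS = ("s1", "s2")  # the two fixed selectors this guide describes

# Constructed sample export; the u0000000/wl000 identifiers are placeholders.
SAMPLE_ZONE = """
s1._domainkey.example.com CNAME s1.domainkey.u0000000.wl000.sendgrid.net.
s1._domainkey.example.com TXT "v=DKIM1; k=rsa; p=CONSTRUCTED"
s2._domainkey.example.com.example.com CNAME s2.domainkey.u0000000.wl000.sendgrid.net.
"""


def parse_records(zone_text):
    """Parse 'name TYPE value' lines into (name, type, value) tuples."""
    records = []
    for line in zone_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, rtype, value = line.split(None, 2)
        records.append((name.rstrip(".").lower(), rtype.upper(), value.strip().rstrip(".")))
    return records


def lint_dkim(domain, records):
    """Return findings for the s1/s2 _domainkey records of `domain`."""
    domain = domain.rstrip(".").lower()
    findings = []
    for sel in SELECTORS:
        want = f"{sel}._domainkey.{domain}"
        at_name = [(t, v.lower()) for n, t, v in records if n == want]
        targets = [v for t, v in at_name if t == "CNAME"]
        if not targets:
            # Some DNS providers auto-append the zone name to the host field.
            doubled = f"{want}.{domain}"
            if any(n == doubled for n, _, _ in records):
                findings.append(f"{sel}: record created at {doubled} (domain appended twice)")
            else:
                findings.append(f"{sel}: CNAME missing at {want}")
            continue
        target = targets[0]
        if not (target.startswith(f"{sel}.domainkey.") and target.endswith(".sendgrid.net")):
            findings.append(f"{sel}: unexpected CNAME target {target}")
        if any(t == "TXT" for t, _ in at_name):
            findings.append(f"{sel}: TXT record conflicts with the CNAME at {want}")
    return findings


if __name__ == "__main__":
    for finding in lint_dkim("example.com", parse_records(SAMPLE_ZONE)):
        print(finding)
```

An empty result means both selectors have a CNAME at the expected name with a target matching the pattern in the table above; it does not confirm that the account-specific identifiers are the ones from your dashboard.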
Emails still going to spam
- DKIM alone doesn't guarantee inbox delivery - you also need a valid SPF record and a DMARC policy
- Check your SendGrid sender reputation in the dashboard
- Make sure your From address domain matches the authenticated domain
Using SendGrid with other email services
- SendGrid's `s1` and `s2` selectors won't conflict with selectors from other services (e.g., Google Workspace's `google` selector)
- Each service uses its own selector, so you can have multiple DKIM configurations on the same domain
- Add all required DNS records from each service
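To see which selector and signing domain a delivered message actually used, and whether the signing domain matches the From address, read its DKIM-Signature headers. The following is an added example, not SendGrid's code: the sample message, the `esp.example` domain and the `k1` selector are constructed, and only an exact domain match is treated as a match (DMARC relaxed alignment also accepts subdomains of the same organizational domain).

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: one signature for the From domain, one for another domain.
SAMPLE_MESSAGE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=s1;
 h=from:to:subject; bh=CONSTRUCTED=; b=CONSTRUCTED=
DKIM-Signature: v=1; a=rsa-sha256; d=esp.example; s=k1;
 h=from:to:subject; bh=CONSTRUCTED=; b=CONSTRUCTED=
From: Billing <billing@example.com>
To: user@example.net
Subject: Receipt

Body
"""


def parse_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag list)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())  # remove folding whitespace
    return tags


def dkim_signatures(raw_message):
    """Return one dict per DKIM-Signature header found on the message."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(value)
        domain, selector = tags.get("d", "").lower(), tags.get("s", "")
        results.append({
            "selector": selector,
            "domain": domain,
            # DNS name a receiver queries for the public key (a CNAME with SendGrid)
            "lookup": f"{selector}._domainkey.{domain}",
            "matches_from": bool(domain) and domain == from_domain,
        })
    return results


if __name__ == "__main__":
    for sig in dkim_signatures(SAMPLE_MESSAGE):
        print(sig)
```

This only reads the header tags; it does not verify the signature cryptographically.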