How to Set Up DKIM for SendGrid
Step-by-step guide to configure DKIM authentication for SendGrid. Learn how to authenticate your domain, add DNS records, and verify your transactional email setup.
Last updated: 2026-01-28
SendGrid is one of the most popular transactional email services. Properly configuring DKIM ensures your order confirmations, password resets, and notifications reach your users' inboxes reliably.
Why Authenticate Your Domain with SendGrid
Without domain authentication:
- Emails may be flagged as suspicious
- Deliverability suffers, especially at scale
- Your "From" domain doesn't match the signing domain
- You won't meet Google and Yahoo's sender requirements
With DKIM and domain authentication:
- Emails are signed with your domain
- Better inbox placement
- Improved sender reputation
- Full compliance with authentication requirements
Before You Start
You'll need:
- A SendGrid account
- Access to your domain's DNS settings
- The domain you want to send from
SendGrid calls this process "Sender Authentication" or "Domain Authentication." It sets up both DKIM and a custom return path (for SPF alignment) in one process.
Step-by-Step Setup
Access Sender Authentication
Log into SendGrid. Go to Settings → Sender Authentication.
Start domain authentication
Click Authenticate Your Domain or Get Started in the Domain Authentication section.
Select your DNS host
SendGrid will ask which DNS provider you use (GoDaddy, Cloudflare, etc.). This helps format the instructions, but you can select "Other" if yours isn't listed.
Enter your domain
Enter the domain you'll send from (e.g., example.com).
Advanced settings:
- Use automated security: Keep enabled (recommended)
- Custom DKIM selector: Optional—lets you specify a custom selector instead of SendGrid's default (s1, s2)
Copy the DNS records
SendGrid generates several CNAME records. You'll typically see:
DKIM Records:
s1._domainkey.yourdomain.com → s1.domainkey.u12345678.wl123.sendgrid.net
s2._domainkey.yourdomain.com → s2.domainkey.u12345678.wl123.sendgrid.net
Return Path (for SPF):
em1234.yourdomain.com → u12345678.wl123.sendgrid.net
The exact values include your SendGrid account identifiers.
Add records to your DNS
Log into your DNS provider and add the CNAME records exactly as shown.
- Type: CNAME
- Host/Name: The subdomain part (e.g., s1._domainkey)
- Value: The full target SendGrid provided
Verify in SendGrid
Return to SendGrid and click Verify. If the records are found, your domain will show as authenticated.
Verify Your Setup
After authentication completes, verify the DKIM records are publicly accessible.
Test both:
s1._domainkey.yourdomain.com
s2._domainkey.yourdomain.com
SendGrid DKIM Selectors
SendGrid uses s1 and s2 as default selectors. If you configured a custom selector during setup, use that instead.
The two selectors allow SendGrid to rotate keys without disrupting your email flow—when s1's key is rotated, s2 continues working, and vice versa.
Common Issues and Solutions
"Pending" status after adding records
Cause: DNS hasn't propagated or records are misconfigured.
Solutions:
- Wait 15-30 minutes and click Verify again
- Double-check the CNAME values match exactly (including the account-specific parts)
- Verify the host doesn't accidentally include your domain twice
"CNAME not found" errors
Cause: The record wasn't created correctly.
Solutions:
- Ensure you created a CNAME record, not a TXT record
- Check that the host field is just the subdomain (e.g., s1._domainkey), not the full domain
- Some DNS providers need a trailing dot on the target—try adding it if verification fails
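The checks listed under "Pending" and "CNAME not found" can be run mechanically against the records you actually published. The following is an added example, not SendGrid's code: `lint_records`, `EXPECTED` and `SAMPLE_ZONE` are hypothetical names, the expected values are the sample ones from this guide, and the zone entries are constructed (in practice they would come from a zone export or DNS lookups).

```python
# Records as shown in the SendGrid wizard (sample values from this guide).
DOMAIN = "yourdomain.com"
EXPECTED = {
    "s1._domainkey": "s1.domainkey.u12345678.wl123.sendgrid.net",
    "s2._domainkey": "s2.domainkey.u12345678.wl123.sendgrid.net",
    "em1234": "u12345678.wl123.sendgrid.net",
}

# Constructed zone contents: (name, type, value) as published at the DNS host.
SAMPLE_ZONE = [
    ("s1._domainkey.yourdomain.com.", "CNAME",
     "s1.domainkey.u12345678.wl123.sendgrid.net."),      # correct, trailing dots
    ("s2._domainkey.yourdomain.com.yourdomain.com", "CNAME",
     "s2.domainkey.u12345678.wl123.sendgrid.net"),       # domain appended twice
    ("em1234.yourdomain.com", "TXT",
     "u12345678.wl123.sendgrid.net"),                    # wrong record type
]

def _norm(name):
    """Compare names case-insensitively and ignore a trailing root dot."""
    return name.rstrip(".").lower()

def lint_records(zone, domain=DOMAIN, expected=EXPECTED):
    """Return a list of human-readable problems, empty if all records match."""
    published = {(_norm(n), t.upper()): _norm(v) for n, t, v in zone}
    problems = []
    for host, target in expected.items():
        fqdn = f"{host}.{domain}"
        doubled = f"{fqdn}.{domain}"
        if (fqdn, "CNAME") in published:
            if published[(fqdn, "CNAME")] != target:
                problems.append(f"{fqdn}: CNAME target differs from wizard value")
        elif (doubled, "CNAME") in published:
            problems.append(f"{fqdn}: created as {doubled} (domain included twice)")
        elif (fqdn, "TXT") in published:
            problems.append(f"{fqdn}: TXT record found where a CNAME is required")
        else:
            problems.append(f"{fqdn}: no record found")
    return problems

if __name__ == "__main__":
    for line in lint_records(SAMPLE_ZONE):
        print(line)
```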
Emails still fail DKIM
Cause: Your application might be modifying emails after SendGrid signs them.
Solutions:
- Check for middleware or proxies that modify email content
- Ensure your email-sending code isn't adding headers after the SendGrid API call
- Review SendGrid's Activity Feed for authentication results
Check your implementation
Send a test email and check the headers. Look for dkim=pass in the Authentication-Results header. If you see dkim=fail, the signature is being broken somewhere.
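To make the header check repeatable, the DKIM verdict, selector and signing domain can be pulled out of Authentication-Results and compared with the From domain. This is an added example, not part of SendGrid's tooling: `dkim_results` is a hypothetical helper, the sample message is constructed, and the alignment test is a simplification (exact match or one domain being a subdomain of the other, rather than a full organizational-domain lookup).

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample headers (not taken from a real delivery).
SAMPLE = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.d=example.com header.s=s1 header.b=AbCdEf12;
 spf=pass smtp.mailfrom=em1234.example.com
From: Shop <orders@example.com>
Subject: Your order

body
"""

def _related(a, b):
    """Simplified alignment: same domain, or one is a subdomain of the other."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def dkim_results(raw):
    """Return one dict per dkim= clause found in Authentication-Results."""
    msg = message_from_string(raw, policy=policy.default)  # unfolds headers
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    found = []
    for header in msg.get_all("Authentication-Results", []):
        # The first ';'-separated field is the receiver's id; the rest are results.
        for clause in str(header).split(";")[1:]:
            verdict = re.match(r"\s*dkim=(\w+)", clause)
            if not verdict:
                continue
            props = dict(re.findall(r"header\.(\w+)=(\S+)", clause))
            # Receivers report the signer as header.d or as header.i=@domain.
            signer = (props.get("d") or props.get("i", "").rpartition("@")[2]).lower()
            found.append({
                "result": verdict.group(1).lower(),
                "selector": props.get("s"),
                "signing_domain": signer,
                "aligned": _related(from_domain, signer),
            })
    return found

if __name__ == "__main__":
    for r in dkim_results(SAMPLE):
        print(r)
```

A result of `pass` with `aligned` false means the message was signed, but not with your domain, which is the situation domain authentication is meant to remove.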
Custom DKIM Selectors
If you need a custom selector (for example, to distinguish SendGrid emails from other services), you can configure this during domain authentication:
- In the domain authentication wizard, expand Advanced Settings
- Check Use a custom DKIM selector
- Enter your preferred selector name
This is useful if you're already using s1 for another service.
Link Branding
SendGrid also offers "Link Branding" to customize tracked links in your emails. While not directly related to DKIM, it's part of complete domain authentication:
- Links appear as links.yourdomain.com instead of sendgrid.net
- Improves trust and click-through rates
- Requires additional DNS records
Complete Your Email Authentication
SendGrid's domain authentication process handles DKIM and provides a custom return path for SPF alignment. To complete your setup:
Verify SPF: SendGrid's return path CNAME creates SPF alignment, but verify at spfrecordcheck.com.
Add DMARC: Set up a DMARC policy for your domain. Check at dmarcrecordchecker.com.
Monitor Your DKIM Records
Checking once is good. Monitoring continuously is better. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.