Why does Sendgrid require two domain keys?

Michael Ko
Co-founder & CEO, Suped
Published 3 May 2025
Updated 15 Aug 2025
8 min read
When setting up email sending with a provider like SendGrid, it's common to encounter a requirement for two DomainKeys Identified Mail (DKIM) records, typically named s1._domainkey and s2._domainkey. This can seem counterintuitive at first, as one might assume a single key would suffice for authentication. I've heard this question come up quite often, and it leads to a deeper understanding of email security practices.
The reasoning behind SendGrid's approach, and indeed that of many sophisticated email service providers (ESPs), is rooted in best practices for cryptographic key management and enhancing deliverability. It's not about high availability in the traditional sense, but rather about strengthening security and enabling seamless operations behind the scenes.
This practice is a testament to SendGrid's commitment to robust email authentication and protecting sender reputation. By requiring two keys, they facilitate a crucial security measure known as key rotation, which is vital in mitigating potential risks associated with compromised cryptographic keys. This setup also provides a layer of redundancy and flexibility.
Let's explore the core reasons why this dual-key requirement is not just a preference, but a strategic necessity for modern email delivery.

Understanding DKIM and selectors

DKIM is an email authentication standard that uses cryptographic signatures to verify that an email was sent by the owner of the domain it claims to be from and that the content hasn't been tampered with in transit. It relies on a pair of keys: a private key, used by the sending server to sign the email, and a public key, published in the sender's Domain Name System (DNS) records, which receiving servers use to verify the signature. You can learn more about this standard by reading this Wikipedia article on DKIM.
A DKIM selector is a specific name used to locate the public key in your DNS records. When an email is sent, the DKIM signature in the email header includes the selector (e.g., s1). The receiving mail server then queries your DNS for a TXT record at selector._domainkey.yourdomain.com to retrieve the public key and verify the email's authenticity. This process is fundamental to preventing email spoofing and ensuring that your messages reach the inbox.
Multiple selectors mean a domain can have multiple valid DKIM keys published simultaneously. This is where the strategy for two keys comes into play. It provides flexibility for various scenarios, from using multiple email sending services on the same domain to enabling crucial security practices like key rotation, which we'll discuss next.

The primary reason: seamless key rotation

The primary reason SendGrid (and many other advanced ESPs) requires two DKIM records is to facilitate seamless cryptographic key rotation. Just like passwords, cryptographic keys should be changed regularly to minimize the risk of compromise. If a private key were to be stolen or exposed, an attacker could forge email signatures, impersonating your domain and potentially impacting your domain reputation.
With two selectors (e.g., s1 and s2), SendGrid can rotate your keys seamlessly without interrupting your email flow. For instance, they might be actively signing emails with the key associated with s1. When it's time to rotate, they can update the public key associated with s2, then gradually start signing new emails with the s2 key. After a grace period, the s1 key can be updated, and the cycle continues. This overlap ensures that emails signed with the old key are still verifiable while the new key propagates through DNS.

DNS entries for SendGrid DKIM

Example CNAME records for DKIM authentication:
s1._domainkey.yourdomain.com CNAME s1.domainkey.sendgrid.net
s2._domainkey.yourdomain.com CNAME s2.domainkey.sendgrid.net
Without two distinct selectors, key rotation would be a much riskier and more complex process, potentially leading to deliverability issues during the transition. The seamless nature of this rotation is a key component of maintaining high email deliverability.
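The staggered rotation described above, modelled as a small state machine (an added example, not code from the original article or from SendGrid). A version label stands in for the RSA public key that DKIM really publishes, and the body hash for the signature, so only the selector bookkeeping is modelled; it also shows the failure mode the grace period exists to prevent, where retiring the old key too early breaks mail still in transit.

```python
import hashlib
from dataclasses import dataclass

# Constructed model: a version label stands in for the real RSA public key,
# and the body hash for the signature, so only selector handling is modelled.
@dataclass
class Signature:
    selector: str   # s= tag of the DKIM-Signature header
    key_id: str     # which published key signed the message
    bh: str         # bh= body hash tag

class TwoSelectorKeys:
    def __init__(self, zone, selectors=("s1", "s2")):
        self.zone = zone                  # selector -> key id; stands in for DNS
        self.selectors = list(selectors)
        self.active = self.selectors[0]
        self.version = 0
        for sel in self.selectors:
            self._publish_new_key(sel)
    def _publish_new_key(self, sel):
        self.version += 1
        self.zone[sel] = f"key-v{self.version}"
    def idle(self):
        return next(s for s in self.selectors if s != self.active)
    def sign(self, body):
        bh = hashlib.sha256(body.encode()).hexdigest()
        return Signature(self.active, self.zone[self.active], bh)
    def rotate(self):
        # Fresh key at the idle selector, then sign with it; the old key stays published.
        self.active = self.idle()
        self._publish_new_key(self.active)
    def retire_old(self):
        # After the grace period: replace the now-idle key; mail still in transit signed with it fails.
        self._publish_new_key(self.idle())

def verify(zone, sig, body):
    # Receiver side: fetch the key published for sig.selector and compare.
    bh = hashlib.sha256(body.encode()).hexdigest()
    return zone.get(sig.selector) == sig.key_id and bh == sig.bh

def rotation_timeline(body="constructed message body"):
    zone = {}
    keys = TwoSelectorKeys(zone)
    old_sig = keys.sign(body)            # signed under s1
    keys.rotate()                        # fresh key at s2, signing moves to s2
    new_sig = keys.sign(body)
    during = (verify(zone, old_sig, body), verify(zone, new_sig, body))
    keys.retire_old()                    # s1 replaced once the grace period ends
    after = (verify(zone, old_sig, body), verify(zone, new_sig, body))
    return old_sig.selector, new_sig.selector, during, after
```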

Enhanced security and resilience

Beyond routine key rotation, having two (or more) DKIM keys offers significant security and resilience benefits. If one of SendGrid's private keys were ever compromised, having a second, independent key allows them to quickly switch to the uncompromised key while the affected key is revoked and a new one generated. This significantly reduces the window of vulnerability and the potential for abuse.

Single DKIM key

  1. Risk: A single point of failure means if the key is compromised, all email authentication for that domain is immediately at risk.
  2. Rotation: Requires a disruptive process, potentially causing DMARC failures during updates.
  3. Complexity: Managing key updates can be complex without a secondary key for seamless transitions.

Two DKIM keys (SendGrid's approach)

  1. Risk mitigation: Provides a backup or alternative key if one is compromised, allowing for quick recovery.
  2. Seamless rotation: Enables zero-downtime key updates by rotating between two active keys.
  3. Resilience: Enhances the overall security posture and ensures continuous email authentication.
This practice also allows for more flexible management of shared sending infrastructure. While SendGrid utilizes separate keys for each domain (a highly secure approach), some ESPs might use a single domain key across multiple customers. SendGrid's method, while more complex to engineer, offers a higher level of security by isolating key management per domain. This design choice highlights a commitment to robust security measures for their users.
Another scenario where multiple DKIM keys are beneficial is when you use multiple ESPs for different types of email. Each ESP might require its own DKIM setup, potentially using different selectors, leading to multiple DKIM records on your domain. This is not overkill, but rather a necessary configuration to ensure all your sending streams are properly authenticated.

Practical implications and setup

When you set up domain authentication with SendGrid, it generates these two CNAME records for you. Instead of directly publishing TXT records with public keys, you point your DKIM selectors to SendGrid's key servers via CNAMEs. This allows SendGrid to manage the actual public keys and handle the rotation process automatically. This automation is incredibly convenient and reduces the administrative burden on domain owners.
Ensuring both CNAME records are correctly published in your DNS is critical for proper DKIM authentication. If these records are missing or misconfigured, your emails may fail DKIM checks, leading to them being sent to spam folders or even rejected by receiving mail servers. This also affects DMARC alignment, which relies on proper DKIM and SPF authentication.
It's always a good practice to verify your DNS records after making changes to ensure they have propagated correctly. Tools for checking DNS records can confirm if your s1 and s2 records are correctly pointing to SendGrid's servers. If you encounter issues like DKIM body hash mismatch failures, a misconfigured DKIM record is a common culprit.
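A record check for both selectors, as an added example (not from the original article or from SendGrid): it follows each selector's CNAME chain, confirms it lands on SendGrid's key servers, and parses the resulting DKIM TXT record. The zone is constructed inline so it runs offline; the SendGrid target names follow the article, and the TXT payloads are placeholders, not real keys.

```python
import re

# Constructed zone standing in for live DNS: name -> (rtype, value). The SendGrid
# target names follow the article; the TXT payloads are placeholders, not real keys.
ZONE = {
    "s1._domainkey.example.com.": ("CNAME", "s1.domainkey.sendgrid.net."),
    "s2._domainkey.example.com.": ("CNAME", "s2.domainkey.sendgrid.net."),
    "s1.domainkey.sendgrid.net.": ("TXT", "v=DKIM1; k=rsa; p=PLACEHOLDERKEY1"),
    "s2.domainkey.sendgrid.net.": ("TXT", "v=DKIM1; k=rsa; p=PLACEHOLDERKEY2"),
    # broken.test published s1 but forgot s2; revoked.test publishes a record
    # whose empty p= tag means "key revoked" (RFC 6376)
    "s1._domainkey.broken.test.": ("CNAME", "s1.domainkey.sendgrid.net."),
    "s1._domainkey.revoked.test.": ("TXT", "v=DKIM1; k=rsa; p="),
}

def resolve(name, zone=ZONE, max_hops=8):
    """Follow CNAMEs to the terminal record; return (cname_chain, txt_or_None)."""
    chain = []
    for _ in range(max_hops):
        rec = zone.get(name)
        if rec is None:
            return chain, None
        rtype, value = rec
        if rtype != "CNAME":
            return chain, value
        chain.append(value)
        name = value
    return chain, None            # too many hops / CNAME loop

def parse_dkim_txt(txt):
    """Split 'tag=value; tag=value' into a dict, tolerating stray whitespace."""
    return {k: v.strip() for k, v in re.findall(r"\s*(\w+)\s*=\s*([^;]*)", txt)}

def check_selector(domain, selector, zone=ZONE):
    chain, txt = resolve(f"{selector}._domainkey.{domain}.", zone)
    if txt is None:
        return False, "no record or unresolvable CNAME"
    tags = parse_dkim_txt(txt)
    if tags.get("v", "DKIM1") != "DKIM1":   # v= is optional, but must be DKIM1 if present
        return False, "not a DKIM1 record"
    if not tags.get("p"):
        return False, "empty p= tag: key revoked or missing"
    if not chain or not chain[-1].endswith(".domainkey.sendgrid.net."):
        return False, "not delegated to SendGrid via CNAME"
    return True, "ok"

def check_sendgrid_dkim(domain, zone=ZONE):
    """Both selectors must pass for SendGrid's rotation to work end to end."""
    return {sel: check_selector(domain, sel, zone) for sel in ("s1", "s2")}
```

For a live check, replace ZONE with lookups from dig or dnspython's dns.resolver; the checks themselves stay the same.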

Final thoughts

The main reason SendGrid requires two domain keys is cryptographic key rotation. This practice lets your DKIM keys be updated continuously without any disruption to your email sending, significantly enhancing the security of your email authentication. By regularly refreshing the keys, the window of opportunity for an attacker to exploit a compromised key is drastically reduced, ensuring your emails remain trusted.
This advanced approach to DKIM management is a hallmark of sophisticated email service providers like SendGrid. It underscores the importance of not just having email authentication in place, but also managing it dynamically to adapt to evolving security threats. Implementing these two CNAME records is a simple yet powerful step in securing your email communications and ensuring optimal deliverability.

Views from the trenches

Best practices
Implement automated key rotation for DKIM to reduce the risk of key compromise and maintain continuous email authentication.
Always set up all required DNS records, including both DKIM selectors, as specified by your email service provider.
Regularly monitor your domain's authentication status to catch any misconfigurations or issues promptly.
Common pitfalls
Neglecting to publish all required DKIM CNAME records, which can lead to authentication failures and deliverability issues.
Failing to understand the security benefits of key rotation, potentially overlooking critical protection for your domain.
Assuming one DKIM key is enough, when a dual-key setup facilitates smoother, more secure operations.
Expert tips
Consider using CNAME records for DKIM to allow your ESP to manage key rotation and updates automatically, simplifying your DNS management.
If using multiple ESPs, ensure each has its own unique DKIM selectors set up correctly to avoid conflicts.
Educate your team on the importance of DKIM authentication and the role of key rotation in email security.
Expert view
Expert from Email Geeks says that key rotation is the primary reason for multiple DKIM keys, especially when CNAMEs point to the ESP's key servers, as it significantly enhances security.
2020-04-08 - Email Geeks
Expert view
Expert from Email Geeks says that having multiple keys allows for a staggered rotation process, where one key can be updated while the other remains active, ensuring uninterrupted signing.
2020-04-08 - Email Geeks
