If you just want step-by-step setup instructions, see How to configure your outgoing email address instead.
The short version
When you complete your email setup with us, we provide you with three DNS records that you must configure in order for SendGrid, the service used by Sharetribe, to send emails on your behalf:
One of them makes SPF possible.
The other two are for DKIM.
All of them are CNAME records whose values are names under SendGrid's control, which lets SendGrid manage the sending and bouncing of emails accordingly.
This means that for any DNS query regarding these records, SendGrid provides the answer from within their own DNS zone. You point a name in your domain at a name in theirs, and they manage what it resolves to.
In short: the first record (SPF) authorizes who may send on your behalf, and the two DKIM records let SendGrid cryptographically sign each message (and rotate those signing keys) without further changes on your side.
The longer version
How the CNAME delegation works
One of the DNS records we ask you to configure looks like em123.example.com, and its value is a name under SendGrid's control (something like u12345678.wl123.sendgrid.net).
The SPF standard uses DNS TXT records. The em123.example.com record, however, is a CNAME in your DNS zone, not a TXT record.
CNAME (short for Canonical Name) means that for any DNS query, the value of that record is the name that should be checked instead. So in this case, a query for the TXT records of u12345678.wl123.sendgrid.net returns the actual SPF record:
$ dig txt u12345678.wl123.sendgrid.net
;; ...
;; ANSWER SECTION:
u12345678.wl123.sendgrid.net. 1800 IN TXT "v=spf1 ip4:168.245.0.1 -all"
That is the valid SPF record for this subdomain. The IP address listed there is the correct one used to send your email. (The exact value will differ for your setup.)
SPF validates the "envelope From" address, not the visible "From"
SPF is a standard that validates the so-called SMTP envelope From address. This is not the "From" address in the email headers, which is what email clients typically display as the sender.
For email sent by Sharetribe via SendGrid, the envelope From address looks like this:
SOME_GENERATED_ID@em123.example.com
This is important: to check SPF, you need to look at the SPF record for the em123.example.com hostname, and not the SPF record for your entire domain (example.com).
What the DKIM records are for
While the SPF record authorizes which servers may send email on your behalf, DKIM (DomainKeys Identified Mail) proves that a message is authentic and was not tampered with in transit. SendGrid signs every outgoing email with a private cryptographic key, and the matching public key is published in your DNS. A receiving mail server fetches that public key, verifies the signature on the message, and, if it matches, knows the email was genuinely authorized by your domain and arrived unaltered.
The two DKIM records use the default selectors, flx and flx2, which produce the records:
flx._domainkey.example.com
flx2._domainkey.example.com
Both are CNAME records pointing back to SendGrid-controlled names, for example:
| type | name | value |
| --- | --- | --- |
| CNAME | flx._domainkey.example.com | s1.domainkey.u12345678.wl123.sendgrid.net |
| CNAME | flx2._domainkey.example.com | s2.domainkey.u12345678.wl123.sendgrid.net |
This is the same delegation trick used by the SPF record: by pointing these names at SendGrid's DNS zone, you hand SendGrid control over what they resolve to.
The reason there are two records rather than one is key rotation.
SendGrid periodically rotates the signing keys between the flx and flx2 selectors automatically. Because the records are CNAMEs that delegate control to SendGrid, this happens without you ever having to touch your DNS again. If they were plain TXT records, you would have to update them by hand each time the key changed.
What else does the CNAME delegation enable?
The CNAME delegation also allows SendGrid to respond with other types of DNS records for that name. For instance, SendGrid also sets an MX record, which allows email bounces to get back to SendGrid and be processed correctly.
Bounces are sent to the "Return-Path" given in the email, not to be confused with the "Reply-To" address.
How to find the envelope From address yourself
You can find the SMTP envelope From address of an email by inspecting the raw email message in your email client. In Gmail, for example, select "Show original" from the message menu.
The exact format of the headers may differ between email providers, but you should be able to find something like:
smtp.mailfrom="bounces+SOME_ID@em123.example.com"
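An added example (not Sharetribe's or SendGrid's code) that ties together the CNAME delegation, the envelope From rule and the smtp.mailfrom header described above: it extracts the envelope domain from a constructed Authentication-Results header, follows the CNAME in a constructed in-memory zone, and evaluates the SPF record for a sending IP. The zone dictionary, the header, the receiver name and all function names are assumptions for illustration, and only the ip4 and all mechanisms are evaluated.

```python
import ipaddress
import re

# Constructed zone data reusing the article's example names (not live DNS).
ZONE = {
    ("em123.example.com", "CNAME"): ["u12345678.wl123.sendgrid.net"],
    ("u12345678.wl123.sendgrid.net", "TXT"): ["v=spf1 ip4:168.245.0.1 -all"],
}
# Constructed header, in the smtp.mailfrom format the article shows.
SAMPLE_HEADER = ('Authentication-Results: mx.receiver.example; spf=pass '
                 'smtp.mailfrom="bounces+SOME_ID@em123.example.com"')
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup_txt(name, max_hops=8):
    """Follow CNAMEs as a resolver would; return (final_name, txt_values)."""
    name = name.rstrip(".").lower()
    for _ in range(max_hops):
        cname = ZONE.get((name, "CNAME"))
        if not cname:
            return name, ZONE.get((name, "TXT"), [])
        name = cname[0]
    raise RuntimeError("CNAME chain too long")

def envelope_domain(header):
    """Domain part of smtp.mailfrom, i.e. the name SPF is evaluated for."""
    m = re.search(r'smtp\.mailfrom="?[^@\s";]*@([^\s";>]+)', header)
    return m.group(1).lower() if m else None

def spf_check(domain, sender_ip):
    """Evaluate ip4 and all mechanisms only (enough for the record shown)."""
    _, txts = lookup_txt(domain)
    records = [t for t in txts if t.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        return "permerror" if records else "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?").lower()
        if mech.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        elif mech == "all":
            matched = True
        else:
            continue  # include, a, mx, etc. are outside this sketch
        if matched:
            return RESULTS[qualifier]
    return "neutral"

if __name__ == "__main__":
    domain = envelope_domain(SAMPLE_HEADER)
    print(domain, spf_check(domain, "168.245.0.1"))   # envelope domain
    print("example.com", spf_check("example.com", "168.245.0.1"))  # wrong name
```

Checking the bare domain instead of the envelope domain finds no SPF record in this constructed zone, which is why the lookup has to start from the smtp.mailfrom hostname.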
