email, sendgrid, spf, dkim

How would SendGrid Automated Security handle SPF record?


I use SendGrid and I have 2 dedicated IPs... My website sends its emails using SendGrid.

At the same time I use G Suite and I personally send my emails using G Suite (Google Workspace)

I want to set up DKIM and SPF records. SendGrid documentation has an option called Automated Security:

Automated security allows SendGrid to handle the signing of your DKIM and authentication of your SPF for your outbound email with CNAME records. This allows you to add a dedicated IP address or update your account without having to update your SPF record.

and later on...

When Automated Security is On, SendGrid generates 3 different CNAME records. In a later step of setting up domain authentication, you give these records to your DNS provider, and then you verify that they upload correctly.

If you select Off, we generate 1 MX record and 2 TXT records. In a later step of setting up domain authentication, you give these records to your DNS provider, and then you verify that they upload correctly.

So when Automated Security is ON I won't need to add any SPF or DKIM records; instead I have added the 3 CNAME records that are required for Automated Security...

On the other hand I am also using G Suite and G Suite wants me to add DKIM and the following SPF record:

v=spf1 include:_spf.google.com ~all 

From what I understand, the above SPF record means that _spf.google.com is the only server that should be sending my emails...

So my question is: Is adding the G Suite SPF record conflicting with SendGrid Automated Security? Is my SPF record saying that my SendGrid dedicated IPs are not allowed to send email?

Imagine Yahoo's mail server receives an email from one of my dedicated IPs (SendGrid)... how would Yahoo know that I am using Automated Security and that the SPF record is handled by SendGrid? Because if Yahoo checked the SPF record, the SPF record would tell it that only _spf.google.com is allowed to send my emails?


Solution

  • Just a note: Your question would probably do better at the Server Fault forum.

    To answer your question: No, the SPF record where you list G Suite is not conflicting with your SendGrid setup.

    What is important to understand is: SPF says absolutely nothing about who is allowed to send emails FROM your domain. SPF authenticates the Return-Path address instead, and you're creating a subdomain for the bounce messages (what the Return-Path header is used for) with the CNAME delegation records in "Automated Security".

    So, basically, Sendgrid is asking you to create a subdomain for them, e.g. em123.yourdomain.com, by means of a CNAME record. You delegate that subdomain over to them, targeting your personal Sendgrid tenant zone in DNS, where they create an SPF record and an MX record at the root of that zone. A typical email from Sendgrid will then look like this:

    from: [email protected], Return-Path: [email protected]

    Thus, the receiving server will check the SPF record at em123.yourdomain.com to see if your IPs are allowed.

    The other two CNAMEs are for the DKIM selector records. They point to TXT records that Sendgrid manages and rotates periodically.

    So why not have Sendgrid use their domain in the Return-Path and not bother with the CNAME setup at all? DMARC demands that your Return-Path domain aligns with your FROM domain, OR that the domain used in your DKIM signatures aligns with your FROM domain. Preferably both.
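The receiver-side logic the answer describes, as an added example that is not part of the original question or answer and is not SendGrid's or Google's code: a small resolver over a constructed DNS table, a simplified SPF evaluator (only ip4, include and all mechanisms), and a DMARC alignment check run against the Return-Path domain rather than the header From domain. The em123.yourdomain.com subdomain comes from the answer; the sendgrid.net target name, the google.com SPF contents, the IP addresses and the "last two labels" organizational-domain rule are all assumptions made for this example, not real records.

```python
"""Simplified SPF evaluation and DMARC alignment over a constructed DNS table.

Added example: illustrates why SPF is checked on the Return-Path (MAIL FROM)
domain and how a CNAME-delegated subdomain keeps DMARC alignment. Not SendGrid
or Google code; all records below are made up.
"""
import ipaddress

# Constructed zone data (hypothetical). The CNAME target under sendgrid.net and
# every IP address are placeholders chosen for this example.
DNS = {
    "yourdomain.com": {"TXT": ["v=spf1 include:_spf.google.com ~all"]},
    "_spf.google.com": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ~all"]},
    "em123.yourdomain.com": {"CNAME": "u123.wl.sendgrid.net"},
    "u123.wl.sendgrid.net": {"TXT": ["v=spf1 ip4:203.0.113.10 ip4:203.0.113.11 -all"]},
}


def lookup(name, rtype, depth=0):
    """Return records of type rtype for name, following a CNAME chain like a resolver."""
    if depth > 5:
        raise RuntimeError("CNAME chain too long")
    node = DNS.get(name.lower(), {})
    if "CNAME" in node and rtype != "CNAME":
        return lookup(node["CNAME"], rtype, depth + 1)
    return node.get(rtype, [])


def spf_check(ip, domain, depth=0):
    """Evaluate SPF for a sending IP against a domain.

    Supports ip4, include and all with +/-/~/? qualifiers; returns one of
    'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    """
    if depth > 10:
        return "permerror"
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        result = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qual]
        if term == "all":
            return result
        mech, _, arg = term.partition(":")
        if mech == "ip4" and addr in ipaddress.ip_network(arg, strict=False):
            return result
        # include: only a 'pass' of the included domain matches this mechanism
        if mech == "include" and spf_check(ip, arg, depth + 1) == "pass":
            return result
    return "neutral"


def org_domain(name):
    """Organizational domain. Assumption: last two labels; real DMARC uses the PSL."""
    return ".".join(name.lower().split(".")[-2:])


def dmarc_aligned(header_from_domain, auth_domain, strict=False):
    """DMARC identifier alignment: exact match in strict mode, org domain in relaxed."""
    if strict:
        return header_from_domain.lower() == auth_domain.lower()
    return org_domain(header_from_domain) == org_domain(auth_domain)


def evaluate(ip, mail_from_domain, header_from_domain, dkim_domain=None):
    """Mimic a receiver: SPF on the Return-Path domain, then DMARC alignment.

    dkim_domain is the d= of a DKIM signature assumed to have already verified;
    signature verification itself is out of scope here.
    """
    spf = spf_check(ip, mail_from_domain)
    spf_aligned = spf == "pass" and dmarc_aligned(header_from_domain, mail_from_domain)
    dkim_aligned = dkim_domain is not None and dmarc_aligned(header_from_domain, dkim_domain)
    return {
        "spf": spf,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,
    }


if __name__ == "__main__":
    # SendGrid dedicated IP, Return-Path on the delegated subdomain: passes and aligns.
    print(evaluate("203.0.113.10", "em123.yourdomain.com", "yourdomain.com"))
    # Google Workspace IP, Return-Path on the root domain: passes via the include.
    print(evaluate("198.51.100.7", "yourdomain.com", "yourdomain.com"))
    # The scenario the question worries about: SendGrid IP checked against the
    # root SPF record. Softfails, which is why the Return-Path is delegated instead.
    print(evaluate("203.0.113.10", "yourdomain.com", "yourdomain.com"))
```

The third call shows the questioner's concern is real only if SendGrid used the root domain in Return-Path; with the CNAME delegation the receiver resolves em123.yourdomain.com, lands in the tenant zone SendGrid controls, and the root record listing only Google is never consulted for that message. Note that relaxed alignment is what makes the subdomain acceptable for DMARC; with a strict SPF alignment policy (aspf=s) the DKIM signature would have to carry the alignment instead.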