When configuring a custom email sender in Okta, administrators often request Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) records for Domain Name System (DNS) settings to secure the email domain. Okta uses SendGrid with Automated Security enabled, which means SendGrid automatically manages SPF and DKIM records without requiring manual configuration.
NOTE: This information does not apply to scenarios involving a self-managed email provider. Consult the documentation provided by the specific email provider for instructions on generating DKIM configuration data and identifying the IP addresses used for email delivery.
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Sender Policy Framework (SPF)
- DomainKeys Identified Mail (DKIM)
- Custom Email Sender
- SendGrid
How are SPF and DKIM records managed for Okta custom email senders?
Okta uses SendGrid as the email service provider and enables the Automated Security feature during integration. SendGrid automatically manages SPF and DKIM records when Okta manages the email provider.
Review the three Canonical Name (CNAME) records that Okta generates during the email sender configuration process, which include the mail subdomain and the two domain key values.
- subdomain.<domain.com> (The default subdomain is mail, but administrators can change this value when creating the email domain.)
- <value>._domainkey.<domain.com>
- <value>2._domainkey.<domain.com>
Performing an SPF lookup on the first CNAME record reveals an existing SPF record for the sender that includes all the IP addresses SendGrid uses to send Okta emails. Similarly, performing a DKIM lookup on the last two CNAME records confirms the active DKIM configuration.
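The lookups described above can be scripted. The following is an added example, not Okta or SendGrid code: it follows each of the three CNAME records to its TXT record and checks for an SPF policy or a usable DKIM key. It reads from a constructed in-memory zone in place of live DNS queries; example.com, the selector okta and the *.sendgrid.example targets are placeholders.

```python
# Constructed sample zone, not real DNS data: name -> (type, value).
# example.com, the selector "okta" and the *.sendgrid.example targets are
# placeholders for <domain.com>, <value> and the provider's hosts.
ZONE = {
    "mail.example.com": ("CNAME", "u0000.wl.sendgrid.example"),
    "u0000.wl.sendgrid.example": ("TXT", "v=spf1 ip4:192.0.2.0/24 -all"),
    "okta._domainkey.example.com": ("CNAME", "k1.u0000.wl.sendgrid.example"),
    "k1.u0000.wl.sendgrid.example": ("TXT", "v=DKIM1; k=rsa; p=Q09OU1RSVUNURUQ="),
    "okta2._domainkey.example.com": ("CNAME", "k2.u0000.wl.sendgrid.example"),
    "k2.u0000.wl.sendgrid.example": ("TXT", "v=DKIM1; k=rsa; p="),
}

def resolve_txt(name, zone, max_hops=8):
    """Follow CNAMEs from name; return the TXT value reached, or None."""
    seen = set()
    while len(seen) < max_hops:
        key = name.rstrip(".").lower()
        if key in seen or key not in zone:
            return None  # CNAME loop or dangling target
        seen.add(key)
        rtype, value = zone[key]
        if rtype == "TXT":
            return value
        name = value
    return None

def check_spf(name, zone):
    txt = resolve_txt(name, zone)
    if txt is None:
        return "missing"
    return "ok" if txt.split()[:1] == ["v=spf1"] else "not-spf"

def check_dkim(name, zone):
    txt = resolve_txt(name, zone)
    if txt is None:
        return "missing"
    pairs = (part.partition("=") for part in txt.split(";"))
    tags = {k.strip(): v.strip() for k, _, v in pairs if k.strip()}
    if "p" not in tags or tags.get("v", "DKIM1") != "DKIM1":
        return "not-dkim"
    return "ok" if tags["p"] else "revoked"  # empty p= is a revoked key

def check_sender(domain, selector, zone, subdomain="mail"):
    """Check the three CNAMEs: <subdomain>, <value>._domainkey, <value>2._domainkey."""
    return {
        "spf": check_spf(f"{subdomain}.{domain}", zone),
        "dkim1": check_dkim(f"{selector}._domainkey.{domain}", zone),
        "dkim2": check_dkim(f"{selector}2._domainkey.{domain}", zone),
    }
```

In the constructed zone the second DKIM record carries an empty p= tag, so check_sender reports it as revoked while the SPF record and the first DKIM record pass.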
