
I'm making use of SendGrid to send automatic emails. First I went to the whole hassle of creating a DKIM record, before I recently discovered the whole record doesn't seem to be checked anyway, because SendGrid provides its own DKIM record.

See: https://sendgrid.com/docs/Apps/dkim.html

How does this work? If I don't need to provide my own DKIM for the domain I'm sending from, how does this prevent me from just spoofing the email address from some domain I don't own?

Dirk Boer

1 Answer


DKIM does not fully mitigate this kind of attack, but plays an important role. By checking the DKIM signature it is possible to detect changes to the message on the transport from the original sender to the receiver. It is not possible for the receiver to find out if the message should have a DKIM signature, because the receiver does not know the selector to query the public key.

Also note that DKIM works on the message, not the envelope as SPF does. Both DKIM and SPF are necessary in conjunction for spoof-prevention (and DMARC, which is based on both of them). As DKIM works on the message, you can have different sending servers with different keys and thus different selectors in DNS in parallel (your own and SendGrid's).

I think you want SPF (Sender Policy Framework). By specifying the allowed sending servers in a TXT record for the domain, receiving servers can check if the sending server is in the list of allowed servers. In your case you have to add the IPs of SendGrid's servers to your SPF record.

With a DMARC record you can additionally specify how receivers should handle violations of SPF and DKIM and get reports of abuse.

sebix
    This answer is actually not correct. The primary goal for DKIM (as described in the first paragraph of the defining RFCs) is to establish an 'authority' for the email. This authority is usually interpreted as a domain. While the integrity guarantee is an important part of DKIM, it was not the primary motivation. And either DKIM or SPF can be used in concert with DMARC to mitigate domain spoofing attacks in email. – Peter Goldstein Mar 12 '15 at 18:52
  • @PeterGoldstein I extended my answer and also mentioned DMARC now. – sebix Mar 15 '15 at 21:30
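To make the answer and Peter Goldstein's comment concrete, here is an added toy evaluator (not part of the question, the answer, or SendGrid's documentation) that walks through what a receiving server does: evaluate SPF for the envelope domain, take the verified DKIM `d=` domains as given, and apply DMARC's alignment rule (pass if either an aligned SPF or an aligned DKIM result exists). The DNS records in the `DNS` table are constructed for the example and are not SendGrid's or any real domain's records; the `include:sendgrid.net` mechanism is used only as a stand-in for "the ESP's published IPs". DKIM signature verification itself is out of scope, so the caller passes in `(d= domain, result)` pairs. The organizational-domain shortcut (last two labels) is an assumption; real validators use the Public Suffix List.

```python
"""Toy SPF + DMARC alignment evaluator (added example, constructed data)."""
import ipaddress

# Constructed in-memory "DNS": name -> list of TXT records. None of these are real records.
DNS = {
    "example.com": ["v=spf1 ip4:198.51.100.0/24 include:sendgrid.net -all"],
    "sendgrid.net": ["v=spf1 ip4:203.0.113.0/24 ~all"],        # stand-in for the ESP's IPs
    "attacker.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],    # attacker also sends via the same ESP
    "_dmarc.example.com": ["v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com"],
}
MAX_LOOKUPS = 10  # RFC 7208 caps DNS-querying mechanisms (include, a, mx, ...) at 10


def _spf_record(domain):
    return next((r for r in DNS.get(domain, []) if r.startswith("v=spf1")), None)


def check_spf(ip, domain, _lookups=None):
    """SPF result for sender `ip` using envelope (MAIL FROM) domain `domain`.
    Supports ip4/ip6, include and all; a/mx/exists are skipped in this toy."""
    lookups = _lookups if _lookups is not None else [0]
    record = _spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        result = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
        if term == "all":
            return result
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(arg, strict=False):
                return result
        elif mech == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            if check_spf(ip, arg, lookups) == "pass":  # include matches only on "pass"
                return result
    return "neutral"  # record without an 'all' term: default per RFC 7208


def org_domain(domain):
    """Organizational domain approximation (assumption: last two labels)."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_record(from_domain):
    """DMARC policy for the RFC5322.From domain, falling back to its organizational domain."""
    for name in (from_domain, org_domain(from_domain)):
        for rec in DNS.get("_dmarc." + name, []):
            if rec.startswith("v=DMARC1"):
                tags = (p.strip().partition("=") for p in rec.split(";"))
                return {k: v for k, _, v in tags if k}
    return None


def aligned(identifier_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') is exact match, relaxed ('r') is same org domain."""
    a, b = identifier_domain.lower(), from_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def evaluate_dmarc(from_domain, sender_ip, envelope_domain, dkim_results):
    """dkim_results: list of (d= domain, verifier result). Returns the SPF result,
    which identifier (if any) gave an aligned pass, and the action the policy requests."""
    policy = dmarc_record(from_domain)
    spf = check_spf(sender_ip, envelope_domain)
    if policy is None:
        return {"spf": spf, "dmarc": "none", "action": "none"}
    spf_aligned = spf == "pass" and aligned(envelope_domain, from_domain, policy.get("aspf", "r"))
    dkim_aligned = any(res == "pass" and aligned(d, from_domain, policy.get("adkim", "r"))
                       for d, res in dkim_results)
    passed = spf_aligned or dkim_aligned
    return {"spf": spf, "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc": "pass" if passed else "fail",
            "action": "none" if passed else policy.get("p", "none")}


if __name__ == "__main__":
    # 1. Legitimate send through the ESP: SPF passes via include and aligns; the ESP's own
    #    DKIM key (d=sendgrid.net) does not align, but SPF alone satisfies DMARC.
    print(evaluate_dmarc("example.com", "203.0.113.5", "example.com", [("sendgrid.net", "pass")]))
    # 2. Spoof from an unrelated host: SPF fail, no DKIM -> policy says reject.
    print(evaluate_dmarc("example.com", "192.0.2.10", "example.com", []))
    # 3. Spoof through the same ESP with the attacker's envelope domain: SPF passes for
    #    attacker.example but is not aligned with From: example.com, and d=sendgrid.net is
    #    not aligned either -> reject. This is the case the question worries about.
    print(evaluate_dmarc("example.com", "203.0.113.5", "attacker.example", [("sendgrid.net", "pass")]))
```

Scenario 3 is the point of the thread: a DKIM signature under the provider's own domain proves the provider handled the message, not that example.com authorized it, so DMARC only counts identifiers aligned with the From: domain. Conversely, a signature under your own selector (or a subdomain of it, under relaxed alignment) passes DMARC even when SPF fails, which is why the answer suggests publishing both and letting DMARC tie them together.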