I have configured DKIM but signature verification is failing - email

I have configured the dkim for my mail server but it is failing signature verification when testing with dkimvalidator.com.
When testing I found the following result.
Result Link is here.
Can anybody tell me where I am making a mistake?
Or should the SpamAssassin score of 0.111 be a problem? I am sending email to Gmail but it's going to spam, maybe because of the DKIM config failure, I guess.

Your spam score is fine; when it's under 5 you're good with SA. However, your DKIM, well, it depends. I really can't cut and paste a test from a displayed page in the web browser. But I have a feeling that the DKIM validator that system is using is most likely struggling with the fact that you are signing your From field twice, which is valid, but some validators choke on that. If you want a real test, test it with this Mail Tester; it uses 4 different independent DKIM validators. It will give you a better idea of whether your DKIM is truly invalid.
Also change it from simple/simple to relaxed/relaxed. A lot of DKIM components struggle with the whitespace folding of simple/simple.
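The difference between the two canonicalization modes mentioned in the answer above, as an added example that is not part of the original posts: it implements the header and body canonicalization rules of RFC 6376 section 3.4 and compares a message before and after a relay refolds a header and touches whitespace. The sample message is constructed, and `header_digest` is a simplified stand-in for the real signature input.

```python
import base64
import hashlib
import re

def canon_header(raw: bytes, mode: str) -> bytes:
    """Canonicalize one header field (with its final CRLF), RFC 6376 section 3.4."""
    if mode == "simple":
        return raw                                   # 3.4.1: bytes used unchanged
    name, _, value = raw.partition(b":")
    value = re.sub(rb"\r\n(?=[ \t])", b"", value)    # unfold continuation lines
    value = re.sub(rb"[ \t]+", b" ", value)          # collapse each WSP run to one SP
    value = value.rstrip(b"\r\n").strip(b" ")        # drop WSP around the value
    return name.strip(b" \t").lower() + b":" + value + b"\r\n"

def canon_body(body: bytes, mode: str) -> bytes:
    lines = body.split(b"\r\n")
    if mode == "relaxed":                            # 3.4.4: normalise WSP inside lines
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":                # both modes drop trailing empty lines
        lines.pop()
    if not lines:                                    # empty body: CRLF (simple) or nothing
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str) -> str:
    """Value of the bh= tag for a SHA-256 based signature."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

def header_digest(headers: list, mode: str) -> str:
    # Simplified: the real signature input also appends the DKIM-Signature field itself.
    return hashlib.sha256(b"".join(canon_header(h, mode) for h in headers)).hexdigest()

# Constructed sample: the message as signed, and the same message after a relay
# refolded the Subject line and left trailing whitespace and a blank line in the body.
SIGNED_HDRS = [b"From: Alice <alice@example.com>\r\n", b"Subject: Quarterly report\r\n"]
RELAYED_HDRS = [b"From: Alice <alice@example.com>\r\n", b"Subject: Quarterly\r\n report\r\n"]
SIGNED_BODY = b"Hello,\r\nsee attached.\r\n"
RELAYED_BODY = b"Hello, \r\nsee attached.\r\n\r\n"

def survives(mode: str) -> tuple:
    """(headers still match, body hash still matches) after the relay's changes."""
    return (header_digest(SIGNED_HDRS, mode) == header_digest(RELAYED_HDRS, mode),
            body_hash(SIGNED_BODY, mode) == body_hash(RELAYED_BODY, mode))

if __name__ == "__main__":
    for mode in ("simple", "relaxed"):
        print(mode, survives(mode))
```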

Related

DKIM validation warning when sending e-mail from Sendgrid API

I've bought a domain and I'm hosting Cloudflare as my DNS host. I mainly use this domain for sending emails.
I use Google workspace for receiving and sending emails, but I also use the Sendgrid API to send one automatic email a day from a simple python program (using Sendgrid's python library) I keep running.
I have correctly authenticated my domain in Sendgrid and added the CNAME records to Cloudflare as Sendgrid advises. I have also configured Google correctly with my domain using their info. I've tested both configurations with their tools.
I'm now in the process of adding extra security to my emails. I've configured SPF, DMARC and DKIM using the simple instructions Google provides. Added all the records once again to my DNS provider (Cloudflare) and started to observe my daily DMARC reports.
I'm using URIports (https://app.uriports.com/) to make sense of these reports :P
Apparently, everything is ok with the mails I send from Google. But not ok with the emails sent via Sendgrid. The DMARC analysis is the following:
We have received the following report from google.com about 1 message that was received in the following timespan: 02-13 0:00 (24h). This email was received from IP address xxx.xxx.xxx.xxx with hostname something.outbound-mail.sendgrid.net supposedly from <user>@<mydomain>.
DKIM validation passed because at least one signature is valid
Signature 1 for domain <mydomain> passed. The message was signed, and the signature passed verification tests.
Signature 2 for domain sendgrid.info passed. The message was signed, and the signature passed verification tests but the DKIM signature domain sendgrid.info does not align with the Header-From domain <mydomain>.
SPF and DMARC validations are ok.
I confess I'm lost and I'm searching everywhere without success. Can anyone help me understand in what direction to go?
Can it be a problem with the python program?
Many thanks! Cheers!
Gil
To set your mind at ease, your setup is fine! Nothing to worry about.
DKIM is, among other things, a reputation tool. SendGrid is adding two signatures to your emails: one for your domain, which will help pass DMARC authentication, and one for their domain / service. This second one is optional from the DMARC perspective, but may improve Inbox delivery.
There are many services that operate in a similar fashion, adding an additional DKIM signature to outbound emails.

Why don't we use FROM header in SPF

I was reading about SPF lately and got to know that SPF fails to identify spoofing when the spammer sends email with the envelope-from pointing to a domain that he/she controls and there is a completely different domain that the receiving client sees. I was just wondering why not do a check against the domain that the sender sees?
Thanks
Because SPF is about origin, not content, and the envelope sender doesn't need to be the same as the from address.
There is a mechanism for validating the From address and checking its alignment with the envelope sender, but it's not SPF, it's DMARC. Complete the trinity with DKIM, and you've got most of what you can reasonably control with email nailed down.
I asked one of my colleagues as well. According to him, although spoofers can take advantage of SPF's design, it still makes it a bit harder to do that. Given that at the time SPF was created nothing was there, even a not-so-good SPF was something to cherish. Regarding why not use the message From: it was done to avoid breaking the mail forwarding mechanisms currently in place.
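How DMARC ties the authenticated domains back to the visible From domain, as an added example that is not part of the original posts; it covers both the two-signature Sendgrid report discussed earlier on this page and the SPF envelope-sender question above. All domains other than sendgrid.info are constructed, and `org_domain` is a hypothetical helper that assumes the organizational domain is the last two labels.

```python
def org_domain(domain: str) -> str:
    # ASSUMPTION: organizational domain = last two labels. A real evaluator
    # uses the Public Suffix List (needed for suffixes such as co.uk).
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """Identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_eval(header_from, spf_result, mail_from, dkim_sigs, aspf="r", adkim="r"):
    """dkim_sigs: list of (d= domain, result). Returns the DMARC verdict and why.

    SPF only authenticates the envelope sender (mail_from); DMARC passes when
    SPF or at least one DKIM signature both passes and aligns with header_from.
    """
    spf_ok = spf_result == "pass" and aligned(mail_from, header_from, aspf)
    dkim_ok = [d for d, res in dkim_sigs
               if res == "pass" and aligned(d, header_from, adkim)]
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

def two_signature_case(aspf: str = "r") -> dict:
    # Constructed: mail sent through an ESP that signs with the customer's
    # domain and with its own domain, using a subdomain as envelope sender.
    return dmarc_eval("example.com", "pass", "em1234.example.com",
                      [("example.com", "pass"), ("sendgrid.info", "pass")], aspf=aspf)

def unaligned_spf_case() -> dict:
    # Constructed: SPF passes for the envelope domain, but that domain is
    # unrelated to the From domain and there is no aligned DKIM signature.
    return dmarc_eval("example.com", "pass", "bounces.example.net", [])

if __name__ == "__main__":
    print(two_signature_case())
    print(two_signature_case(aspf="s"))
    print(unaligned_spf_case())
```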

DKIM and DMARC set up on dedicated 1and1 server

I am having a little trouble figuring out this process. I can manage to get the DNS records set up for the DMARC, DKIM and SPF. I get lost with what I am trying to do with the private key for the DKIM. Currently I am using a dedicated server offered by 1and1.com. If someone can give me a quick walk-through I would really appreciate it.
The website I am currently making sends out scheduled emails plus emails on behalf of users. Some of them are being blocked by Hotmail and other email providers. I understand that adding these protocols will increase the likelihood that the emails reach their intended targets. If there are any other mechanisms that can accomplish this as well, I would greatly appreciate a heads up.
I use the built-in PHP mail method to send emails (I do not want to incorporate a third-party plugin to do something that PHP already does and works pretty well).
thanks
Yes, you can set DMARC on 1and1. Set:
Type: txt
Prefix: _dmarc
Value: v=DMARC1; p=none; sp=none; rua=mailto:yourmail@hotmail.com; ruf=mailto:yourmail@hotmail.com; rf=afrf; pct=100; ri=86400;
Change the 2 emails
You can't set up DMARC or DKIM on 1&1 DNS, they don't allow underscores (_) in sub-domains in their DNS records.
Sorry for the bad news. They are the only hosting provider I know about that doesn't allow underscores (unless something changed recently)
DMARC is easy to set up; just use this DMARC Wizard.
DKIM is something that you need to set up with the email software program you're using to send mail (which you didn't tell us what you're using) - I'm guessing postfix or exim?

Gmail thinks our email is NOT from the FROM domain and puts it in Spam Folder, how to solve this?

We have a website where we allow you to reset your password (say if you forget your password). This is standard on many websites. Basically you enter your email address which you've used to register on our website, then we send you an email containing an email reset link.
This is all standard stuff. However, the problem is: Gmail somehow thinks this email we send to the user is spam, and puts it in the Spam folder.
The specific message Gmail shows is:
Be careful with this message. Our systems couldn't verify that this message
was really sent by xyz.com. You might want to avoid clicking links or replying
with personal information.
Let me explain how we send the email. We use the company sendgrid.com to deliver
the emails. xyz.com is a domain we control. (xyz is a pseudo-name here.)
The email's from address is: do-not-reply@xyz.com
We have changed xyz.com's SPF record to include "sendgrid.com" (and "sendgrid.net" "sendgrid.me").
There's no website associated with xyz.com, however.
My question is: what else can we do to make Gmail believe the email is from the domain xyz.com? So it doesn't put the email in the spam folder?
Thank you.
Did you end up publishing DKIM with Sendgrid? Also, I have a feeling your SPF record isn't quite right as generally there's one official entry per email provider. You mention adding several. I'd recommend looking at their docs for exactly what they recommend publishing in your SPF. Do this for any provider you use for any kind of email.
Since you mentioned Sendgrid as your ESP, here are Sendgrid's instructions. Once you've done the DNS you have to ask Sendgrid to "sign" it. Since DKIM uses cryptography you'll need them to do their side.
DKIM's less complicated than it sounds. The DNS records you have to add will take a few minutes then presumably open a ticket to Sendgrid to have them do their side.
Also, as an aside, could you post what you have for your SPF record here? I don't mean your domain but what the value is? It's not directly causing the problem but it's a key component of email authentication.
Once you've completed SPF and DKIM, it is critical you validate them both. Do a search for SPF validator and DKIM validator to find online tools.

How to set up phpmailer?

I'd like to use phpmailer for sending emails, but, as far as I can see, it requires me to point out SMTP server. Since I don't know it, is there a way to just use it without configuring for that or maybe there are other plugins for the job?
Make sure you are not spamming the things.
If the mail is going into the junk folder, this does not mean that your mail() function is not working. It has something to do with spam control activity done by the mail receiver's domain.
And in case you are doing it for a valid purpose, try signing your mail with a DK/DKIM signature and provide an SPF record for your domain.