SendGrid Email Authentication Setup

Twilio SendGrid is a cloud-based transactional and marketing email platform. This guide covers the complete email authentication stack for SendGrid: SPF, DKIM, and DMARC. Each section gives you the exact DNS records, step-by-step instructions, common pitfalls, and how to verify your setup.

Jump to a Protocol

SPF

Authorize which servers can send email for your domain.

DKIM

Cryptographically sign your outgoing email so receivers can verify it.

DMARC

Tell receivers what to do when SPF or DKIM fail.

SPFTest with our SPF Checker →

How to Set Up SPF for SendGrid

Authorize SendGrid to send email on behalf of your domain by adding the correct SPF include or by completing domain authentication.

Quick Answer — The Record You Need

Type

TXT

Host / Name

Value

v=spf1 include:sendgrid.net ~all

If using SendGrid domain authentication (recommended), SPF is handled automatically via a CNAME record. Manual SPF include is the alternative.

Step-by-Step Setup

Log in to SendGrid

Go to app.sendgrid.com and sign in to your account.

Start domain authentication

Navigate to Settings > Sender Authentication > Domain Authentication. Click "Authenticate Your Domain". SendGrid recommends domain authentication over manual SPF.

Select your DNS host and enter your domain

Choose your DNS provider from the dropdown and enter your sending domain. SendGrid will generate the DNS records you need.

Add DNS records

SendGrid will provide CNAME records that handle SPF automatically. If you prefer a manual SPF include instead, add include:sendgrid.net to your SPF record.

v=spf1 include:sendgrid.net ~all

Verify in SendGrid

Click "Verify" in SendGrid. The platform will check your DNS records and confirm authentication is complete.

Before & After

Before

v=spf1 include:_spf.google.com ~all

After

v=spf1 include:_spf.google.com include:sendgrid.net ~all

SPF Gotchas

SendGrid's domain authentication uses CNAME records that handle SPF automatically. If you use domain authentication, you do not need a separate include:sendgrid.net in your SPF record.
If you choose manual SPF, the include is sendgrid.net (not app.sendgrid.com or email.sendgrid.com).
SendGrid domain authentication was previously called "whitelabel". Documentation using the old term still applies.

SPF FAQ

What SPF record do I need for SendGrid?

If using manual SPF, add include:sendgrid.net to your SPF record. If using SendGrid domain authentication (recommended), SPF is handled via CNAME records and no manual SPF include is needed.

Should I use domain authentication or manual SPF with SendGrid?

SendGrid recommends domain authentication. It uses CNAME records that automatically handle SPF and DKIM, and it gives you better control over your sender reputation.

Can I use SendGrid and Google Workspace SPF together?

Yes. Combine both includes in a single SPF record: v=spf1 include:_spf.google.com include:sendgrid.net ~all.

DKIMTest with our DKIM Checker →

How to Set Up DKIM for SendGrid

Configure DKIM for SendGrid by publishing CNAME records that allow SendGrid to sign outgoing email with your domain.

Quick Answer — The Record You Need

Type

CNAME

Host / Name

s1._domainkey

Value

s1.domainkey.u12345678.wl12345.sendgrid.net

You need two CNAME records: s1._domainkey and s2._domainkey. The exact values are generated in your SendGrid account during domain authentication.

Step-by-Step Setup

Log in to SendGrid

Go to app.sendgrid.com and sign in to your account.

Navigate to domain authentication

Go to Settings > Sender Authentication > Domain Authentication. Click "Authenticate Your Domain".

Enter your domain details

Select your DNS host, enter your domain, and optionally customize the DKIM selector prefix (default is s1 and s2).

Add the CNAME records to your DNS

SendGrid will display the CNAME records. Create both CNAME records in your DNS provider.

s1._domainkey.yourdomain.com  CNAME  s1.domainkey.u12345678.wl12345.sendgrid.net
s2._domainkey.yourdomain.com  CNAME  s2.domainkey.u12345678.wl12345.sendgrid.net

Verify in SendGrid

Click "Verify" in SendGrid. Once DNS records propagate, SendGrid will confirm DKIM is active and begin signing outgoing email.

DKIM Gotchas

SendGrid DKIM uses CNAME records, not TXT records. The CNAMEs point to SendGrid-hosted keys.
The s1 and s2 selectors are SendGrid defaults. The exact CNAME values are unique to your account and cannot be guessed -- you must copy them from the SendGrid dashboard.
If you have an existing DKIM TXT record at the same selector, it may conflict with the CNAME. Remove the old TXT record before adding the CNAME.

DKIM FAQ

What are the DKIM selectors for SendGrid?

SendGrid uses s1 and s2 as default DKIM selectors. The records are published as CNAME records at s1._domainkey.yourdomain.com and s2._domainkey.yourdomain.com.

Does SendGrid rotate DKIM keys?

SendGrid manages the DKIM keys on their end. Because the records are CNAMEs, SendGrid can update the underlying keys without requiring DNS changes from you.

Can I customize the DKIM selector for SendGrid?

Yes. During domain authentication setup, you can choose a custom selector prefix instead of the default s1/s2.

DMARCTest with our DMARC Checker →

How to Set Up DMARC for SendGrid

Publish a DMARC policy to protect your domain when using SendGrid, ensuring that spoofed email is handled according to your policy.

Quick Answer — The Record You Need

Type

TXT

Host / Name

_dmarc

Value

v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1

Ensure SendGrid domain authentication is complete (SPF + DKIM aligned) before enforcing DMARC.

Step-by-Step Setup

Complete SendGrid domain authentication

DMARC requires SPF or DKIM to pass with alignment. Complete SendGrid's domain authentication first, which sets up both SPF and DKIM with your domain.

Verify alignment

Send a test email through SendGrid and check the email headers. The DKIM d= domain and SPF envelope sender should match your From domain.

Create the DMARC record

Add a TXT record at _dmarc.yourdomain.com with your initial monitoring policy.

v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1

Monitor reports

Review DMARC aggregate reports for 2-4 weeks to confirm SendGrid emails are passing authentication.

Enforce the policy

After confirming alignment, move to p=quarantine and then p=reject.

DMARC Gotchas

SendGrid emails will only align with DMARC if you have completed domain authentication. Without it, the envelope sender and DKIM d= domain will be sendgrid.net, not your domain.
If you use SendGrid alongside other email providers, ensure all providers are authenticated before moving to p=reject.
SendGrid link tracking can affect DKIM alignment if not configured correctly. Ensure link branding is set up alongside domain authentication.

DMARC FAQ

Do I need DMARC if I use SendGrid domain authentication?

Yes. Domain authentication handles SPF and DKIM, but DMARC tells receivers what to do when those checks fail. DMARC is a separate DNS record that complements SPF and DKIM.

Why are my SendGrid emails failing DMARC?

The most common cause is incomplete domain authentication. Without it, SendGrid sends with its own domain in the envelope sender and DKIM signature, causing alignment failure.

Can I use DMARC with SendGrid's shared IP addresses?

Yes. DMARC relies on domain alignment, not IP addresses. As long as domain authentication is complete, DMARC works with both shared and dedicated IPs.

Verify Your SendGrid Setup

Once your SPF, DKIM, and DMARC records are in place, run a full domain scan to confirm everything is configured correctly. DNS changes typically propagate within minutes but can take up to 48 hours.

Setup Guides for Other Providers

Google Workspace Microsoft 365 Mailchimp Mailgun Amazon SES Postmark HubSpot Zendesk Zoho Mail Salesforce Brevo Constant Contact All Guides →