Publish a DMARC policy to protect your domain when using SendGrid, ensuring that spoofed email is handled according to your policy.
TXT
_dmarc
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1
Ensure SendGrid domain authentication is complete (SPF + DKIM aligned) before enforcing DMARC.
DMARC requires SPF or DKIM to pass with alignment. Complete SendGrid's domain authentication first, which sets up both SPF and DKIM with your domain.
Send a test email through SendGrid and check the email headers. The DKIM d= domain and SPF envelope sender should match your From domain.
Add a TXT record at _dmarc.yourdomain.com with your initial monitoring policy.
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1Review DMARC aggregate reports for 2-4 weeks to confirm SendGrid emails are passing authentication.
After confirming alignment, move to p=quarantine and then p=reject.
After adding your DNS records, use our free DMARC checker to verify everything is configured correctly. DNS changes typically propagate within minutes, but can take up to 48 hours.
Yes. Domain authentication handles SPF and DKIM, but DMARC tells receivers what to do when those checks fail. DMARC is a separate DNS record that complements SPF and DKIM.
The most common cause is incomplete domain authentication. Without it, SendGrid sends with its own domain in the envelope sender and DKIM signature, causing alignment failure.
Yes. DMARC relies on domain alignment, not IP addresses. As long as domain authentication is complete, DMARC works with both shared and dedicated IPs.