Setup Guide

How to Set Up SPF, DKIM, and DMARC for SendGrid

SendGrid (now part of Twilio) is one of the most popular transactional and marketing email platforms. Whether you're using it for order confirmations, password resets, or marketing campaigns, proper email authentication is critical for deliverability.

SPF Configuration

SendGrid provides a straightforward SPF include for authorizing their sending infrastructure.

DNS Record:

Type:  TXT
Host:  @
Value: v=spf1 include:sendgrid.net ~all

If combining with other services:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

Note: sendgrid.net nests one additional include (ab.sendgrid.net), consuming approximately 2 DNS lookups total. Verify with the SenderClarity SPF Checker.

DKIM Configuration

SendGrid uses automated DKIM setup through domain authentication (formerly "whitelabeling"). This process creates CNAME records that point to SendGrid's infrastructure, allowing them to manage key rotation automatically.

  1. In the SendGrid dashboard, go to Settings → Sender Authentication → Domain Authentication.
  2. Click Authenticate Your Domain.
  3. Select your DNS host and choose whether to brand the links and mail server.
  4. Enter your domain name.
  5. SendGrid will generate three CNAME records — two for DKIM and one for the return-path (envelope sender):
Type:  CNAME
Host:  s1._domainkey
Value: s1.domainkey.u12345678.wl123.sendgrid.net

Type:  CNAME
Host:  s2._domainkey
Value: s2.domainkey.u12345678.wl123.sendgrid.net

Type:  CNAME
Host:  em1234
Value: u12345678.wl123.sendgrid.net

The exact values will be unique to your account. Copy them from the SendGrid dashboard.

  1. Add the CNAME records to your DNS.
  2. Return to SendGrid and click Verify.

The third CNAME (the em record) handles return-path alignment for SPF. With this in place, SPF alignment will pass under DMARC even in relaxed mode.

DMARC Configuration

Start with monitoring mode:

Type:  TXT
Host:  _dmarc
Value: v=DMARC1; p=none; rua=mailto:your-address@reports.senderclarity.com; fo=1

Progress to enforcement after confirming all legitimate sources pass in your DMARC reports:

  1. p=quarantine; pct=25
  2. p=quarantine; pct=100
  3. p=reject

DMARC Considerations for SendGrid

  • Domain authentication is the single most important step: SendGrid's domain authentication process (formerly "whitelabeling") sets up DKIM signing and a return-path CNAME in one workflow. Until you complete this, SendGrid uses sendgrid.net for both, and nothing will align with your domain under DMARC. The em CNAME record is not optional — it's what enables SPF alignment.

  • Automated subuser provisioning can create gaps: If your organization uses SendGrid subusers for different applications or teams, each subuser can be configured with its own domain authentication. An unauthenticated subuser sending as your domain will produce DMARC failures. Audit all subusers before moving to enforcement.

  • Link branding affects tracking, not DMARC: During SendGrid's domain authentication setup, you're asked about link branding. This only affects click-tracking URLs in your emails — it has no impact on SPF, DKIM, or DMARC alignment. Don't confuse these two features when troubleshooting authentication issues.

Verification

  • Check your SPF record →
  • Use SendGrid's built-in Email Activity Feed to confirm authentication results
  • Send a test email and inspect headers for spf=pass, dkim=pass, dmarc=pass
  • Review DMARC reports in SenderClarity for any alignment issues

Common Issues

SPF passes but DMARC fails: This usually means SPF alignment is failing. By default, SendGrid uses its own return-path domain (sendgrid.net), which won't align with your From domain. Completing domain authentication (step above) fixes this by creating a return-path CNAME under your domain.

DKIM shows as "not verified" in SendGrid: DNS propagation can take up to 48 hours. If verification still fails, check that your DNS provider didn't add your domain as a suffix to the CNAME host (e.g., s1._domainkey.yourdomain.com.yourdomain.com).

Multiple SendGrid accounts: If your organization uses separate SendGrid accounts for transactional and marketing email, each account requires its own domain authentication. The SPF include only needs to appear once in your DNS.

SPF Lookup Impact

Include Estimated Lookups
sendgrid.net 2