SendGrid (now part of Twilio) is one of the most popular transactional and marketing email platforms. Whether you're using it for order confirmations, password resets, or marketing campaigns, proper email authentication is critical for deliverability.
SPF Configuration
SendGrid provides a straightforward SPF include for authorizing their sending infrastructure.
DNS Record:
Type: TXT
Host: @
Value: v=spf1 include:sendgrid.net ~all
If combining with other services:
v=spf1 include:_spf.google.com include:sendgrid.net ~all
Note: sendgrid.net nests one additional include (ab.sendgrid.net), consuming approximately 2 DNS lookups total. Verify with the SenderClarity SPF Checker.
DKIM Configuration
SendGrid uses automated DKIM setup through domain authentication (formerly "whitelabeling"). This process creates CNAME records that point to SendGrid's infrastructure, allowing them to manage key rotation automatically.
- In the SendGrid dashboard, go to Settings → Sender Authentication → Domain Authentication.
- Click Authenticate Your Domain.
- Select your DNS host and choose whether to brand the links and mail server.
- Enter your domain name.
- SendGrid will generate three CNAME records — two for DKIM and one for the return-path (envelope sender):
Type: CNAME
Host: s1._domainkey
Value: s1.domainkey.u12345678.wl123.sendgrid.net
Type: CNAME
Host: s2._domainkey
Value: s2.domainkey.u12345678.wl123.sendgrid.net
Type: CNAME
Host: em1234
Value: u12345678.wl123.sendgrid.net
The exact values will be unique to your account. Copy them from the SendGrid dashboard.
- Add the CNAME records to your DNS.
- Return to SendGrid and click Verify.
The third CNAME (the em record) handles return-path alignment for SPF. With this in place, SPF alignment will pass under DMARC even in relaxed mode.
DMARC Configuration
Start with monitoring mode:
Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:your-address@reports.senderclarity.com; fo=1
Progress to enforcement after confirming all legitimate sources pass in your DMARC reports:
p=quarantine; pct=25p=quarantine; pct=100p=reject
Verification
- Check your SPF record →
- Use SendGrid's built-in Email Activity Feed to confirm authentication results
- Send a test email and inspect headers for
spf=pass,dkim=pass,dmarc=pass - Review DMARC reports in SenderClarity for any alignment issues
Common Issues
SPF passes but DMARC fails: This usually means SPF alignment is failing. By default, SendGrid uses its own return-path domain (sendgrid.net), which won't align with your From domain. Completing domain authentication (step above) fixes this by creating a return-path CNAME under your domain.
DKIM shows as "not verified" in SendGrid: DNS propagation can take up to 48 hours. If verification still fails, check that your DNS provider didn't add your domain as a suffix to the CNAME host (e.g., s1._domainkey.yourdomain.com.yourdomain.com).
Multiple SendGrid accounts: If your organization uses separate SendGrid accounts for transactional and marketing email, each account requires its own domain authentication. The SPF include only needs to appear once in your DNS.
SPF Lookup Impact
| Include | Estimated Lookups |
|---|---|
sendgrid.net |
2 |