Setting Up SendGrid Email Authentication

Complete guide to configuring SPF, DKIM, and DMARC for SendGrid transactional and marketing emails.

SendGrid is a popular transactional and marketing email service. This guide covers setting up SPF, DKIM, and DMARC for SendGrid.

Prerequisites

  • SendGrid account
  • Domain verified in SendGrid
  • Access to your domain's DNS settings
  • MailSentinel account for DMARC monitoring

Overview

SendGrid requires:

  1. SPF - Authorize SendGrid to send emails
  2. DKIM - Sign emails with SendGrid's keys
  3. DMARC - Monitor and enforce authentication

Step 1: Add Domain to SendGrid

  1. Log in to SendGrid Dashboard
  2. Go to Settings > Sender Authentication
  3. Click Authenticate Your Domain
  4. Enter your domain (e.g., example.com)
  5. Choose authentication method:
    • Domain Authentication (recommended)
    • Link Branding (for subdomains)

Step 2: Configure SPF for SendGrid

Get SendGrid SPF Include

SendGrid provides this SPF include:

include:sendgrid.net

Build Your SPF Record

If SendGrid is your only email service:

v=spf1 include:sendgrid.net -all

If you use other services (Google Workspace, etc.):

v=spf1 include:_spf.google.com include:sendgrid.net -all

Important: Only ONE SPF record per domain. Merge all includes into a single record.

Add SPF Record to DNS

DNS Record Details:

  • Type: TXT
  • Host: @ or leave blank (root domain)
  • Value: Your complete SPF record
  • TTL: 3600 (1 hour)

Verify SPF Setup

  1. In SendGrid dashboard, check domain status
  2. Use MailSentinel to verify SPF record
  3. Use MXToolbox SPF checker

Step 3: Configure DKIM for SendGrid

Get DKIM Records from SendGrid

SendGrid automatically generates DKIM keys:

  1. In SendGrid dashboard, go to Settings > Sender Authentication
  2. Find your authenticated domain
  3. Click View Details or Edit
  4. You'll see DKIM records like:
Host: s1._domainkey
Type: TXT
Value: k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...

Host: s2._domainkey
Type: TXT
Value: k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...

Add DKIM Records to DNS

For each DKIM record:

  1. Add TXT record to your DNS:

    • Host: s1._domainkey (or s2._domainkey)
    • Type: TXT
    • Value: The complete DKIM value provided by SendGrid
    • TTL: 3600
  2. Repeat for all DKIM selectors (usually 2)

Verify DKIM Setup

In SendGrid Dashboard:

  • Status should show "Verified" or green checkmark
  • May take 15-60 minutes to verify

Manual Verification:

  1. Send test email through SendGrid
  2. Check email headers
  3. Look for DKIM-Signature header
  4. Verify signature is valid

Step 4: Configure DMARC for SendGrid

Get Your MailSentinel Report Address

  1. Log in to MailSentinel
  2. Add your domain
  3. Go to Settings > DMARC Configuration
  4. Copy report address: your-org-id@reports.mailsentinel.io

Create DMARC Record

Starting with monitoring:

v=DMARC1; p=none; rua=mailto:your-org-id@reports.mailsentinel.io

After monitoring (quarantine):

v=DMARC1; p=quarantine; rua=mailto:your-org-id@reports.mailsentinel.io; adkim=r; aspf=r

Full protection:

v=DMARC1; p=reject; rua=mailto:your-org-id@reports.mailsentinel.io; ruf=mailto:your-org-id@forensic.mailsentinel.io; adkim=r; aspf=r

Add DMARC Record to DNS

DNS Record Details:

  • Type: TXT
  • Host: _dmarc
  • Value: Your complete DMARC record
  • TTL: 3600

Verify DMARC Setup

  1. Use MailSentinel to check DNS
  2. Verify DMARC record is detected
  3. Wait 24-48 hours for first reports
  4. Monitor in MailSentinel dashboard
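
A check you can run before publishing the record, as an added example in Python (not code from this guide, SendGrid or MailSentinel): it lints a DMARC record and lists the authorization TXT names that an external report receiver has to publish before mailbox providers will send it reports. The function name and the use of example.com are assumptions; "external" is approximated without a public-suffix lookup.

```python
# Constructed input: the "Full protection" record from this guide, published
# for the placeholder domain example.com.
SAMPLE_DOMAIN = "example.com"
SAMPLE_RECORD = ("v=DMARC1; p=reject; rua=mailto:your-org-id@reports.mailsentinel.io; "
                 "ruf=mailto:your-org-id@forensic.mailsentinel.io; adkim=r; aspf=r")

def check_dmarc(domain, record):
    """Return (findings, auth_names). auth_names are the TXT names an external
    report receiver must publish ("v=DMARC1") before receivers will send it
    reports for `domain` (RFC 7489 section 7.1)."""
    pairs = [[s.strip() for s in t.split("=", 1)]
             for t in record.split(";") if t.strip()]
    tags = {p[0].lower(): p[1] for p in pairs if len(p) == 2}
    findings, auth_names = [], []
    if not pairs or pairs[0] != ["v", "DMARC1"]:
        findings.append("v=DMARC1 must be the first tag")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        findings.append("p must be none, quarantine or reject")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") not in ("r", "s"):
            findings.append(f"{tag} must be r or s")
    if "rua" not in tags:
        findings.append("no rua tag: no aggregate reports will arrive")
    for tag in ("rua", "ruf"):
        for uri in (u.strip() for u in tags.get(tag, "").split(",")):
            if not uri:
                continue
            if not uri.lower().startswith("mailto:") or "@" not in uri:
                findings.append(f"{tag} entry is not a mailto: address: {uri}")
                continue
            host = uri.rpartition("@")[2].split("!")[0].lower()
            # Simplification: "external" means not the domain or a subdomain;
            # receivers compare organizational domains instead.
            if host != domain and not host.endswith("." + domain):
                name = f"{domain}._report._dmarc.{host}"
                if name not in auth_names:
                    auth_names.append(name)
    return findings, auth_names
```

Look up each returned name as a TXT record; if it is missing, receivers may silently withhold reports even though your own _dmarc record is correct.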

SendGrid-Specific Considerations

Domain Authentication:

  • Full domain authentication
  • Required for SPF/DKIM
  • Use for sending domain

Link Branding:

  • For click tracking links
  • Optional but recommended
  • Uses subdomain (e.g., click.example.com)

SendGrid IP Addresses

If you need to whitelist IPs:

  • SendGrid uses shared IP pools
  • Don't add individual IPs to SPF
  • Use include:sendgrid.net instead

SendGrid Subaccounts

If using subaccounts:

  • Each subaccount can use same domain
  • SPF/DKIM/DMARC apply to all
  • No additional configuration needed

SendGrid Webhooks

For DMARC monitoring:

  • SendGrid doesn't send DMARC reports
  • Use MailSentinel for DMARC monitoring
  • DMARC reports are generated by receiving mail servers, not by SendGrid

Common SendGrid Configurations

SendGrid Only

SPF:

v=spf1 include:sendgrid.net -all

DKIM: Configure in SendGrid dashboard

DMARC:

v=DMARC1; p=none; rua=mailto:your-org-id@reports.mailsentinel.io

SendGrid + Google Workspace

SPF:

v=spf1 include:_spf.google.com include:sendgrid.net -all

DKIM: Configure both Google Workspace and SendGrid DKIM

DMARC: Same as above, covers both services

SendGrid + Multiple Services

SPF:

v=spf1 include:_spf.google.com include:sendgrid.net include:servers.mcsv.net -all

DKIM: Configure for each service

DMARC: Single DMARC policy covers all

Troubleshooting SendGrid Issues

Issue 1: SPF Not Working

Symptoms:

  • Emails failing SPF check
  • SendGrid shows authentication errors

Solutions:

  1. Verify SPF record includes include:sendgrid.net
  2. Check only one SPF record exists
  3. Verify DNS propagation (wait 15-60 minutes)
  4. Use SPF checker to validate
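
The Step 2 rules and the checks above, as an added example in Python (not code from this guide, SendGrid or MailSentinel): it audits the TXT strings published at one name for a single merged record, the sendgrid.net include, SPF's DNS-lookup limit and the -all ending. The function name and the sample record sets are constructed for illustration.

```python
import re

# Terms that each cost one DNS lookup; SPF allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample TXT sets (not taken from a real zone).
SAMPLE_MERGED = ["site-verification=constructed-token",
                 "v=spf1 include:_spf.google.com include:sendgrid.net -all"]
SAMPLE_SPLIT = ["v=spf1 include:_spf.google.com -all",
                "v=spf1 include:sendgrid.net -all"]

def audit_spf(txt_records, required_include="sendgrid.net"):
    """Return findings for the TXT strings at one name; [] means clean."""
    spf = [r.strip() for r in txt_records
           if r.strip().lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        # Receivers treat more than one v=spf1 record as a permanent error.
        return [f"{len(spf)} SPF records found; merge them into one"]
    findings, lookups, includes, all_term = [], 0, [], None
    for term in spf[0].split()[1:]:
        bare = term.lstrip("+-~?").lower()
        name = re.split(r"[:/=]", bare, maxsplit=1)[0]
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "include":
            includes.append(bare.partition(":")[2])
        if name == "all":
            all_term = term.lower()
    if required_include not in includes:
        findings.append(f"missing include:{required_include}")
    if lookups > 10:
        # Top-level count only; lookups nested inside each include also count.
        findings.append(f"{lookups} lookup terms exceed the limit of 10")
    if all_term != "-all":
        findings.append(f"all term is {all_term or 'missing'}; this guide uses -all")
    return findings

if __name__ == "__main__":
    print(audit_spf(SAMPLE_MERGED), audit_spf(SAMPLE_SPLIT))
```

Feed it the TXT answers for your sending domain from any resolver; the split-record case is the one that most often appears after a second email service is added.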

Issue 2: DKIM Not Signing

Symptoms:

  • No DKIM signature in headers
  • SendGrid shows DKIM not verified

Solutions:

  1. Verify DKIM records are published in DNS
  2. Check selector matches SendGrid's expectation
  3. Wait for DNS propagation
  4. Verify domain is authenticated in SendGrid
  5. Check for typos in DNS records

Issue 3: DMARC Failures

Symptoms:

  • DMARC reports show failures
  • Emails going to spam

Solutions:

  1. Verify SPF alignment
  2. Verify DKIM alignment
  3. Check From: domain matches authenticated domain
  4. Review DMARC reports for details
  5. Fix underlying SPF/DKIM issues
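
The header check from Step 3's manual verification and the alignment checks above, as an added example in Python (not code from this guide or any vendor tool): it reads the Authentication-Results header stamped by your own receiving server and reports whether a passing DKIM or SPF result is aligned with the From: domain. The sample message, the authserv-id mx.receiver.example and the function names are constructed; relaxed alignment is approximated without a public-suffix lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; every hostname and value is illustrative.
SAMPLE = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.i=@example.com header.s=s1 header.d=example.com;
 spf=pass (sender permitted) smtp.mailfrom=bounces@em1234.example.com
From: Example Shop <orders@example.com>
Subject: constructed test message

body
"""

def aligned(auth_domain, from_domain, mode="r"):
    """adkim/aspf comparison. Relaxed mode is approximated here as 'same
    domain or parent/child'; real evaluators compare organizational domains."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return a == f or a.endswith("." + f) or f.endswith("." + a)

def dmarc_view(raw, authserv_id, adkim="r", aspf="r"):
    """Report which aligned passes the trusted receiver recorded."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    out = {"from": from_domain, "dkim": False, "spf": False}
    for header in msg.get_all("Authentication-Results", []):
        parts = re.sub(r"\([^)]*\)", "", header).split(";")  # drop (comments)
        if parts[0].split()[:1] != [authserv_id]:
            continue  # not stamped by our own receiver: a sender can forge it
        for clause in parts[1:]:
            m = re.match(r"\s*(dkim|spf)=(\w+)", clause)
            if not m or m.group(2) != "pass":
                continue
            method = m.group(1)
            prop = r"header\.d=(\S+)" if method == "dkim" else r"smtp\.mailfrom=(\S+)"
            found = re.search(prop, clause)
            if found:
                domain = found.group(1).rpartition("@")[2]
                mode = adkim if method == "dkim" else aspf
                out[method] = out[method] or aligned(domain, from_domain, mode)
    out["dmarc"] = out["dkim"] or out["spf"]  # one aligned pass is enough
    return out
```

A message can show dkim=pass and spf=pass and still fail DMARC when both passing domains belong to someone other than the From: domain, which is the case this function separates out.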

Issue 4: Domain Not Verifying

Symptoms:

  • SendGrid shows domain not verified
  • DNS records not detected

Solutions:

  1. Wait 15-60 minutes for DNS propagation
  2. Verify DNS records are at correct location
  3. Check for typos in records
  4. Ensure nameservers are correct
  5. Try removing and re-adding domain

Best Practices for SendGrid

1. Use Dedicated Subdomain

For Transactional Email:

  • Use subdomain like mail.example.com
  • Isolates reputation
  • Easier to manage

SPF for Subdomain:

mail.example.com  TXT  "v=spf1 include:sendgrid.net -all"

2. Monitor Authentication

Key Metrics:

  • SPF pass rate (target: 95%+)
  • DKIM pass rate (target: 95%+)
  • DMARC pass rate (target: 95%+)
  • Bounce rate (target: <5%)

3. Regular Audits

Quarterly Reviews:

  • Check SPF includes still needed
  • Verify DKIM keys are valid
  • Review DMARC reports
  • Update records as needed

4. Test Before Production

Before Going Live:

  • Send test emails
  • Verify authentication headers
  • Check DMARC passes
  • Test with multiple providers

5. Use MailSentinel for Monitoring

Benefits:

  • Centralized DMARC monitoring
  • Alerts for authentication failures
  • Detailed reporting
  • Progress tracking

SendGrid API Integration

Sending Emails via API

Authentication:

  • SendGrid API uses same domain authentication
  • SPF/DKIM/DMARC apply to API emails
  • No additional configuration needed

Webhook Configuration

For Bounce/Spam Tracking:

  • Configure SendGrid webhooks
  • Monitor bounce rates
  • Track spam complaints
  • Keep spam rate below 0.3%

Next Steps

After setting up SendGrid authentication:

  1. Monitor DMARC Reports - Track authentication status
  2. Set Up Alerts - Get notified of issues
  3. Review Best Practices - Optimize deliverability
  4. Troubleshoot Issues - Fix any problems
