ESP guide

DMARC for SendGrid: domain authentication that actually aligns

SendGrid sends from sendgrid.net IPs by default and signs with d=sendgrid.net — neither aligns with your From: domain. You need to set up Domain Authentication so that SendGrid signs with d=yourdomain via CNAME-delegated DKIM.

TL;DR

  • Default SendGrid sends sign as d=sendgrid.net — DMARC fails alignment.
  • Set up Domain Authentication in Settings → Sender Authentication. Three CNAMEs to publish.
  • Use a subdomain (em####.yourdomain) so SendGrid's bounces don't pollute your apex's reputation.

What it does

SendGrid's Domain Authentication wires up two CNAMEs for DKIM (s1._domainkey and s2._domainkey at your sending subdomain) plus a bounce/return-path CNAME so the envelope-from aligns too. After this, both SPF (via the CNAME chain that resolves to SendGrid's SPF) and DKIM (signed with d=em####.yourdomain) align with your From: domain.

How it works

  1. In SendGrid: Settings → Sender Authentication → Domain Authentication. Click Get Started.

  2. Pick a subdomain you'll use as the sending zone. em1234 is SendGrid's default, but any short label works (newsletter, mail, notifications).

  3. SendGrid generates 3 CNAMEs: em####.yourdomain → u####.wl###.sendgrid.net, s1._domainkey.em####.yourdomain → s1.domainkey.u####.wl###.sendgrid.net, s2._domainkey.em####.yourdomain → s2.domainkey.u####.wl###.sendgrid.net.

  4. Publish all three in your DNS.

  5. Return to SendGrid and click Verify. SendGrid does a live DNS lookup; if all three resolve, the status flips to Verified.

  6. Switch your From: domain to em####.yourdomain or any subdomain of it. Test by sending one message and reading the Authentication-Results header on the received copy.
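To make the check in the last step repeatable, here is an added example (not SendGrid's code) that parses the Authentication-Results header of a received test message and evaluates DMARC identifier alignment the way a receiver would, in both relaxed and strict mode. The two headers are constructed samples with hypothetical domains; the organizational-domain rule is simplified to the last two labels rather than using the Public Suffix List.

```python
import re

# Constructed sample headers (hypothetical values), not captured from real mail.
# 1) Default SendGrid: envelope-from and DKIM d= are both sendgrid.net.
DEFAULT_SENDGRID = ("mx.example.net; spf=pass smtp.mailfrom=bounces+123@sendgrid.net; "
                    "dkim=pass header.d=sendgrid.net header.s=s1")
# 2) After Domain Authentication: both identifiers live under em1234.yourdomain.example.
AUTHENTICATED = ("mx.example.net; spf=pass smtp.mailfrom=bounces+123@em1234.yourdomain.example; "
                 "dkim=pass header.d=em1234.yourdomain.example header.s=s1")


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (real evaluators use the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """DMARC alignment: 's' needs an exact match, 'r' a shared organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def parse_auth_results(header: str) -> dict:
    """Pull the SPF and DKIM verdicts plus the identifier each was evaluated on."""
    out = {}
    m = re.search(r"spf=(\w+)\s+smtp\.mailfrom=(?:[^@\s;]+@)?([^\s;]+)", header)
    if m:
        out["spf"] = (m.group(1), m.group(2))      # (result, envelope-from domain)
    m = re.search(r"dkim=(\w+)\s+header\.d=([^\s;]+)", header)
    if m:
        out["dkim"] = (m.group(1), m.group(2))     # (result, d= domain)
    return out


def dmarc_result(header: str, from_domain: str, adkim: str = "r", aspf: str = "r") -> dict:
    """DMARC passes when at least one of SPF or DKIM both passed and aligns with From:."""
    r = parse_auth_results(header)
    spf, dkim = r.get("spf"), r.get("dkim")
    spf_ok = bool(spf) and spf[0] == "pass" and aligned(from_domain, spf[1], aspf)
    dkim_ok = bool(dkim) and dkim[0] == "pass" and aligned(from_domain, dkim[1], adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}


if __name__ == "__main__":
    # Unauthenticated send from the apex fails; authenticated subdomain send passes.
    print(dmarc_result(DEFAULT_SENDGRID, "yourdomain.example"))
    print(dmarc_result(AUTHENTICATED, "em1234.yourdomain.example", adkim="s", aspf="s"))
```

Note that with the default relaxed alignment an apex From: also aligns with d=em1234.yourdomain.example, which is why the pitfall below is about SendGrid not signing with your domain for apex sends, not about the subdomain itself.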

Common pitfalls

  • Publishing the CNAMEs but leaving From: as @yourdomain (apex). DKIM signing happens for em####.yourdomain only; sending from the apex still uses the unaligned d=sendgrid.net signature.

  • Using the same em#### subdomain for two SendGrid accounts. The CNAME chains conflict; one of the two will silently start sending unauthenticated.

  • Dedicated IPs without warming. SendGrid's shared IP reputation is generally fine; switching to a dedicated IP and blasting 50K mails on day one will land you in spam regardless of DMARC.

  • Link-tracking subdomain. SendGrid's click-tracking CNAME (url####.yourdomain) is a separate CNAME — if you forget to publish it, you'll see DMARC failures attributed to it.