SPF, DKIM, and DMARC for SendGrid: complete setup guide
A complete walkthrough for authenticating SendGrid so it signs as your domain instead of sendgrid.net. SendGrid's Domain Authentication wizard sets up CNAME-delegated DKIM and the return-path that makes SPF align too; DMARC ties it together.
TL;DR
1. SPF: SendGrid does not use a manual SPF include. Its return-path CNAME makes the envelope-from resolve to SendGrid's SPF automatically.
2. DKIM: run Domain Authentication in Settings -> Sender Authentication and publish the CNAMEs SendGrid generates (DKIM s1/s2 plus a return-path), or mail signs with d=sendgrid.net and never aligns.
3. DMARC: start at p=none with rua, watch reports, then ramp to p=quarantine and p=reject.
What it does
This guide authenticates SendGrid against your domain. By default SendGrid sends from sendgrid.net IPs and signs with d=sendgrid.net, so neither SPF nor DKIM aligns with your From and DMARC fails. Domain Authentication fixes both at once.
SendGrid's Domain Authentication wires up two CNAMEs for DKIM (s1._domainkey and s2._domainkey at your chosen sending subdomain) plus a bounce/return-path CNAME so the envelope-from is under your domain. After this, both SPF (via the return-path CNAME chain that resolves to SendGrid's SPF) and DKIM (signed with d=em####.yourdomain) align with your From: domain.
Step 1: Set up SPF for SendGrid
SendGrid does not ask you to add include:sendgrid.net to your apex SPF. Instead, the Domain Authentication wizard publishes a return-path (bounce) CNAME on your sending subdomain, so the envelope-from domain resolves to SendGrid's own SPF and SPF aligns through the subdomain.
1. Do not manually add a SendGrid include to your apex SPF record. SendGrid handles SPF through the return-path CNAME below.
2. If you already published include:sendgrid.net at the apex from an older setup, you can remove it once Domain Authentication is verified, to save a lookup.
3. Keep your existing apex SPF for your other senders (for example your mailbox provider). SendGrid's path is on the sending subdomain, not the apex.
Because SPF alignment runs through the sending subdomain's return-path CNAME, DKIM is the more important of the two to get right. DMARC passes as long as DKIM aligns even if SPF does not.
Step 2: Set up DKIM for SendGrid
SendGrid uses CNAME-delegated DKIM with two selectors (s1 and s2) under a sending subdomain. You do not paste a key; you publish CNAMEs that point at SendGrid-hosted records, and SendGrid signs on every send. The CNAME targets are account-specific.
Selector: s1._domainkey and s2._domainkey, under your sending subdomain (em####)
1. In SendGrid, go to Settings -> Sender Authentication -> Authenticate Your Domain, and click Get Started. (Confirm the current menu labels in your SendGrid dashboard.)
2. Pick a sending subdomain. SendGrid defaults to em#### but any short label works (mail, news, notifications). This subdomain keeps SendGrid's bounce reputation off your apex.
3. SendGrid generates the CNAMEs, including s1._domainkey.em####.yourdomain and s2._domainkey.em####.yourdomain, each pointing at a sN.domainkey.u<account-id>.wl<id>.sendgrid.net target unique to your account.
4. Publish all of the CNAMEs SendGrid shows (the two DKIM selectors, the return-path, and the link-branding CNAME if offered).
5. Return to SendGrid and click Verify. It does a live DNS lookup; the status flips to verified when the records resolve.
6. Set your From: to the sending subdomain (or a sub of it) and verify with the DKIM checker against s1._domainkey.em####.yourdomain.
The u<account-id>.wl<id> suffix is unique to your SendGrid account; copy the exact targets the wizard shows. Sending from the apex (@yourdomain) instead of the sending subdomain uses the unaligned d=sendgrid.net signature.
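The alignment logic behind Steps 1 and 2, as an added example (not SendGrid's code or part of the original guide): it reads the From: header and a receiver's Authentication-Results header and reports whether DKIM and SPF align for DMARC. The sample headers, example.com, em1234 and mx.receiver.test are constructed, and the organizational-domain rule is a simplifying assumption.

```python
import re

def org_domain(domain):
    # Assumption: organizational domain = last two labels. A production
    # check must consult the Public Suffix List (e.g. for .co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    # Relaxed alignment compares organizational domains; strict needs an exact match.
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_eval(from_header, auth_results, strict=False):
    """DMARC passes when at least one *passing* mechanism is also aligned."""
    from_domain = re.search(r"@([\w.-]+)", from_header).group(1)
    dkim = re.findall(r"dkim=(\w+)[^;]*?header\.d=([\w.-]+)", auth_results)
    spf = re.findall(r"spf=(\w+)[^;]*?smtp\.mailfrom=(?:[^@\s;]*@)?([\w.-]+)", auth_results)
    dkim_ok = any(r == "pass" and aligned(d, from_domain, strict) for r, d in dkim)
    spf_ok = any(r == "pass" and aligned(d, from_domain, strict) for r, d in spf)
    return {"dkim_aligned": dkim_ok, "spf_aligned": spf_ok, "dmarc_pass": dkim_ok or spf_ok}

# Constructed sample headers (From:, Authentication-Results:) for three situations.
SAMPLES = {
    "default": ("Shop <news@example.com>",
                "mx.receiver.test; dkim=pass header.d=sendgrid.net; "
                "spf=pass smtp.mailfrom=bounces@sendgrid.net"),
    "authenticated": ("Shop <news@em1234.example.com>",
                      "mx.receiver.test; dkim=pass header.d=em1234.example.com header.s=s1; "
                      "spf=pass smtp.mailfrom=bounces@em1234.example.com"),
    "dkim_only": ("Shop <news@em1234.example.com>",
                  "mx.receiver.test; dkim=pass header.d=em1234.example.com header.s=s1; "
                  "spf=pass smtp.mailfrom=bounces@sendgrid.net"),
}

if __name__ == "__main__":
    for name, (from_header, auth_results) in SAMPLES.items():
        print(name, dmarc_eval(from_header, auth_results))
```

Only evaluate an Authentication-Results header that your own receiving server added; one that arrived with the message is sender-controlled.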
Step 3: Publish DMARC
1. With Domain Authentication verified and DKIM aligning, publish your DMARC record at _dmarc.yourdomain. Start at p=none so receivers report but take no action.
2. Add a rua address to collect daily aggregate reports.
3. Watch the reports for a couple of weeks. Confirm SendGrid mail (and your other senders) is passing and aligned.
4. Move to p=quarantine, then p=reject once the only remaining failures are unknown or spoofed sources. See the DMARC rollout playbook for the full ramp.
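One way to do the report-watching in steps 3 and 4, as an added example that is not part of the original guide: it summarizes a DMARC aggregate (rua) report by From domain, DKIM signer and source IP, then lists failures signed by your own senders, which are the ones to fix before tightening the policy. The report is constructed, uses documentation IP ranges, and is assumed to carry no XML namespace.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report in the RFC 7489 Appendix C layout.
# Real reports come from third parties: parse them with defusedxml in production.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>em1234.example.com</header_from></identifiers>
    <auth_results><dkim><domain>em1234.example.com</domain><result>pass</result></dkim>
      <spf><domain>em1234.example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>sendgrid.net</domain><result>pass</result></dkim>
      <spf><domain>sendgrid.net</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""

def summarize(xml_text):
    """Message counts per (header_from, DKIM signer, source IP), split by DMARC outcome."""
    stats = defaultdict(lambda: {"pass": 0, "fail": 0})
    for rec in ET.fromstring(xml_text).iter("record"):
        count = int(rec.findtext("row/count"))
        pe = rec.find("row/policy_evaluated")  # aligned results, not raw SPF/DKIM
        ok = "pass" in (pe.findtext("dkim"), pe.findtext("spf"))
        signer = rec.findtext("auth_results/dkim/domain", default="(unsigned)")
        key = (rec.findtext("identifiers/header_from"), signer, rec.findtext("row/source_ip"))
        stats[key]["pass" if ok else "fail"] += count
    return dict(stats)

def needs_fixing(stats, sender_domains):
    """Failing rows signed by one of your own senders: misconfiguration, not spoofing."""
    def ours(domain):
        return any(domain == s or domain.endswith("." + s) for s in sender_domains)
    return {k: v["fail"] for k, v in stats.items() if v["fail"] and ours(k[1])}

if __name__ == "__main__":
    print(needs_fixing(summarize(SAMPLE_REPORT), ["sendgrid.net"]))
```

The second record is the apex pitfall: raw DKIM and SPF both pass for sendgrid.net, but neither aligns with From: example.com, so DMARC fails.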
Example record
Common pitfalls
- Publishing the CNAMEs but leaving From: as @yourdomain (apex). DKIM signing happens for em####.yourdomain only; sending from the apex still uses the unaligned d=sendgrid.net signature.
- Using the same em#### subdomain for two SendGrid accounts. The CNAME chains conflict; one of the two will silently start sending unauthenticated.
- Dedicated IPs without warming. SendGrid's shared IP reputation is generally fine; switching to a dedicated IP and blasting 50K mails on day one will land you in spam regardless of DMARC.
- Link-tracking subdomain. SendGrid's click-tracking CNAME (url####.yourdomain) is a separate CNAME. If you forget it, you'll see DMARC failures attributed to it.
FAQ
Why does SendGrid fail DMARC by default?
Out of the box SendGrid signs with d=sendgrid.net and sends from sendgrid.net IPs, so neither DKIM nor SPF aligns with your From domain. Run Domain Authentication in Settings -> Sender Authentication and publish the CNAMEs it generates so SendGrid signs as your domain.
Do I need to add SendGrid to my SPF record?
No. SendGrid's Domain Authentication publishes a return-path CNAME on your sending subdomain, which makes the envelope-from resolve to SendGrid's own SPF and aligns SPF through that subdomain. You do not add an include to your apex SPF.
What DKIM selectors does SendGrid use?
Two selectors, s1._domainkey and s2._domainkey, published under your sending subdomain (em#### by default) as CNAMEs pointing at account-specific sendgrid.net targets. Copy the exact targets the wizard shows.
Should I send from the apex or a subdomain with SendGrid?
Send from the authenticated sending subdomain (em####.yourdomain or a sub of it). DKIM signing only happens for that subdomain, and sending from the apex falls back to the unaligned d=sendgrid.net signature.