How to Set Up SPF and DKIM for SendGrid
Start in SendGrid, not in an old blog post
One copied DNS value can make valid SendGrid mail fail authentication. Use the records generated inside your own SendGrid account, because the host names and targets are tied to that account.
Open SendGrid, go to Settings, Sender Authentication, then Authenticate Your Domain. Choose your DNS host and enter the root domain you send from, such as example.com. Twilio SendGrid says subdomains do not inherit authentication from the parent domain, so authenticate the domain that matches your visible From address.
Leave Automated Security on unless your DNS host cannot publish the CNAME records SendGrid needs. SendGrid says Automated Security is on by default and lets SendGrid manage DKIM signing and SPF authentication through CNAME records. The setup screen may also show a DMARC TXT record. If you already have DMARC, do not publish a second DMARC record at the same name. Update the existing one instead.
- Copy each DNS host and value exactly from SendGrid.
- Expect SendGrid CNAME records for the branded return path and DKIM. Default DKIM selectors are commonly s1 and s2, shown under _domainkey.
- If another SendGrid account already uses those selectors, use SendGrid's custom DKIM selector option instead of overwriting live DNS.
- Click Verify in SendGrid after publishing DNS. Twilio says DNS verification can take up to 48 hours.
Set SPF without breaking other mail
SPF checks the envelope sender, also called MAIL FROM or Return-Path. That is often different from the From address people see.
With SendGrid Automated Security on, SendGrid normally handles SPF for its return-path subdomain through the CNAME it asks you to publish. Do not add include:sendgrid.net to your root SPF record unless your SendGrid setup or support path specifically tells you to. Adding extra includes can push SPF over the lookup limit and can break mail from Google Workspace, Microsoft 365, or another sender that already uses the same domain.
- Keep one SPF TXT record at each host name. RFC 7208 says multiple selected SPF records cause a permerror.
- Merge real senders into one SPF record when several services use the same host.
- Stay within the RFC 7208 limit of 10 DNS-querying SPF terms, including include, a, mx, ptr, exists, and redirect.
- Use ~all while you are still finding senders. Use -all only after every real sender is known and passing.
- Do not change your company MX records for normal inbound mail. A SendGrid MX record belongs only on the return-path host when SendGrid shows one, usually when Automated Security is off.
Protocol source: RFC 7208.
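The lookup limit and the one-record rule above can be checked before you edit DNS. This is an added example, not SendGrid or InboxRadar code: it counts DNS-querying terms across nested includes and raises on duplicate SPF records. The zone data is constructed, and every host name in it, plus the helper names, are hypothetical.

```python
import re

LIMIT = 10  # RFC 7208 cap on DNS-querying terms per SPF evaluation
QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"^[+\-~?]?(?P<name>[a-z0-9]+)(?:[:=](?P<arg>[^/]+))?(?:/.*)?$", re.I)

class PermError(Exception):
    """Raised where RFC 7208 evaluation would return permerror."""

# Constructed TXT data standing in for live DNS; every name is hypothetical.
ZONE = {
    "example.com": ["v=spf1 include:_spf.mail-a.example "
                    "include:_spf.mail-b.example include:_spf.crm.example ~all"],
    "_spf.mail-a.example": ["v=spf1 include:_n1.mail-a.example "
                            "include:_n2.mail-a.example include:_n3.mail-a.example ~all"],
    "_n1.mail-a.example": ["v=spf1 ip4:192.0.2.0/26 ~all"],
    "_n2.mail-a.example": ["v=spf1 ip4:192.0.2.64/26 ~all"],
    "_n3.mail-a.example": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "_spf.mail-b.example": ["v=spf1 include:_n1.mail-b.example -all"],
    "_n1.mail-b.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_spf.crm.example": ["v=spf1 a mx exists:%{i}.allow.crm.example -all"],
    "_spf.esp.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
}

def spf_record(host, zone):
    """Return the single SPF record at host, or None; two or more is a permerror."""
    found = [t for t in zone.get(host, []) if t.lower().split(" ")[0] == "v=spf1"]
    if len(found) > 1:
        raise PermError(f"{host}: {len(found)} SPF records published")
    return found[0] if found else None

def count_lookups(host, zone, path=()):
    """Count DNS-querying terms reachable from host, following include and redirect."""
    if host in path:
        raise PermError(f"include loop at {host}")
    total = 0
    for term in (spf_record(host, zone) or "").split()[1:]:
        m = TERM.match(term)
        if not m or m["name"].lower() not in QUERYING:
            continue
        total += 1  # the term itself costs one lookup
        if m["name"].lower() in ("include", "redirect") and m["arg"]:
            total += count_lookups(m["arg"].lower(), zone, path + (host,))
    return total

def with_extra_include(zone, host, target):
    """Copy of zone with include:target added to host's SPF record."""
    return {**zone, host: [t.replace("v=spf1 ", f"v=spf1 include:{target} ", 1)
                           for t in zone[host]]}
```

In this constructed zone the root record already sits at the limit, so one more include at the root produces a permerror for every sender on the domain, not only the new one.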
Make DKIM pass for the From domain
DKIM signs the message with a private key. Receivers use the selector in the DKIM-Signature header to find the public key in DNS.
Publish both SendGrid DKIM records exactly as shown. With Automated Security, they are CNAME records that point to SendGrid-controlled DNS. That lets SendGrid rotate or manage keys without asking you to edit DNS each time. After verification, send a real message to Gmail or Outlook and read the Authentication-Results header. DKIM should pass, and the d= domain should be your domain or an aligned subdomain.
- Do not paste only the first DKIM record. SendGrid can use both selectors.
- Watch DNS hosts that append your domain automatically. A value saved as s1._domainkey.example.com.example.com will fail.
- Use a custom DKIM selector for a second SendGrid account on the same domain.
- If a provider asks for a DKIM key length, follow the provider's current docs. Google requires at least 1024-bit DKIM for mail to personal Gmail accounts and recommends 2048-bit keys when supported.
Protocol source: RFC 6376.
Add DMARC before judging inbox placement
SPF and DKIM authenticate the sending source. DMARC checks whether at least one of them passes and aligns with the visible From domain.
Publish DMARC as a TXT record at _dmarc.example.com. A safe first policy is v=DMARC1; p=none; rua=mailto:dmarc@example.com. That collects aggregate reports without asking receivers to quarantine or reject failed mail. After SendGrid and your other senders pass and align, move toward p=quarantine and then p=reject if that fits your risk tolerance.
Gmail's sender guidelines say all senders to personal Gmail accounts need SPF or DKIM, and senders above Google's bulk threshold need SPF, DKIM, and DMARC. Microsoft also tells internet senders to configure SPF, DKIM, and DMARC, and its Outlook.com high-volume sender guidance adds enforcement for large senders. Check the current Google sender guidelines and Microsoft email authentication guidance before a large SendGrid launch.
- Check alignment as a separate step. SPF can pass for a SendGrid return-path domain and still fail DMARC if it does not align.
- Review rua reports before raising the DMARC policy. They reveal forgotten apps and spoofed mail.
- Check blocklists if authentication is clean but mail still goes to spam. Gmail says shared IP reputation and blocklists can affect delivery.
- Run a free InboxRadar domain check after DNS publishes to review SPF, DKIM, DMARC, MX, and blocklist status in one pass.
Protocol source: RFC 7489.
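The alignment check described here, and the Authentication-Results reading from the DKIM section, can be scripted. This is an added example, not code from SendGrid or the original page: it parses a header value and reports whether SPF and DKIM both pass and align with the From domain. The sample headers are constructed, the function names are hypothetical, and the organizational-domain helper is a simplification that assumes a two-label domain.

```python
import re

# Constructed Authentication-Results values; all hosts and domains are hypothetical.
ALIGNED = ('mx.receiver.example; dkim=pass header.i=@example.com header.s=s1; '
           'spf=pass (domain of bounces+1@em1234.example.com designates 192.0.2.10 '
           'as permitted sender) smtp.mailfrom="bounces+1@em1234.example.com"')
UNALIGNED = ('mx.receiver.example; dkim=pass header.d=shared-esp.example header.s=s1; '
             'spf=pass smtp.mailfrom=bounces@shared-esp.example')
DKIM_ONLY = ('mx.receiver.example; dkim=pass header.d=example.com header.s=s2; '
             'spf=pass smtp.mailfrom=bounces@shared-esp.example')

DOMAIN = r'="?(?:[^\s"@]*@)?([\w.-]+)'   # optional quote and local part, then the domain
PROPS = {"spf": [r"smtp\.mailfrom"], "dkim": [r"header\.d", r"header\.i"]}

def org_domain(domain):
    """Naive organizational domain: last two labels. Assumption for this example;
    real evaluators use the Public Suffix List (needed for names like example.co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def auth_results(header):
    """Return {'spf': [(result, domain)], 'dkim': [...]} from a header value."""
    out = {"spf": [], "dkim": []}
    for clause in header.split(";"):
        clause = re.sub(r"\([^)]*\)", " ", clause)      # drop parenthesised comments
        m = re.search(r"\b(spf|dkim)=(\w+)", clause)
        if not m:
            continue
        hits = (re.search(p + DOMAIN, clause) for p in PROPS[m[1]])
        dom = next((h[1].lower() for h in hits if h), None)
        out[m[1]].append((m[2].lower(), dom))
    return out

def dmarc_alignment(from_domain, header, strict=False):
    """Report, per mechanism, whether it passed AND aligns with the From domain."""
    want = from_domain.lower() if strict else org_domain(from_domain)
    verdict = {}
    for mech, results in auth_results(header).items():
        verdict[mech] = any(
            res == "pass" and dom and (dom if strict else org_domain(dom)) == want
            for res, dom in results)
    verdict["dmarc"] = verdict["spf"] or verdict["dkim"]
    return verdict
```

UNALIGNED is the case to watch for: both mechanisms report pass, yet neither domain matches example.com, so DMARC fails.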
Common SendGrid setup questions
Do I need include:sendgrid.net in my root SPF record?
Usually no when Automated Security is on. SendGrid authenticates SPF for its return path with the CNAME records it gives you. If your account shows a manual SPF TXT record, use that value at the exact host SendGrid names.
Why does SendGrid give me two DKIM records?
They are two selectors. Publish both so SendGrid can sign and manage keys without leaving you dependent on one DNS value.
Should DMARC start at reject?
Start with p=none unless you already know every real sender passes and aligns. Use reports first, then move to quarantine or reject.
Can SPF, DKIM, and DMARC guarantee the inbox?
No. They are required basics. Gmail and Outlook also weigh complaints, consent, list quality, content, rate spikes, IP and domain reputation, reverse DNS, and blocklists.