Twilio SendGrid SPF and DKIM setup
The CNAME records SendGrid's Domain Authentication generates, what each one actually does, and the DNS host trap that quietly breaks them.
What you are setting up
SendGrid (now Twilio SendGrid) sends your application and marketing mail. Its Domain Authentication flow sets up SPF and DKIM together using CNAME records, so that SendGrid signs with your domain and routes bounces through a subdomain of yours. Both halves then align, and your mail passes DMARC. You publish a handful of CNAMEs; SendGrid manages the actual keys behind them.
Run Domain Authentication
In SendGrid, go to Settings > Sender Authentication > Domain Authentication and click Get Started. Choose your DNS host, enter your sending domain, and leave Automated Security on (the default). SendGrid then generates three CNAME records:
Type: CNAME
Host: em1234.yourdomain.com (the mail / return-path subdomain)
Value: (copy the exact target SendGrid shows)

Type: CNAME
Host: s1._domainkey.yourdomain.com (DKIM)
Value: (copy the exact target SendGrid shows)

Type: CNAME
Host: s2._domainkey.yourdomain.com (DKIM)
Value: (copy the exact target SendGrid shows)
The em#### record provides an aligned return-path so SPF passes for your domain; the two s1 and s2 DKIM records let SendGrid sign as you and rotate keys without you touching DNS again. Copy the targets exactly as SendGrid shows them (they include account-specific numbers), then click Verify. Automated Security is what keeps the keys current, so leaving it on is the low-maintenance choice.
Want your tracked links and open-tracking images to come from your domain instead of sendgrid.net too? Set up Link Branding (Settings > Sender Authentication > Link Branding) as well. It is optional but good for deliverability, and it adds two more CNAMEs.
Add DMARC
Standard _dmarc TXT record, nothing SendGrid-specific. Start in monitor-only mode:
Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
SendGrid mail aligns under relaxed alignment (the default), so this record is all you need on the DMARC side. Build it with our DMARC builder and move past p=none once reports are clean.
The SendGrid gotcha
The classic SendGrid failure is the DNS host appending your domain to the record name. SendGrid even names the usual culprits: some hosts turn a CNAME for em1234.yourdomain.com into em1234.yourdomain.com.yourdomain.com. Enter only the host label your host expects, and check the saved record does not have your domain doubled on the end.
Two more things that bite. SendGrid's records use underscores (s1._domainkey), and a few DNS providers refuse underscores in CNAMEs; if yours does, you cannot use Automated Security and need the manual TXT path instead. And as general DNS advice (not a SendGrid-specific rule): if your DNS provider proxies records, such as Cloudflare's orange-cloud, set these CNAMEs to DNS-only so the proxy does not break resolution.
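A check for the doubled-domain and proxy problems described above, as an added example that is not SendGrid's or this site's code. It assumes you can export your saved records as fully-qualified names; the record dict layout and the sample zone are constructed for illustration, and it assumes Automated Security is on (so all three records are CNAMEs).

```python
import re

# Constructed sample: the return-path name was doubled by the DNS host,
# and the s1 DKIM CNAME was left proxied.
SAMPLE = [
    {"name": "em1234.yourdomain.com.yourdomain.com", "type": "CNAME", "proxied": False},
    {"name": "s1._domainkey.yourdomain.com", "type": "CNAME", "proxied": True},
    {"name": "s2._domainkey.yourdomain.com", "type": "CNAME", "proxied": False},
]

def lint_sendgrid_records(domain, records):
    """Return a sorted list of (name, problem) for the saved records.

    records: dicts with 'name' (FQDN as saved), 'type' and optional
    'proxied' (hypothetical export format, not a real provider's API).
    """
    domain = domain.lower().rstrip(".")
    doubled = f".{domain}.{domain}"
    # Labels Domain Authentication asks for: em#### return-path, s1/s2 DKIM.
    wanted = {
        "return-path": re.compile(r"^em\d+$"),
        "s1 DKIM": re.compile(r"^s1\._domainkey$"),
        "s2 DKIM": re.compile(r"^s2\._domainkey$"),
    }
    found, problems = set(), []
    for rec in records:
        name = rec["name"].lower().rstrip(".")
        if name.endswith(doubled):
            # The host appended the zone to an already-complete name.
            problems.append((name, "domain doubled on the end"))
            continue
        if rec["type"].upper() != "CNAME" or not name.endswith("." + domain):
            continue
        label = name[: -len(domain) - 1]
        for role, pattern in wanted.items():
            if pattern.match(label):
                found.add(role)
                if rec.get("proxied"):
                    problems.append((name, "proxied; set to DNS-only"))
    # A doubled record never counts as found, so it is also reported missing.
    for role in wanted:
        if role not in found:
            problems.append((domain, f"missing {role} CNAME"))
    return sorted(problems)
```

Run `lint_sendgrid_records("yourdomain.com", SAMPLE)` against your own export; an empty list means all three records are saved under the right names and none are proxied.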
Confirm it worked
- Verify in SendGrid. The Domain Authentication page should show your domain as verified once all the records resolve.
- Send a test and read the headers. Send through SendGrid, open the message, and confirm the DKIM signature shows d=yourdomain.com and dmarc=pass. Our header analyzer reads it back in plain English.
- Watch the reports. SendGrid should appear as an aligned, passing source in your DMARC aggregate reports. trustyourinbox labels it as a known sender so you can tell your SendGrid traffic apart from anything else sending as you.
Connect your DNS once and we publish the Twilio SendGrid records above in a single click, with a five-minute window to undo. Then we keep watching this sender in your DMARC reports and tell you the moment Twilio SendGrid mail starts failing, so a typo in a record never quietly costs you the inbox.
Last verified 2026-06-22.