How to Set Up DMARC for SendGrid

Configure SPF, DKIM, and DMARC for SendGrid with automated security. Step-by-step domain authentication for Twilio SendGrid users.

By Verkh. Published April 9, 2025

Overview

This guide walks you through setting up email authentication for domains that send through SendGrid (now part of Twilio). By the end, you’ll have properly configured SPF, DKIM, and DMARC records that authenticate your outbound email and remove the “via sendgrid.net” warning.

SendGrid offers two authentication methods: Automated Security (recommended) using CNAME records, or manual setup using TXT records. This guide covers both approaches, with emphasis on the automated method.

What You’ll Configure

| Protocol | Purpose | SendGrid Method |
|---|---|---|
| SPF | Authorizes SendGrid to send email for your domain | CNAME (automated) or TXT (manual) |
| DKIM | Adds cryptographic signature to verify message integrity | CNAME records (s1 and s2 selectors) |
| DMARC | Tells receivers how to handle authentication failures | TXT record (you configure this) |

Prerequisites

Before you begin, make sure you have:

  • SendGrid account access with permission to manage Sender Authentication settings
  • DNS access to create CNAME and TXT records at your domain registrar or DNS provider
  • A verified sending domain in SendGrid (or you’ll verify it during this process)
  • About 30 minutes for initial setup, plus 24-48 hours for DNS propagation

Step 1: Start Domain Authentication in SendGrid

  1. Log in to your SendGrid dashboard
  2. Navigate to Settings → Sender Authentication
  3. Click Authenticate Your Domain (or Get Started if this is your first domain)
  4. Select your DNS host from the dropdown (Cloudflare, GoDaddy, AWS Route 53, etc.)
    • If your provider isn’t listed, select Other Host
  5. For “Would you also like to brand the links for this domain?” select No for now (you can add this later)
  6. Click Next

Step 2: Enter Your Domain

  1. Enter the domain you want to authenticate (e.g., example.com)
    • Use your root domain, not a subdomain
  2. Leave Use automated security enabled (recommended)
  3. Click Next

SendGrid will generate your DNS records.

Step 3: Configure DNS Records

SendGrid provides three CNAME records. Add all of them to your DNS.

Understanding the Records

With automated security enabled, you’ll receive records like these:

| Type | Host/Name | Value/Points To |
|---|---|---|
| CNAME | em1234.example.com | u12345678.wl123.sendgrid.net |
| CNAME | s1._domainkey.example.com | s1.domainkey.u12345678.wl123.sendgrid.net |
| CNAME | s2._domainkey.example.com | s2.domainkey.u12345678.wl123.sendgrid.net |

The first record handles SPF authentication via subdomain delegation. The s1 and s2 records are your DKIM selectors.

Adding Records to Common DNS Providers

Cloudflare:

  1. Go to your domain → DNS → Records
  2. Click Add record
  3. Select CNAME as the type
  4. Enter the host (without your domain, e.g., just em1234)
  5. Enter the target value
  6. Important: Turn OFF the orange proxy cloud (set to DNS only)
  7. Click Save
  8. Repeat for all three records

GoDaddy:

  1. Go to My Products → DNS
  2. Click Add under Records
  3. Select CNAME as the type
  4. Enter the host and target from SendGrid
  5. Set TTL to 1 hour
  6. Click Save

AWS Route 53:

  1. Go to your hosted zone
  2. Click Create record
  3. Enter the record name (subdomain portion only)
  4. Select CNAME as the type
  5. Enter the value from SendGrid
  6. Click Create records

Record Entry Tips

  • Some DNS providers automatically append your domain. If SendGrid shows em1234.example.com, you may only need to enter em1234
  • Remove any trailing dots if your provider adds them automatically
  • TTL of 3600 (1 hour) or lower is fine for initial setup

Step 4: Verify Domain Authentication

  1. Return to SendGrid’s domain authentication page
  2. Click Verify
  3. SendGrid will check your DNS records

If verification fails:

  • Wait 15-30 minutes for DNS propagation
  • Double-check record values for typos
  • Ensure proxy/CDN is disabled for CNAME records (Cloudflare users)
  • Try the I would like to verify later option and return in a few hours

Once verified, you’ll see green checkmarks next to each record. The “via sendgrid.net” warning will disappear from your emails within 24-48 hours.

Step 5: Set Up DMARC

SendGrid’s domain authentication handles SPF and DKIM. You still need to configure DMARC separately.

Create Your DMARC Record

Add a TXT record to your domain’s DNS:

| Type | Host/Name | Value |
|---|---|---|
| TXT | _dmarc | v=DMARC1; p=none; rua=mailto:[email protected] |

Replace [email protected] with an email address where you want to receive DMARC reports.

DMARC Policy Progression

Start with monitoring, then increase enforcement as you verify legitimate senders:

Week 1-2: Monitoring only

v=DMARC1; p=none; rua=mailto:[email protected]

Week 3-4: Quarantine 10% of failures

v=DMARC1; p=quarantine; pct=10; rua=mailto:[email protected]

Week 5-6: Quarantine all failures

v=DMARC1; p=quarantine; pct=100; rua=mailto:[email protected]

Week 7+: Reject all failures (full enforcement)

v=DMARC1; p=reject; rua=mailto:[email protected]

Manual Setup (Without Automated Security)

If your DNS provider doesn’t support underscores in CNAME records, or you prefer manual control, disable automated security during setup. SendGrid will provide:

  • 1 MX record for return path handling
  • 2 TXT records for DKIM (s1 and s2 selectors)

You’ll also need to add SendGrid to your SPF record manually:

If you have no existing SPF record:

v=spf1 include:sendgrid.net ~all

If you have an existing SPF record, add include:sendgrid.net before the ~all or -all:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

Note: With manual setup, you must update DNS records whenever SendGrid rotates DKIM keys or you add new IP addresses.

Using SendGrid with Multiple Domains

If you send from multiple domains through SendGrid:

  1. Authenticate each domain separately in SendGrid
  2. Each domain needs its own set of CNAME records
  3. Each domain needs its own DMARC record
  4. Consider using the same rua address to consolidate DMARC reports
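A record check for the DMARC Policy Progression stages and for the shared rua address suggested above, as an added example that is not part of the original guide or SendGrid's tooling. The report address dmarc-reports@example.com and the second domain example.org are constructed placeholders, and "external" is judged by comparing against the domain itself rather than a Public Suffix List.

```python
# Constructed sample: the page's rollout stages with a placeholder report address,
# plus a second domain (example.org) that reuses the same rua mailbox.
RECORDS = [
    ("example.com", "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"),
    ("example.com", "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc-reports@example.com"),
    ("example.com", "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"),
    ("example.org", "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"),
]


def parse_dmarc(value):
    """Split a DMARC TXT value into an ordered {tag: value} dict."""
    tags = {}
    for part in filter(str.strip, value.split(";")):
        name, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag {part.strip()!r}")
        tags[name.strip().lower()] = val.strip()
    return tags


def check_dmarc(domain, value):
    """Return (stage, problems, external_auth_names) for one domain's record."""
    tags, problems, external = parse_dmarc(value), [], []
    if next(iter(tags), "") != "v" or tags["v"] != "DMARC1":
        problems.append("record must begin with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        problems.append(f"invalid p={policy!r}")
    pct = tags.get("pct", "100")
    if not (pct.isdigit() and int(pct) <= 100):
        problems.append(f"invalid pct={pct!r}")
    if "rua" not in tags:
        problems.append("no rua tag: no aggregate reports will be sent")
    for uri in filter(None, map(str.strip, tags.get("rua", "").split(","))):
        if not uri.lower().startswith("mailto:") or "@" not in uri:
            problems.append(f"rua entry is not a mailto: address: {uri!r}")
            continue
        host = uri.rsplit("@", 1)[1].split("!")[0].lower()
        if host != domain and not host.endswith("." + domain):
            # RFC 7489 section 7.1: the receiving domain must publish a TXT
            # record "v=DMARC1" at this name to accept reports for `domain`.
            external.append(f"{domain}._report._dmarc.{host}")
    stage = policy if pct == "100" else f"{policy} at pct={pct}"
    return stage, problems, external


if __name__ == "__main__":
    for dom, rec in RECORDS:
        print(dom, check_dmarc(dom, rec))
```

For example.org the third element names the authorization record that example.com has to publish before receivers will deliver example.org's reports to the shared mailbox.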

Advanced: Custom Return Path

By default, SendGrid uses a subdomain like em1234.example.com for the return path (bounce handling). To customize this:

  1. During domain authentication, check Use custom return path
  2. Enter your preferred subdomain (e.g., mail or bounce)
  3. SendGrid will adjust the CNAME records accordingly

This is useful for branding consistency or if you need a specific subdomain for compliance reasons.

Verifying Your Configuration

After setup, verify everything is working:

Check SPF

Use a DNS lookup tool to query your subdomain:

dig txt em1234.example.com

You should see an SPF record in the response.

Check DKIM

Query your DKIM selectors:

dig cname s1._domainkey.example.com
dig cname s2._domainkey.example.com

Both should resolve to SendGrid’s servers.

Check DMARC

Query your DMARC record:

dig txt _dmarc.example.com

You should see your DMARC policy.

Send a Test Email

  1. Send an email from SendGrid to a Gmail or Yahoo account
  2. Open the email and view the original message headers
  3. Look for:
    • spf=pass
    • dkim=pass
    • dmarc=pass
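The header check in step 3, as an added example that is not part of the original guide: it parses an Authentication-Results header and reports whether each pass is for your domain, since SPF or DKIM passing for some other domain does not satisfy DMARC. Both sample headers are constructed, and alignment is approximated by a suffix match against the domain you pass in rather than a Public Suffix List.

```python
import re

# Constructed sample headers for illustration, not captured from real mail.
AUTHENTICATED = (
    "Authentication-Results: mx.google.com;"
    " dkim=pass header.i=@example.com header.s=s1;"
    " spf=pass (google.com: domain of bounces+1@em1234.example.com designates"
    " 192.0.2.10 as permitted sender) smtp.mailfrom=bounces+1@em1234.example.com;"
    " dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com"
)
UNALIGNED = (  # SPF and DKIM pass, but for a domain other than the From domain
    "Authentication-Results: mx.google.com;"
    " dkim=pass header.i=@sendgrid.net;"
    " spf=pass smtp.mailfrom=bounces+1@sendgrid.net;"
    " dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=example.com"
)


def parse_auth_results(header):
    """Return {method: [{"result": ..., property: value}, ...]}."""
    text = re.sub(r"\([^()]*\)", " ", header)   # drop parenthesised comments
    methods = {}
    for clause in text.split(";")[1:]:          # element 0 is the authserv-id
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].lower().split("=", 1)
        info = {"result": result}
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            info[key.lower()] = val.strip('"').lower()
        methods.setdefault(method, []).append(info)
    return methods


def aligned(identity, domain):
    """Relaxed alignment with `domain` (simplified: no Public Suffix List)."""
    host = identity.rsplit("@", 1)[-1]
    return host == domain or host.endswith("." + domain)


def check_test_email(header, domain):
    """Report whether each pass result is for `domain`, not just present."""
    results = parse_auth_results(header)
    def ok(method, *props):
        return any(r["result"] == "pass"
                   and any(aligned(r.get(p, ""), domain) for p in props)
                   for r in results.get(method, []))
    return {"spf_aligned": ok("spf", "smtp.mailfrom"),
            "dkim_aligned": ok("dkim", "header.d", "header.i"),
            "dmarc_pass": ok("dmarc", "header.from")}
```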

Troubleshooting

“Domain not verified” after adding records

  • DNS propagation can take up to 48 hours
  • Verify record values match exactly (no extra spaces or characters)
  • Check that CNAME proxy is disabled (Cloudflare users)
  • Some registrars cache DNS records; try clearing cache or waiting longer

Emails still show “via sendgrid.net”

  • Domain authentication may not be complete
  • Check SendGrid dashboard for verification status
  • Allow 24-48 hours after verification for the change to take effect

SPF PermError or too many lookups

If adding SendGrid causes you to exceed 10 SPF lookups:

  • Consider using an SPF flattening service
  • With automated security, SendGrid’s SPF is handled via subdomain delegation (doesn’t count against your limit)
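How the 10-lookup limit is counted, as an added example that is not part of the original guide: it walks a root SPF record and its includes and counts the terms that cost a DNS lookup under RFC 7208 (include, a, mx, ptr, exists, redirect). Every record in the sample zone is constructed, including the stand-in keyed sendgrid.net, and the .example hosts are hypothetical vendors.

```python
# Constructed zone data: every record below is a stand-in written for this
# example, including the one keyed "sendgrid.net" (not SendGrid's real record).
ZONE = {
    "spf.mailbox.example": "v=spf1 include:a.mailbox.example include:b.mailbox.example"
                           " include:c.mailbox.example ~all",
    "spf.crm.example": "v=spf1 a mx include:relay.crm.example -all",
    "sendgrid.net": "v=spf1 ip4:192.0.2.0/24 include:pool.esp.example ~all",
}
# Root record with manual setup, and the same root record with automated security.
MANUAL = ("v=spf1 mx include:spf.mailbox.example include:spf.crm.example"
          " include:sendgrid.net ~all")
AUTOMATED = "v=spf1 mx include:spf.mailbox.example include:spf.crm.example ~all"


def count_lookups(record, zone, path=()):
    """Count the terms in `record` that cost a DNS lookup (RFC 7208 limit: 10)."""
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?").lower()
        if term.startswith("redirect="):
            name, target = "include", term[len("redirect="):]
        else:
            name, _, target = term.partition(":")
            name = name.split("/")[0]            # "a/24" -> "a"
        if name not in ("include", "a", "mx", "ptr", "exists"):
            continue                             # ip4, ip6, all cost nothing
        total += 1
        if name == "include":
            if target in path:
                raise ValueError(f"SPF include loop at {target}")
            # Targets missing from `zone` are leaves not modelled in the sample.
            total += count_lookups(zone.get(target, "v=spf1"), zone, path + (target,))
    return total


def over_limit(record, zone, limit=10):
    """True when evaluating `record` would exceed the lookup limit."""
    return count_lookups(record, zone) > limit


if __name__ == "__main__":
    for label, rec in (("manual", MANUAL), ("automated", AUTOMATED)):
        print(label, count_lookups(rec, ZONE), over_limit(rec, ZONE))
```

In this sample the manual root record costs 11 lookups and the automated one 9, because the SendGrid include and everything nested under it leave the root record.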

DKIM signature not appearing

  • Ensure both s1 and s2 CNAME records are published
  • Verify records point to the correct SendGrid values
  • Wait for DNS propagation

DMARC reports show failures from SendGrid

  • Confirm domain authentication is verified in SendGrid
  • Check that you’re sending from the authenticated domain (not a subdomain)
  • Review if you have multiple sending sources that need authentication

What’s Next

Once your SendGrid domain authentication is complete:

  1. Monitor DMARC reports for 2-4 weeks to identify any legitimate senders you missed
  2. Gradually increase DMARC policy from p=none to p=quarantine to p=reject
  3. Authenticate other sending sources (your email provider, other ESPs, CRM systems)
  4. Set up DMARC report monitoring to track authentication rates and catch issues early

Need help monitoring your DMARC reports or coordinating with SendGrid support? Verkh provides guided remediation and vendor-ready reports.