
SendGrid SPF, DKIM & DMARC Setup Guide

Set up email authentication for SendGrid. SPF include: sendgrid.net. Uses 1 DNS lookup. Step-by-step DKIM and DMARC configuration.

Last updated Feb 27, 2026

SPF Configuration

include:sendgrid.net
DNS Lookup Budget: 1 / 10

Each include, a, mx, and redirect costs a DNS lookup. SPF allows a maximum of 10.

This provider uses 1 of your 10 DNS lookups.

DKIM Configuration

Selector(s): s1, s2
Key Type: 2048-bit RSA
Setup: SendGrid Dashboard > Settings > Sender Authentication > Authenticate Your Domain

Setup steps may change — refer to SendGrid's current documentation for the latest instructions.

DMARC Alignment

Alignment Mode: relaxed
Notes: SendGrid supports custom return-path for SPF alignment. DKIM alignment requires domain authentication.

Common Issues

  • DMARC alignment failure — SendGrid sending from sendgrid.net instead of your domain
  • SPF PermError — too many lookups after adding SendGrid to existing record
  • Emails going to spam despite valid SPF — missing DKIM domain authentication

Overview

SendGrid (now part of Twilio) is one of the most popular transactional email platforms, handling billions of messages per month. Since Twilio's acquisition, the service is sometimes referenced as Twilio SendGrid in documentation and billing — the email infrastructure is the same regardless of which name you see. Its SPF record uses include:sendgrid.net, costing 1 DNS lookup. SendGrid is commonly paired with a primary email platform like Google Workspace or Microsoft 365, meaning its lookup cost stacks on top of whatever your business email already uses.

DKIM in SendGrid is configured through the Sender Authentication flow in the dashboard. SendGrid uses two selectors (s1 and s2) with 2048-bit RSA keys. The setup process asks you to publish three CNAME records — two for DKIM and one for the custom return-path (which enables SPF alignment with your domain rather than sendgrid.net).

DMARC alignment requires completing SendGrid's domain authentication process. Without it, messages are sent with a sendgrid.net return-path and signed with SendGrid's DKIM domain, causing alignment failures on both SPF and DKIM. This is the single most common misconfiguration with SendGrid.

Additional Setup Notes

Domain Authentication CNAME Records

SendGrid's domain authentication process creates CNAME records that delegate DKIM signing to SendGrid's infrastructure. The records follow the pattern s1._domainkey.yourdomain.com pointing to s1.domainkey.uXXXXXX.wl.sendgrid.net (where uXXXXXX is your SendGrid account ID). This lets SendGrid sign messages on your behalf while you maintain DNS control.

The third CNAME record handles the custom return-path, typically pointing a subdomain like em1234.yourdomain.com to a SendGrid bounce processing domain. All three records must be published before SendGrid considers domain authentication complete. If even one record is missing or incorrect, the authentication status in the dashboard will show as pending.

Lookup Budget and SPF Flattening

If you're using SendGrid alongside other email services and approaching the 10-lookup limit, consider SPF flattening. SendGrid's include:sendgrid.net resolves to additional nested lookups during SPF evaluation. Managed SPF can flatten these into direct IP references, freeing up lookup budget for other providers.
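To see how the budget from the SPF Configuration section and the nested lookups described here add up, the following added example (not code from this page or from SendGrid) walks an SPF record recursively and counts every lookup-costing term against a constructed, offline DNS map. The domain names, the nested sendgrid include and the RFC 5737 IP ranges are assumptions for illustration, not the providers' real records.

```python
import re

# Constructed, offline stand-in for DNS TXT answers. Every record and IP
# range (RFC 5737 documentation space) below is made up for this example;
# none of it is SendGrid's or Google's real SPF data.
FAKE_DNS = {
    "example.com": "v=spf1 mx include:_spf.google.com include:sendgrid.net -all",
    "_spf.google.com": ("v=spf1 include:_netblocks.google.com "
                        "include:_netblocks2.google.com include:_netblocks3.google.com ~all"),
    "_netblocks.google.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_netblocks2.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_netblocks3.google.com": "v=spf1 ip4:203.0.113.0/24 ~all",
    "sendgrid.net": "v=spf1 ip4:192.0.2.128/25 include:_spf.sendgrid.example ~all",
    "_spf.sendgrid.example": "v=spf1 ip4:203.0.113.64/26 ~all",
}

# Terms that each cost one DNS lookup against RFC 7208's limit of 10
# (the guide lists include, a, mx and redirect; ptr and exists count too).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=/](.*))?$", re.I)


def spf_lookups(domain, resolve=FAKE_DNS.get, _path=()):
    """Return (lookup_count, trace) for the SPF record at `domain`, following
    include: and redirect= recursively, the way an SPF evaluator does."""
    if domain in _path:                  # include loop: an evaluator raises PermError
        return 0, [f"loop at {domain}"]
    record = resolve(domain)
    if record is None:                   # missing record: the lookup was still spent
        return 0, [f"{domain}: no SPF record"]
    count, trace = 0, []
    for term in record.split()[1:]:      # skip the v=spf1 version tag
        m = TERM_RE.match(term)
        if not m or m.group(1).lower() not in LOOKUP_TERMS:
            continue                     # ip4:, ip6:, all, etc. cost nothing
        count += 1
        trace.append(f"{domain}: {term}")
        name, target = m.group(1).lower(), m.group(2)
        if name in ("include", "redirect") and target:
            sub_count, sub_trace = spf_lookups(target, resolve, _path + (domain,))
            count += sub_count
            trace.extend(sub_trace)
    return count, trace


def check_budget(domain, resolve=FAKE_DNS.get, limit=10):
    """Summarise whether the record at `domain` stays within the lookup limit."""
    count, trace = spf_lookups(domain, resolve)
    return {"lookups": count, "within_budget": count <= limit, "trace": trace}
```

With the constructed records, check_budget("example.com") reports 7 lookups: 1 for mx, 4 for the Google Workspace tree and 2 for the SendGrid tree, so the trace shows exactly where a PermError would come from if another provider were added. Point resolve at a real TXT resolver to run it against live DNS.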

Dedicated IPs vs. Shared IPs

For high-volume senders, SendGrid also supports dedicated IP addresses. When using dedicated IPs, you can add them directly to your SPF record with ip4: mechanisms instead of the include:, which saves a DNS lookup — though you'll need to update the record if the IP changes. Dedicated IPs also give you full control over your sending reputation, which matters for deliverability at scale.

Shared IP senders (the default for most Twilio SendGrid plans) must use the include:sendgrid.net mechanism because the sending IP pool can change. The trade-off is one lookup spent, but you don't need to track IP assignments.

Subuser and Multi-Brand Configuration

SendGrid subusers (available on Pro and Premier plans) can authenticate separate domains, each with their own set of CNAME records. This is useful for organizations that send from multiple brands or domains through a single SendGrid account. Each authenticated domain requires its own three CNAME records, and each domain's include:sendgrid.net SPF entry covers all subusers — you don't need multiple SPF includes for multiple subusers.

If you're using Twilio SendGrid's subuser feature to separate transactional and marketing sends, both subusers share the same SPF include. You only need include:sendgrid.net once in your SPF record regardless of how many subusers send from that domain.

Troubleshooting

DMARC Alignment Failures After Setup

The most frequent issue with SendGrid is DMARC alignment failure despite having a valid SPF record. This happens when domain authentication is incomplete — specifically, when the custom return-path CNAME is missing or unverified. The SPF check may pass against sendgrid.net, but DMARC alignment requires the return-path domain to match the From header domain.

To verify alignment is working:

  1. Send a test message to an address you control.
  2. View the full message headers.
  3. Check the Return-Path header — it should contain your domain (e.g., bounces@em1234.yourdomain.com), not sendgrid.net.
  4. Check the DKIM-Signature header — the d= value should be your domain.

If either shows SendGrid's domain instead of yours, domain authentication is not complete.
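The header check in steps 3 and 4 can be automated. This added example (not SendGrid's tooling or code from this page) parses constructed message headers and applies relaxed or strict DMARC identifier alignment to the Return-Path and DKIM d= domains; the em1234 subdomain, bounce address and DKIM values are placeholders, and the organizational domain is approximated as the last two labels.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed message headers; the em1234 subdomain, the bounce address and
# the DKIM b=/bh= values are placeholders, not output from a real SendGrid send.
ALIGNED_MSG = """\
Return-Path: <bounces+123-abc@em1234.yourdomain.com>
From: "Billing" <billing@yourdomain.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.com; s=s1;
 h=from:to:subject; bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIGNATURE==
Subject: Receipt

Thanks for your order.
"""

# The same message as it looks when domain authentication was never completed.
UNALIGNED_MSG = ALIGNED_MSG.replace(
    "bounces+123-abc@em1234.yourdomain.com", "bounces+123-abc@sendgrid.net"
).replace("d=yourdomain.com", "d=sendgrid.net")


def org_domain(host):
    """Simplified organizational domain (last two labels). A real DMARC
    evaluator consults the Public Suffix List, so example.co.uk would differ."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def dkim_tag(signature, tag):
    """Pull one tag (e.g. d=) out of a possibly folded DKIM-Signature header."""
    for part in signature.replace("\r", "").replace("\n", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key.strip() == tag:
            return value.strip()
    return ""


def check_alignment(raw_message, mode="relaxed"):
    """Report SPF and DKIM identifier alignment as DMARC would judge them."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    return_path_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    dkim_domain = dkim_tag(msg.get("DKIM-Signature", ""), "d")

    def aligned(domain):
        if not domain:
            return False
        if mode == "strict":
            return domain.lower() == from_domain.lower()
        return org_domain(domain) == org_domain(from_domain)

    return {"from": from_domain, "return_path": return_path_domain, "dkim_d": dkim_domain,
            "spf_aligned": aligned(return_path_domain), "dkim_aligned": aligned(dkim_domain)}
```

Under relaxed alignment (SendGrid's mode, above) the em1234 subdomain passes; under strict alignment the same Return-Path fails, which is why a DMARC record with aspf=s would break SendGrid's custom return-path.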

DNS Propagation Delays

After publishing the three CNAME records, SendGrid's dashboard may show "Pending" for several hours. SendGrid periodically checks for the records, but the check isn't instant. If the status hasn't updated after 48 hours:

  • Verify the CNAME records with a DNS lookup tool. Confirm the name and target match exactly what SendGrid provided.
  • Check for trailing dots in the CNAME target — some DNS providers add them automatically, others require you to include them.
  • Ensure Cloudflare proxy mode is off (grey cloud) for all three CNAME records. Proxied CNAMEs break SendGrid's verification.

Emails Landing in Spam Despite Valid Authentication

If SPF, DKIM, and DMARC all pass but messages still land in spam, the issue is likely reputation rather than authentication. Common causes:

  • New IP warming — Dedicated IP addresses need a gradual ramp-up period. Sending high volume immediately on a new IP triggers spam filters.
  • Content triggers — Authentication proves identity, not intent. Spam filters still evaluate content, links, and sending patterns.
  • List hygiene — High bounce rates and spam complaints damage sender reputation regardless of authentication status.

Migrating Between SendGrid Plans

When upgrading or downgrading your Twilio SendGrid plan, your domain authentication records remain valid. The CNAME records don't change between plan tiers. However, if you switch from shared IPs to dedicated IPs (or vice versa), your SPF strategy should change accordingly — dedicated IPs can use ip4: mechanisms, while shared IPs require the include:sendgrid.net directive.

If you're migrating from a legacy SendGrid account (pre-Twilio acquisition) to a new Twilio SendGrid account, you'll need to re-authenticate your domain with fresh CNAME records. The old account's records won't work with the new account ID.
