How to Set Up DMARC for SendGrid: Configuration and Alignment Guide
Configure DMARC for SendGrid with proper SPF and DKIM alignment. Covers domain authentication, custom return paths, and troubleshooting.
Last updated: 2026-01-28
SendGrid is one of the most popular transactional and marketing email platforms, used by businesses of all sizes to send everything from password resets to promotional campaigns. If you send email through SendGrid using your own domain, setting up DMARC is essential for protecting your sender reputation and meeting the authentication requirements that major inbox providers now enforce.
This guide covers DMARC configuration specifically for SendGrid users, with a focus on the alignment details that make or break your DMARC results.
How SendGrid Handles Email Authentication
Before diving into DMARC, it helps to understand how SendGrid authenticates email. SendGrid offers a feature called Domain Authentication (previously called "Whitelabeling") that sets up both SPF and DKIM for your sending domain.
SendGrid's Domain Authentication
When you authenticate a domain in SendGrid, the platform provides a set of DNS records to add to your domain. These typically include:
CNAME records for DKIM. SendGrid gives you two CNAME records that point to SendGrid's DKIM keys. When you publish these in your DNS, SendGrid can sign outgoing messages with DKIM using your domain name. This is critical for DMARC alignment.
A CNAME record for SPF (automated security). SendGrid's domain authentication also creates an SPF mechanism through a subdomain like em1234.yourdomain.com. This subdomain is used as the envelope sender (the Return-Path address), and it points to SendGrid's SPF records via CNAME. When a receiving server checks SPF, it looks up this subdomain and finds SendGrid's authorized IP addresses.
Link branding records. SendGrid also offers link branding, which replaces tracking links in your emails with your domain instead of SendGrid's. While this does not directly affect DMARC, it improves trust signals and click-through rates.
SendGrid's domain authentication is the foundation for DMARC compliance. If you have not completed domain authentication in SendGrid, do that first. Go to Settings > Sender Authentication in your SendGrid dashboard.
Understanding SPF and DKIM Alignment with SendGrid
DMARC requires that at least one of SPF or DKIM "aligns" with the From domain in your email. Alignment means the domain authenticated by SPF or DKIM matches the domain in the visible From header. For an in-depth look at how these protocols compare, see SPF vs DKIM vs DMARC. Here is how alignment works with SendGrid specifically.
DKIM Alignment
When SendGrid's domain authentication is set up, outgoing messages are signed with DKIM using your domain (like yourdomain.com). If your From address is hello@yourdomain.com, DKIM alignment passes because the signing domain matches the From domain.
This is the most reliable alignment method for SendGrid users. DKIM signatures survive email forwarding, so messages forwarded from one inbox to another will still pass DMARC through DKIM alignment.
SPF Alignment and the Envelope Sender
SPF alignment is where SendGrid gets tricky. Here is why:
The SPF check evaluates the envelope sender (Return-Path), not the From address. By default, SendGrid sets the envelope sender to a subdomain it created during domain authentication, like em1234.yourdomain.com. SPF checks the records for this subdomain, and since it points to SendGrid's infrastructure, SPF passes.
For DMARC SPF alignment under relaxed mode (the default), the envelope sender subdomain only needs to share the same root (organizational) domain as your From address. Since em1234.yourdomain.com and yourdomain.com share the same root, relaxed SPF alignment passes.
Under strict alignment (aspf=s), the envelope sender must exactly match the From domain. In that case, em1234.yourdomain.com would not align with yourdomain.com. For most SendGrid users, relaxed alignment is the right choice.
For the strongest DMARC setup with SendGrid, rely on DKIM as your primary alignment mechanism. It is more reliable than SPF and is not affected by forwarding or envelope sender quirks.
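The relaxed and strict comparisons described above can be worked through in code. This is an added example, not SendGrid's or any receiver's implementation: the small SUFFIXES set stands in for the Public Suffix List that real receivers consult, provider.example is a constructed placeholder, and the underlying SPF and DKIM checks are assumed to have passed.

```python
# Added example: DMARC identifier alignment (RFC 7489 section 3.1).
# Assumption: SUFFIXES is a tiny constructed stand-in for the Public Suffix List.
SUFFIXES = {"com", "net", "org", "co.uk"}


def org_domain(domain):
    """Return the organizational domain: public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # i == 0 is the longest candidate suffix
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback when the suffix is unknown


def parse_dmarc(record):
    """Split a DMARC TXT value into a tag dict, applying the default modes."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def aligned(from_domain, auth_domain, mode):
    """Strict needs an exact match; relaxed compares organizational domains."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def evaluate(record, from_domain, return_path_domain, dkim_d):
    """Alignment for a message whose SPF and DKIM checks themselves passed."""
    tags = parse_dmarc(record)
    spf = aligned(from_domain, return_path_domain, tags["aspf"])
    dkim = aligned(from_domain, dkim_d, tags["adkim"])
    return {"spf": spf, "dkim": dkim, "dmarc": spf or dkim}


RELAXED = "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; adkim=r; aspf=r; pct=100;"
STRICT_SPF = "v=DMARC1; p=none; aspf=s"

if __name__ == "__main__":
    print(evaluate(RELAXED, "yourdomain.com", "em1234.yourdomain.com", "yourdomain.com"))
    print(evaluate(STRICT_SPF, "yourdomain.com", "em1234.yourdomain.com", "yourdomain.com"))
    # Constructed case: no domain authentication, both identifiers on a provider domain.
    print(evaluate(RELAXED, "yourdomain.com", "bounce.provider.example", "provider.example"))
```

With aspf=s the SPF identifier stops aligning, but the message still passes DMARC because the DKIM signing domain matches the From domain.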
Setting Up Your DMARC Record
With SendGrid's domain authentication complete (SPF and DKIM verified), you are ready to add your DMARC record.
Confirm SendGrid domain authentication is complete
In your SendGrid dashboard, go to Settings > Sender Authentication. Verify that your domain authentication is fully set up and validated. Both DKIM CNAME records and the SPF/Return-Path record should show as verified.
Generate your DMARC record
Start with a monitoring policy: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100;. This collects reports so you can verify all your sending sources are passing before you enforce anything.
Add the DMARC record to your DNS
Log in to your DNS provider and add a new TXT record. Set the name to _dmarc and the value to your DMARC record string. The full hostname will be _dmarc.yourdomain.com.
Save and wait for propagation
Save the record. DNS propagation typically takes a few minutes to a couple of hours. You can track propagation by checking your domain periodically.
Verify the record
Check your record at dmarcrecordchecker.com. Confirm the record is valid, shows your policy, and includes your reporting address.
Recommended DMARC Record for SendGrid Users
For most SendGrid users, this starting record works well:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; adkim=r; aspf=r; pct=100;
The adkim=r and aspf=r tags explicitly set relaxed alignment for both DKIM and SPF. While relaxed is the default even without these tags, including them makes your intent clear and avoids any ambiguity.
After monitoring with p=none for at least two weeks and confirming all legitimate sources pass, move toward enforcement:
Soft enforcement: v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=25;
Full enforcement: v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; pct=100;
Troubleshooting SendGrid DMARC Alignment Failures
DKIM Alignment Failing
If your DMARC reports show DKIM failures for SendGrid messages, check:
- Domain authentication is fully verified. Go to SendGrid's Sender Authentication and confirm both CNAME records for DKIM are verified. If they show as pending, the DNS records may be missing or incorrect.
- The CNAME records are still in your DNS. DNS migrations or provider changes can accidentally remove SendGrid's records. Verify they are still present.
- Your From address matches the authenticated domain. If you authenticated yourdomain.com but send from other.com, DKIM alignment will fail.
SPF Alignment Failing
SPF alignment failures with SendGrid are usually caused by:
- The automated SPF subdomain is not verified. Check that the Return-Path CNAME record SendGrid provided is published and verified.
- Strict alignment mode in your DMARC record. If you set aspf=s, the envelope sender subdomain (em1234.yourdomain.com) will not align with yourdomain.com. Switch to aspf=r (relaxed) or remove the tag entirely since relaxed is the default.
- A custom return path is misconfigured. If you set up a custom Return-Path through SendGrid, verify it resolves correctly and includes SendGrid's SPF mechanism.
Multiple Sending Services
If you use SendGrid alongside other email services (your primary email provider, a helpdesk, another marketing tool), each needs its own authentication. Your SPF record must include all of them, and each should have DKIM configured. Review your DMARC aggregate reports to identify any service that is failing and fix its authentication before tightening your policy.
Do not move to p=reject until every legitimate sending source passes DMARC. For businesses using SendGrid plus two or three other services, this means verifying authentication for each one individually. One misconfigured service can cause customer-facing emails to get blocked.
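One way to do that review of aggregate reports before tightening the policy, as an added example that is not part of the original guide: it reads a rua report in the RFC 7489 XML layout and totals the messages per source that failed both aligned checks. The sample report is constructed, helpdesk.example is a placeholder, and the report is assumed to carry no XML namespace.

```python
# Added example: list sources in a DMARC aggregate (rua) report that fail alignment.
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report; IPs are documentation ranges, domains are placeholders.
SAMPLE = b"""<?xml version="1.0"?>
<feedback>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
      <spf><domain>em1234.yourdomain.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>helpdesk.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""


def failing_sources(report_bytes):
    """Return {(source_ip, spf_domain, dkim_domain): count} for rows failing DMARC."""
    if b"<!DOCTYPE" in report_bytes or b"<!ENTITY" in report_bytes:
        raise ValueError("DTD in report; refusing to parse")  # reports are untrusted input
    failures = Counter()
    for record in ET.fromstring(report_bytes).iter("record"):
        evaluated = record.find("row/policy_evaluated")
        if evaluated is None:
            continue
        # policy_evaluated holds the aligned results; DMARC fails only if both fail.
        if evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass":
            continue
        key = (record.findtext("row/source_ip"),
               record.findtext("auth_results/spf/domain"),
               record.findtext("auth_results/dkim/domain"))
        failures[key] += int(record.findtext("row/count"))
    return dict(failures)


if __name__ == "__main__":
    for (ip, spf_dom, dkim_dom), n in failing_sources(SAMPLE).items():
        print(f"{n} messages from {ip}: SPF domain {spf_dom}, DKIM domain {dkim_dom}")
```

The second record shows the typical pattern for an unconfigured service: raw SPF passes on the service's own domain, there is no DKIM signature, and neither identifier aligns with the From domain.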
SendGrid-Specific Best Practices
Always use domain authentication. Never send through SendGrid without completing domain authentication. Unauthenticated sending uses SendGrid's shared domain, which means no alignment with your From domain and guaranteed DMARC failure. Developers integrating SendGrid via API should also review our DMARC for developers guide for implementation patterns.
Set up link branding. While it does not affect DMARC directly, link branding replaces SendGrid tracking domains with your own domain in email links. This builds trust and avoids triggering spam filters that flag third-party tracking domains.
Monitor your sender reputation. SendGrid provides reputation metrics in its dashboard. A dropping reputation can indicate authentication issues, spam complaints, or other deliverability problems that may relate to your DMARC setup.
Use a subaccount for each sending purpose. If you use SendGrid for both transactional and marketing email, consider separate subaccounts. Each can have its own authentication and reputation, making it easier to troubleshoot DMARC issues when they arise.
Complete your authentication stack
DMARC works alongside SPF and DKIM. Build a comprehensive SPF record at spfcreator.com that includes SendGrid and all your other senders. Generate DKIM keys at dkimcreator.com for any services that need them.