What DNS Records Should Be for SendGrid?

What DNS Records Should Be for SendGrid?

To send authenticated emails through SendGrid, you need to add SendGrid's servers to your SPF record using include:sendgrid.net, add SendGrid's DKIM record at the selector they provide (typically s1._domainkey.yourdomain.com), and configure DMARC for policy enforcement. These DNS records authenticate emails sent through SendGrid's infrastructure and prevent spam filtering.

Quick Answer

For SendGrid, add include:sendgrid.net to your SPF record, add SendGrid's DKIM record at s1._domainkey.yourdomain.com (or the selector SendGrid provides), and configure DMARC. These records authenticate emails sent through SendGrid's infrastructure and prevent spam filtering.

Understanding SendGrid DNS Records

SendGrid is a cloud-based email delivery service used for transactional and marketing emails. To ensure emails sent through SendGrid are properly authenticated and achieve maximum deliverability, you need to configure specific DNS records that authorize SendGrid's servers and verify email authenticity.

Required DNS Records for SendGrid

1. SPF Record (Sender Policy Framework)

What it does: The SPF record authorizes SendGrid's servers to send email on behalf of your domain. Without this, receiving servers may reject or filter emails sent through SendGrid.

How to configure:

1. Log into your DNS provider's dashboard (where you manage your domain)
2. Find your existing SPF record (TXT record for your domain)
3. Add SendGrid's include statement to your SPF record

Example SPF record with SendGrid:

If you only use SendGrid:

v=spf1 include:sendgrid.net ~all

If you use SendGrid with other services (like Gmail):

v=spf1 include:_spf.google.com include:sendgrid.net ~all

Important notes:

• You can only have one SPF record per domain
• If you already have an SPF record, add include:sendgrid.net to it
• Don't create a new SPF record—modify your existing one
• The ~all at the end means "soft fail" for unauthorized servers

2. DKIM Record (DomainKeys Identified Mail)

What it does: DKIM adds a digital signature to emails sent through SendGrid, proving they're authentic and haven't been tampered with during transit.

How to configure:

1. Log into your SendGrid account
2. Go to Settings → Sender Authentication → Domain Authentication
3. Click Authenticate Your Domain or select your existing domain
4. Follow SendGrid's domain authentication wizard
5. SendGrid will provide you with DKIM records (TXT records)
6. Add these records to your DNS at the locations SendGrid specifies (typically s1._domainkey.yourdomain.com and s2._domainkey.yourdomain.com)

Example DKIM record format:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...

Important notes:

• SendGrid typically provides two DKIM selectors (s1 and s2) for redundancy
• SendGrid provides the exact DKIM record values—copy them exactly
• The records must be added at the exact subdomains SendGrid specifies
• Wait for DNS propagation (1-4 hours) before SendGrid can verify them
• SendGrid will verify the records are correctly configured in their dashboard

3. DMARC Record (Domain-based Message Authentication, Reporting & Conformance)

What it does: DMARC tells receiving servers how to handle emails that fail SPF or DKIM authentication and provides reporting on email authentication performance.

How to configure:

1. Create a DMARC record at _dmarc.yourdomain.com (TXT record)
2. Start with a monitoring policy (p=none) to see how your emails are performing
3. Gradually move to stricter policies (p=quarantine or p=reject) after monitoring

Example DMARC record:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; fo=1

Important notes:

• Start with p=none to monitor without affecting delivery
• Set rua= to an email address where you want aggregate reports
• Set ruf= to an email address for forensic reports (optional)
• After monitoring for a few weeks, consider moving to p=quarantine or p=reject

4. MX Records (Mail Exchange)

What it does: MX records specify where to deliver incoming email. If you're only using SendGrid for sending emails (not receiving), you typically don't need to change MX records.

When to configure:

• Only if you're using SendGrid to receive email (uncommon)
• If you're using SendGrid alongside another email provider, keep your existing MX records

Step-by-Step Setup Guide

Step 1: Authenticate Your Domain in SendGrid

1. Log into your SendGrid account
2. Navigate to Settings → Sender Authentication → Domain Authentication
3. Click Authenticate Your Domain
4. Enter your domain name (e.g., yourdomain.com)
5. SendGrid will provide you with the DNS records you need to add

Step 2: Update Your SPF Record

1. Log into your DNS provider's dashboard
2. Find your existing SPF record (TXT record for your domain)
3. If you don't have an SPF record, create one:

   v=spf1 include:sendgrid.net ~all
   

4. If you already have an SPF record, add SendGrid to it:

   v=spf1 include:_spf.google.com include:sendgrid.net ~all
   

5. Save the changes

Step 3: Add DKIM Records

1. Copy the DKIM record values from SendGrid's domain authentication page
2. SendGrid typically provides two DKIM selectors (s1 and s2)
3. In your DNS provider's dashboard, create new TXT records for each selector
4. Set the hostname/subdomain to what SendGrid specifies (typically s1._domainkey and s2._domainkey)
5. Paste each DKIM record value exactly as provided
6. Save both records

Step 4: Configure DMARC (Recommended)

1. In your DNS provider's dashboard, create a new TXT record
2. Set the hostname to _dmarc
3. Add the DMARC record value:

   v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
   

4. Replace dmarc@yourdomain.com with your email address
5. Save the record

Step 5: Verify Configuration

1. Wait 1-4 hours for DNS propagation
2. Return to SendGrid's domain authentication page
3. Click Verify to check if your records are configured correctly
4. Use MailMoxie's DNS Record Checker to verify all records are present

Common Configuration Scenarios

Scenario 1: SendGrid Only

If you only use SendGrid for email sending:

SPF:

v=spf1 include:sendgrid.net ~all

DKIM: Use SendGrid's provided records (typically s1 and s2)

DMARC:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Scenario 2: SendGrid + Gmail/Google Workspace

If you use SendGrid for transactional emails and Gmail/Google Workspace for regular email:

SPF:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

DKIM: Add both Google's DKIM and SendGrid's DKIM records

DMARC:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

MX Records: Keep your Google Workspace MX records

Scenario 3: SendGrid + Multiple Services

If you use SendGrid with other email services (Mailchimp, Klaviyo, etc.):

SPF:

v=spf1 include:_spf.google.com include:sendgrid.net include:servers.mcsv.net ~all

Important: You can only have one SPF record, so combine all services using multiple include: statements.

Verifying Your Configuration

After adding DNS records, verify they're working correctly:

1. Use MailMoxie's DNS Record Checker: Enter your domain to see all DNS records
2. Check in SendGrid: SendGrid's domain authentication page will verify your records
3. Send a test email: Send a test email through SendGrid and check the authentication headers
4. Review DMARC reports: Check your DMARC report email for authentication statistics

Common Questions

Q: Do I need to add SendGrid to my SPF record if I already have other services?

A: Yes, you need to add include:sendgrid.net to your existing SPF record. You can only have one SPF record per domain, so combine all services using multiple include: statements.

Q: How long does it take for DNS records to work with SendGrid?

A: DNS changes typically take 1-4 hours to propagate, but can take up to 48 hours. After adding records, wait a few hours before verifying in SendGrid.

Q: Can I use SendGrid without adding DNS records?

A: Technically yes, but your emails will have poor deliverability and may be filtered into spam. DNS records are essential for proper email authentication and inbox placement.

Q: Why does SendGrid provide two DKIM selectors?

A: SendGrid provides two DKIM selectors (s1 and s2) for redundancy and to support different sending scenarios. Both should be added to your DNS for maximum deliverability.

Q: What if SendGrid can't verify my DKIM records?

A: Double-check that you copied the DKIM records exactly as provided by SendGrid, including the subdomain/hostname. Make sure you added both s1 and s2 selectors. Wait for DNS propagation and try verifying again. Use MailMoxie's DNS Record Checker to confirm the records are present.

Q: Do I need DMARC for SendGrid?

A: DMARC is highly recommended but not strictly required. It provides additional authentication and reporting that helps improve deliverability and protect your domain from spoofing.

Q: What happens if I have multiple SPF records?

A: Having multiple SPF records will cause authentication failures. You must combine all services into a single SPF record using multiple include: statements.

Q: Can I use SendGrid with Office 365 or other email providers?

A: Yes, you can use SendGrid alongside any email provider. Just add include:sendgrid.net to your existing SPF record and keep your existing MX records for your primary email provider.

Q: How do I know if my SendGrid DNS records are working?

A: After DNS propagation, SendGrid's domain authentication page will show verification status. You can also send a test email and check the email headers for SPF and DKIM pass results.

Q: What if I'm using a subdomain for SendGrid?

A: If you're using a subdomain (e.g., mail.yourdomain.com), add the DNS records to that subdomain instead of your main domain. SendGrid supports subdomain authentication.

Q: Can I use SendGrid for both transactional and marketing emails?

A: Yes, SendGrid supports both transactional and marketing emails. The same DNS records authenticate both types of emails sent through SendGrid.

Key Takeaways

• Add include:sendgrid.net to your SPF record to authorize SendGrid's servers
• Add SendGrid's DKIM records at the subdomains they specify (typically s1._domainkey.yourdomain.com and s2._domainkey.yourdomain.com)
• Configure DMARC for additional authentication and reporting
• You can only have one SPF record—combine all services using multiple include: statements
• Wait 1-4 hours for DNS propagation before verifying in SendGrid
• Use MailMoxie's DNS Record Checker to verify all records are configured correctly
• Proper DNS configuration is essential for SendGrid email deliverability and inbox placement
• Start with DMARC policy p=none to monitor, then gradually move to stricter policies