Source Guide: SendGrid
This guide describes the process for configuring SendGrid to send DMARC-compliant messages. You will need to configure this source, and others that send on your behalf, before advancing your DMARC policies to a more restrictive state (eg. quarantine and/or reject).
To bring this source into DMARC compliance, you will need access to SendGrid’s administrative account and the domain’s DNS management console.
From time to time, these instructions change with very little advance notice. Please always refer to documentation published by SendGrid for the most complete and accurate information.
SendGrid provides a platform to send transactional and marketing emails. Many areas in your organization may use this service, from marketing and sales to finance. It is often used to send B2C (business-to-consumer) emails. SendGrid can be used both directly and through a third-party service provider, which will impact how you configure this source to be DMARC compliant. See the note at the bottom of this article for more information. SendGrid supports DMARC compliance through SPF and DKIM alignment.
SPF & DKIM
To achieve DMARC compliance, you will configure SPF and DKIM at the same time.
Step 1: Navigate to Settings > Sender Authentication within the SendGrid user interface.
Step 2: Click Get Started.
Step 3: Add information about your DNS host and indicate whether you also want to set up link branding. Link branding is not necessary to configure domain authentication.
Step 4: Fill in the domain you want to send email from. Do not enter domains such as www.example.com or http://example.com. The domain name you enter must match the domain that appears on the right side of the @ symbol in the emails you wish to send. For example, if you are sending emails from firstname.lastname@example.org, then you would enter example.com in the domain field.
Step 5: A series of CNAME DNS records will be displayed on the screen. They need to be added to your domain’s DNS host. This process varies depending on the provider. For videos on how to add your CNAME to some popular DNS service providers, check out these videos. If you don’t have access, you will need to request assistance from a colleague that does. Follow any existing IT processes within your organization regarding adding new records in your domain’s DNS.
Note: If your DNS provider does not accept underscores in CNAME records, you will need to go into Advanced settings and turn off Automated Security to use MX and TXT records instead.
SendGrid can be used both directly and through a third-party service provider that uses SendGrid as an email platform. The latter means that you do not have access to a SendGrid account of your own, but must request assistance from the third party that uses it in order to configure Sender Authentication. Typically, this is represented in the dmarcian console when SendGrid appears as a source name, but the MAIL FROM and “d=” value are the third-party’s domain rather than sendgrid.net.
Another important note regarding DKIM records: By default, SendGrid will propose that you deploy the DKIM key record using a selector of S1 and S2. If you have multiple SendGrid accounts, either directly or through a third-party provider, you will need to configure each account to use unique DKIM keys. A DKIM selector can only be used for a single, unique key. This means if you have multiple SendGrid accounts, only one can be configured using the default, and the others must use a custom selector through the advanced settings. For more information, see Advanced settings.
Reference: SendGrid’s SPF & DKIM directions
If you have a dmarcian account, it may take a few days to see these changes reflected in the dmarcian platform. You can look in the Detail Viewer (shown below) to check SPF and DKIM alignment required for DMARC.
We’re Here to Help
With a team of email security experts and a mission of making email and the internet more trustworthy through domain security, dmarcian is here to help assess an organization’s domain catalog and implement and manage DMARC for the long haul.
Want to continue the conversation? Head over to the dmarcian Forum.