How to Set Up DKIM and DMARC for SendGrid
To pass DMARC with SendGrid, enable domain authentication in the SendGrid dashboard: it adds three CNAME records that wire up both DKIM signing and SPF alignment to your domain in one step. Once those records verify, add a _dmarc TXT record at p=none to start collecting reports. If you're setting up email for a fresh domain, our email setup guide for new SaaS covers the full sequence.
Domain authentication in SendGrid
Log into your SendGrid dashboard and go to Settings then Sender Authentication. Click Authenticate Your Domain. You'll choose your DNS provider or select "Other" for manual DNS entry.
SendGrid generates three CNAME records. These are the key to alignment:
- Return-Path CNAME (sets the envelope sender to your domain). Name looks like
em1234.yourdomain.comand points tosendgrid.net. - First DKIM selector (signs the email with your domain). Name like
s1._domainkey.yourdomain.compointing tos1.domainkey.sendgrid.net. - Second DKIM selector (same signing domain, different key rotation). Name like
s2._domainkey.yourdomain.compointing tos2.domainkey.sendgrid.net.
All three are required. The Return-Path CNAME is what makes SPF alignment work: when a receiving server validates SPF, it checks the envelope sender (set by the Return-Path), not the From header. By pointing the Return-Path to your domain via that CNAME, SPF passes because the IP belongs to SendGrid but the domain belongs to you.
Copy all three CNAME records exactly. Add them to your DNS provider (Route53, Cloudflare, Namecheap, etc.). Then go back to SendGrid and click Verify. All three records must resolve before verification passes. If one fails, double-check the spelling and wait a few minutes for DNS propagation (usually <5 minutes).
Once verified, SendGrid will sign emails with your domain using both DKIM selectors. You now have:
- SPF alignment: the Return-Path subdomain passes SPF because it's pointed to SendGrid
- DKIM alignment: the email is signed with a key matching your domain
- DMARC-ready: as long as SPF or DKIM passes, DMARC passes
Do you need an SPF record?
When you use SendGrid's domain authentication with the Return-Path CNAME, SPF alignment happens automatically. The CNAME approach means you may not need to add SendGrid to your root-domain SPF record.
If all mail from your domain flows through SendGrid, you don't need include:sendgrid.net in your SPF record at all. The Return-Path points to a SendGrid subdomain that already has its SPF configured by SendGrid.
If you send from multiple sources (SendGrid + another ESP, or SendGrid + your own mail server), add SendGrid to your root-domain SPF:
v=spf1 include:sendgrid.net include:_spf.google.com ~all
Stacking several includes can push you past SPF's 10-lookup limit; if that happens, our SPF flattening guide explains how to fix it.
To check your current SPF, use the SPF Record Checker.
Create a DMARC record
Once DKIM alignment is confirmed, add a DMARC record at _dmarc.yourdomain.com. Start with p=none to monitor alignment without rejecting anything:
v=DMARC1; p=none; rua=mailto:reports@yourdomain.com
The three parts:
v=DMARC1: DMARC version (always this)p=none: monitor only; don't reject failing messagesrua=mailto:: where to send aggregate reports (optional, but recommended)
Use the DMARC Record Generator to build it interactively if you prefer.
Point reports to DMARCdrift
To get readable digests of your alignment and spoofing signals, change your rua= address:
v=DMARC1; p=none; rua=mailto:d-[your-domain-id]@in.dmarcdrift.com
Find your domain ID in your DMARCdrift dashboard under Domain Settings. Once the record is live, aggregate reports from mailbox providers (Gmail, Yahoo, Microsoft, etc.) will route to dmarcdrift. The first batch of reports arrives within 24–48 hours.
Verify alignment
After domain authentication is complete and your DMARC record is live, send a test email to yourself and check the headers. Open the email in a mail client that shows raw headers (Gmail: More actions → View message source).
Look for the Authentication-Results header. You should see:
Authentication-Results: mx.google.com;
dmarc=pass (p=NONE sp=NONE dis=NONE) ...
dkim=pass (2048-bit key; unprotected) header.d=yourdomain.com
spf=pass ...
The critical detail: dkim=pass and header.d=yourdomain.com. Your domain is the signing domain, not SendGrid's.
If DMARC fails, check:
- Did all three CNAME records verify in SendGrid? If one failed, go back to Sender Authentication and retry verification.
- Does the From header domain match your DMARC record domain? If you're sending from
noreply@yourdomain.com, your DMARC must be at_dmarc.yourdomain.com. - Is DKIM signing with your domain? Look for
header.d=yourdomain.comin the DKIM-Signature header.
Use the Email Header Analyzer to decode the full header and spot any misalignment.
A note on branded links
SendGrid's link tracking (click and open tracking) uses a different subdomain. This is separate from domain authentication. Tracking subdomains do not affect your DMARC policy on your main domain, so you can keep them enabled without breaking alignment. If you want to align tracking links with your domain too, SendGrid offers a separate setup for that, but it's optional.
Next steps
Once your emails pass DMARC, monitor the alignment for a few weeks using your DMARCdrift digest. When you're confident that no legitimate mail is failing, change your DMARC policy to p=quarantine or p=reject to block spoofers. But start with p=none and watch the reports. That's what most developers do.
Once your DMARC record is live, aggregate reports will start arriving within 24–48 hours. DMARCdrift turns the XML into a readable digest, free for one domain.
