Configure SendGrid for DMARC alignment
Set up an authenticated sending domain in SendGrid, configure DKIM CNAME records, and avoid common SPF and DKIM alignment pitfalls with DMARC.
SendGrid passes DMARC through DKIM using its Authenticated Domain feature. SendGrid provides CNAME records to publish in your DNS; it manages the underlying DKIM keys and rotates them automatically.
Set up an authenticated domain in SendGrid
- Go to SendGrid > Settings > Sender Authentication.
- Click Authenticate Your Domain and select your DNS provider (or choose manual setup).
- Enter your domain and choose whether to add a custom subdomain for the Return-Path (recommended).
- SendGrid generates CNAME records to publish.
The records look like:
em1234.yourdomain.com CNAME u1234567.wl.sendgrid.net
s1._domainkey.yourdomain.com CNAME s1.domainkey.u1234567.wl.sendgrid.net
s2._domainkey.yourdomain.com CNAME s2.domainkey.u1234567.wl.sendgrid.netThe em1234 record sets the Return-Path subdomain for SPF alignment. The s1 and s2 records are the DKIM selectors. Publish all three, then return to SendGrid and click Verify.
How SendGrid DKIM works
SendGrid uses CNAME records rather than direct TXT records. The CNAMEs point to SendGrid's infrastructure where the actual DKIM public keys live. This lets SendGrid rotate keys automatically without requiring you to update your DNS each time.
After verification, outbound mail is signed with d=yourdomain.com using selectors s1 or s2. The DKIM check tool can verify both selectors resolve.
SPF alignment
The em1234.yourdomain.com Return-Path CNAME routes bounces through SendGrid and sets the envelope sender to em1234.yourdomain.com. This subdomain shares the organizational domain with yourdomain.com, so SPF alignment passes under relaxed mode.
SendGrid no longer recommends adding include:sendgrid.net to your SPF record when using Authenticated Domains — the Return-Path CNAME handles alignment. If you have an existing include:sendgrid.net in your SPF record, you can leave it or remove it; it won't break anything, but it uses one of your 10 SPF lookups unnecessarily.
Common alignment issues with SendGrid
Unverified senders: SendGrid also supports unverified "Single Sender Verification" for individual email addresses. Mail sent through a single sender verification (not an authenticated domain) will not produce DMARC alignment — it uses SendGrid's default signing domain, not yours. Use authenticated domains for production sending.
Subusers: SendGrid subusers can each have their own authenticated domains. If you have subusers, make sure each one sending on your domain has its own authenticated domain configured.
IP Warmup: During IP warmup, SendGrid may route some mail through shared IPs. DKIM alignment is unaffected by which IPs are used — alignment depends on the DKIM signing domain, not the sending IP.
What to expect in DMARCdrift
With Authenticated Domains configured:
- Source: SendGrid IP ranges (dedicated or shared)
- DKIM result: pass,
d=yourdomain.comwith selectors1ors2 - SPF result: pass via Return-Path CNAME alignment
- DMARC result: pass
If you see DMARC failures for SendGrid traffic, the most likely cause is that the authenticated domain isn't verified or a subuser is sending without an authenticated domain configured.
Next: Amazon SES setup: DKIM Easy DKIM, BYODKIM, and SPF alignment.
See also: DKIM alignment: how DKIM signing passes DMARC. SPF alignment: how Return-Path subdomains provide SPF alignment.
Configure Resend for DMARC alignment
Configure DKIM and SPF for Resend by verifying a custom domain, so your transactional emails pass DMARC alignment and appear correctly in reports.
Configure Amazon SES for DMARC alignment
Configure Amazon SES with Easy DKIM or BYODKIM, set up verified sending domains, and fix common SPF and DKIM alignment issues in DMARCdrift.