DMARCdrift
DMARCdrift
Vendor setup

Configure SendGrid for DMARC alignment

Set up an authenticated sending domain in SendGrid, configure DKIM CNAME records, and avoid common SPF and DKIM alignment pitfalls with DMARC.

SendGrid passes DMARC through DKIM using its Authenticated Domain feature. SendGrid provides CNAME records to publish in your DNS; it manages the underlying DKIM keys and rotates them automatically.

Set up an authenticated domain in SendGrid

  1. Go to SendGrid > Settings > Sender Authentication.
  2. Click Authenticate Your Domain and select your DNS provider (or choose manual setup).
  3. Enter your domain and choose whether to add a custom subdomain for the Return-Path (recommended).
  4. SendGrid generates CNAME records to publish.

The records look like:

em1234.yourdomain.com         CNAME  u1234567.wl.sendgrid.net
s1._domainkey.yourdomain.com  CNAME  s1.domainkey.u1234567.wl.sendgrid.net
s2._domainkey.yourdomain.com  CNAME  s2.domainkey.u1234567.wl.sendgrid.net

The em1234 record sets the Return-Path subdomain for SPF alignment. The s1 and s2 records are the DKIM selectors. Publish all three, then return to SendGrid and click Verify.

How SendGrid DKIM works

SendGrid uses CNAME records rather than direct TXT records. The CNAMEs point to SendGrid's infrastructure where the actual DKIM public keys live. This lets SendGrid rotate keys automatically without requiring you to update your DNS each time.

After verification, outbound mail is signed with d=yourdomain.com using selectors s1 or s2. The DKIM check tool can verify both selectors resolve.

SPF alignment

The em1234.yourdomain.com Return-Path CNAME routes bounces through SendGrid and sets the envelope sender to em1234.yourdomain.com. This subdomain shares the organizational domain with yourdomain.com, so SPF alignment passes under relaxed mode.

SendGrid no longer recommends adding include:sendgrid.net to your SPF record when using Authenticated Domains — the Return-Path CNAME handles alignment. If you have an existing include:sendgrid.net in your SPF record, you can leave it or remove it; it won't break anything, but it uses one of your 10 SPF lookups unnecessarily.

Common alignment issues with SendGrid

Unverified senders: SendGrid also supports unverified "Single Sender Verification" for individual email addresses. Mail sent through a single sender verification (not an authenticated domain) will not produce DMARC alignment — it uses SendGrid's default signing domain, not yours. Use authenticated domains for production sending.

Subusers: SendGrid subusers can each have their own authenticated domains. If you have subusers, make sure each one sending on your domain has its own authenticated domain configured.

IP Warmup: During IP warmup, SendGrid may route some mail through shared IPs. DKIM alignment is unaffected by which IPs are used — alignment depends on the DKIM signing domain, not the sending IP.

What to expect in DMARCdrift

With Authenticated Domains configured:

  • Source: SendGrid IP ranges (dedicated or shared)
  • DKIM result: pass, d=yourdomain.com with selector s1 or s2
  • SPF result: pass via Return-Path CNAME alignment
  • DMARC result: pass

If you see DMARC failures for SendGrid traffic, the most likely cause is that the authenticated domain isn't verified or a subuser is sending without an authenticated domain configured.


Next: Amazon SES setup: DKIM Easy DKIM, BYODKIM, and SPF alignment.

See also: DKIM alignment: how DKIM signing passes DMARC. SPF alignment: how Return-Path subdomains provide SPF alignment.

Ask AI about this page:ClaudeChatGPT