How to Set Up SPF & DKIM for SendGrid

Email authentication is critical for deliverability, trust, and DMARC compliance.
Properly configuring Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) for SendGrid ensures recipients like Gmail, Outlook, and Yahoo correctly verify your sending domain, improving inbox placement and protecting against spoofing.
Prerequisites:
You must have administrator access to your DNS provider
You must be logged in to your SendGrid account
You should only have one SPF record per (sub)domain
SPF Setup For SendGrid
SPF tells recipient mail servers which systems are allowed to send email on behalf of your domain.
Many SendGrid accounts use Automated Security, where SendGrid manages SPF using records on a dedicated subdomain. But if you want explicit SPF on your main domain, follow these steps:
If You Don’t Have an SPF Record
Create a TXT record on your DNS host with the following value:
Your DNS record should look like:
| Host | Type | Value |
|---|---|---|
| @ / your domain | TXT | |
If You Already Have an SPF Record
Modify your existing TXT record that starts with v=spf1 to include SendGrid, ensuring the final record has only one SPF entry.
Example:
⚠ Only one SPF TXT record per domain is allowed.
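The merge step described above, as an added example that is not from the original page or from SendGrid: it takes the TXT strings already published for a domain, refuses to continue if more than one SPF record exists, and inserts the include before the terminating `all`. The include value `sendgrid.net`, the `~all` default and the sample records are assumptions; use the value SendGrid shows for your account.

```python
import re

SPF_PREFIX = re.compile(r"^v=spf1(\s|$)", re.IGNORECASE)
# Terms that cost a DNS lookup; RFC 7208 section 4.6.4 caps these at 10.
LOOKUP_TERMS = re.compile(
    r"^[+\-~?]?(include:|a$|a[:/]|mx$|mx[:/]|ptr$|ptr:|exists:|redirect=)", re.IGNORECASE)
ALL_TERM = re.compile(r"^[+\-~?]?all$", re.IGNORECASE)

# Constructed sample: TXT strings as a DNS lookup on the domain would return them.
SAMPLE_TXT = [
    "site-verification=constructed-token",
    "v=spf1 include:_spf.example.net mx -all",
]


def spf_records(txt_records):
    """Return only the TXT strings that are SPF policies."""
    return [r.strip() for r in txt_records if SPF_PREFIX.match(r.strip())]


def add_include(txt_records, include_domain, default_all="~all"):
    """Return the single SPF record to publish after adding include_domain.

    Raises ValueError when more than one SPF record exists, because receivers
    treat that as a permanent error and SPF then fails for all mail."""
    found = spf_records(txt_records)
    if len(found) > 1:
        raise ValueError(f"{len(found)} SPF records found; merge them into one first")
    if not found:
        return f"v=spf1 include:{include_domain} {default_all}"  # default_all is an assumption
    terms = found[0].split()
    wanted = f"include:{include_domain}"
    if any(t.lower().lstrip("+") == wanted.lower() for t in terms):
        return " ".join(terms)  # already present, nothing to change
    # Mechanisms are evaluated left to right and "all" always matches,
    # so the new include has to go in front of it.
    pos = next((i for i, t in enumerate(terms) if ALL_TERM.match(t)), len(terms))
    terms.insert(pos, wanted)
    return " ".join(terms)


def lookup_count(record):
    """Count top-level terms that trigger DNS lookups (nested includes are not resolved)."""
    return sum(1 for t in record.split()[1:] if LOOKUP_TERMS.match(t))


if __name__ == "__main__":
    merged = add_include(SAMPLE_TXT, "sendgrid.net")
    print(merged, "| lookups:", lookup_count(merged))
```

The lookup count covers only the terms in the record itself; each included domain adds its own lookups toward the limit of 10.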
DKIM Setup For SendGrid
DKIM ensures your emails are cryptographically signed so receiving servers can verify they haven’t been altered in transit.
SendGrid generates DKIM records when you authenticate a domain through its UI.
Step-by-Step: Authenticate Domain in SendGrid
Log in to your SendGrid dashboard
Navigate to Settings → Sender Authentication
Under Domain Authentication, click Get Started or Authenticate Your Domain
Choose your DNS host provider from the list and click Next
Enter the domain you send mail from
Do not include www or https://, just the base domain.
Click Next until you reach the final page that displays your CNAME records
Copy all records and add them to your DNS provider exactly as shown
SendGrid typically provides three CNAME records — one for SPF (via return-path) and two for DKIM.
| Record Name | Type | Value / Points To |
|---|---|---|
| | CNAME | |
| | CNAME | |
| | CNAME | |
Verify DNS Changes
DNS propagation can take up to 48 hours. After publishing the records:
Return to the SendGrid Sender Authentication page
Click Verify next to your domain
SendGrid will check your DNS records and confirm authentication. Once verified, your outgoing email will be signed with DKIM and authorized by SPF.
Why SPF & DKIM Matter
SPF and DKIM together with DMARC help:
Prevent email spoofing and impersonation
Improve inbox deliverability
Remove “via sendgrid.net” branding in recipient mail clients
Build domain trust with Gmail, Outlook, Yahoo, and others
Next Steps
Once SPF and DKIM are verified:
Configure DMARC to enforce policy and receive reports
Monitor deliverability and authentication status with tools like Dmarclytics
