How to Set Up SPF & DKIM for Sendgrid
Learn how to set up SPF and DKIM for SendGrid step-by-step. Improve email deliverability, authenticate your domain, and pass DMARC checks.
Email authentication is critical for deliverability, trust, and DMARC compliance.
Properly configuring Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) for SendGrid ensures recipients like Gmail, Outlook, and Yahoo correctly verify your sending domain improving inbox placement and protecting against spoofing.
Prerequisites:
You must have administrator access to your DNS provider
You must be logged in to your SendGrid account
You should only have one SPF record per (sub)domain
SPF Setup For SendGrid
SPF tells recipient mail servers which systems are allowed to send email on behalf of your domain.
Many SendGrid accounts use Automated Security, where SendGrid manages SPF using records on a dedicated subdomain. But if you want explicit SPF on your main domain, follow these steps:
If You Donβt Have an SPF Record
Create a TXT record on your DNS host with the following value:
v=spf1 include:sendgrid.net ~all
Your DNS record should look like:
Host
Type
Value
@ / your domain
TXT
v=spf1 include:sendgrid.net ~all
If You Already Have an SPF Record
Modify your existing TXT record that starts with v=spf1 to include SendGrid, ensuring the final record has only one SPF entry.
Example:
v=spf1 include:spf.protection.example.net include:sendgrid.net ~all
β Only one SPF TXT record per domain is allowed.
DKIM Setup For SendGrid
DKIM ensures your emails are cryptographically signed so receiving servers can verify they havenβt been altered in transit.
SendGrid generates DKIM records when you authenticate a domain through its UI
Step-by-Step: Authenticate Domain in SendGrid
- Log in to your SendGrid dashboard
- Navigate to Settings β Sender Authentication
- Under Domain Authentication, click Get Started or Authenticate Your Domain
- Choose your DNS host provider from the list and click Next
- Enter the domain you send mail from
Do not includewwworhttps://β just the base domain. - Click Next until you reach the final page that displays your CNAME records
- Copy all records and add them to your DNS provider exactly as shown
SendGrid typically provides three CNAME records β one for SPF (via return-path) and two for DKIM.
Record Name
Type
Value / Points To
emXXXXX.yourdomain.com
CNAME
<SendGrid generated host>.sendgrid.net
s1._domainkey.yourdomain.com
CNAME
s1.domainkey.<SendGrid host>.sendgrid.net
s2._domainkey.yourdomain.com
CNAME
s2.domainkey.<SendGrid host>.sendgrid.net
Verify DNS Changes
DNS propagation can take up to 48 hours. After publishing the records:
- Return to the SendGrid Sender Authentication page
- Click Verify next to your domain
- SendGrid will check your DNS records and confirm authentication
β once verified, SPF and DKIM will start signing your outgoing email
Why SPF & DKIM Matter
SPF and DKIM together with DMARC help:
- Prevent email spoofing and impersonation
- Improve inbox deliverability
- Remove βvia sendgrid.netβ branding in recipient mail clients
- Build domain trust with Gmail, Outlook, Yahoo, and others
Next Steps
Once SPF and DKIM are verified:
Configure DMARC to enforce policy and receive reports
Monitor deliverability and authentication status with tools like Dmarclytics
Need hands-on help?
Our team can walk you through this setup live β free on every plan.