SendGrid requires special configuration actions outside of Valimail Enforce. Please follow these steps to complete the configuration for SendGrid, and then return to Valimail Enforce to complete the setup need.

1. It is not necessary to add SendGrid as an 'Enabled Senders' because the service uses a dedicated subdomain that will be delegated to SendGrid servers. SendGrid will then publish an SPF record on that subdomain.

2. Sign in to your SendGrid account and generate CNAME records for SPF and DKIM by following these steps:

  • In the SendGrid UI, navigate to Settings->Sender Authentication
  • In the domain authentication section, click Get Started
  • Pick your DNS host from the list, enter your domain and click Next
  • Three CNAME records will be generated, one is used for delegating SPF to SendGrid for the chosen subdomain, and two DKIM keys

Note: You can find more detailed information about the setup process here:

3. Publish the first CNAME record in your DNS, this will allow SendGrid to publish an SPF record for the selected subdomain.

4. Add the two DKIM keys in Valimail Enforce, by clicking 'Add a DKIM key' from the DKIM Keys section. Enter the selector name, CNAME target value, and associate the keys with SendGrid.

5. Go back to the SendGrid dashboard, navigate to Settings->Sender Authentication->Domain Authentication, click on your selected subdomain and verify the records.

6. Once you have completed these steps, you can begin sending authenticated emails using SendGrid.

Additional Information


Aligned Authentication method:


DKIM - Yes CNAME records

Most SendGrid deployments use a dedicated subdomain. SendGrid does not host the subdomain on their DNS but they do host the SPF and DKIM info using CNAMEs. Some points to be aware of for SendGrid:

  • Do not have the customer use a Valimail SPF record. Use only the SPF record generated via the SendGrid UI. This will be a CNAME

  • Ensure that the subdomain for SendGrid is set to Single Sender

  • Since SendGrid publishes DKIM keys on the parent of the subdomain they use, it is important to always use customized DKIM selectors and not the default s1/s2. This is to ensure there are no selector conflicts since many third parties also use SendGrid under the hood. There are some third parties that do not expose the ability to customize the DKIM Selectors

  • If it is not possible to customize DKIM selectors, the next best approach is to use a sub-subdomain. For example, if the org domain is, the standard approach would be to create a subdomain in the SendGrid UI like This would result in DKIM keys on In the sub-sub domain example, the approach should be to create, in SendGrid something like In this case, is dedicated to SendGrid. This would result in the SPF record being on and the DKIM keys being on In this example, DKIM can be delegated to Valimail for as an option or it can be done manually. Since this will be the only service using this subdomain, there is no need to delegate it to Valimail.

  • If the customer has dedicated IP addresses with hostnames in the customer’s DNS, there is no need to add Netblocks to the configuration for these IPs since the subdomain is set to Single Sender

  • If importing an existing SendGrid DKIM key, ensure that both keys are imported

  • Some old implementations of SendGrid use a single DKIM key using the m1 selector. Two things to remember in this situation when adding the DKIM key to the configuration:

    • Select the checkbox ‘Only Allow Exact Domain Signing’

    • Select the Checkbox ‘Omit the 'v=DKIM1' from the DKIM record?’

  • When looking at the DMARC data for SendGrid, look at any other DKIM keys that are associated with the email. These can be clues as to whether this is a native SendGrid setup or a third party using SendGrid under the hood

  • When looking at the DMARC data for SendGrid, look at the PTR name. This can be a clue as to whether this is a native SendGrid setup or a third party using SendGrid under the hood

  • Do a DNS lookup of the SPF domain and see if there is a UID/WL ID embedded in the SPF CNAME or the MX record. If so, add this to the configuration when adding the service in the Enforce UI. This can be seen in the example below:

    •        86387    IN    CNAME

  • Some older instances of SendGrid will use the smtpapi DKIM selector.