Website: www.twilio.com

Aligned Authentication method:


SPF - Yes - CNAME

DKIM - Yes - CNAME records


Most SendGrid deployments use a dedicated subdomain. SendGrid does not host the subdomain on its DNS, but it does host the SPF and DKIM information using CNAMEs. Some points to be aware of for SendGrid:

  • Do not have the customer use a Valimail SPF record. Use only the SPF record generated via the SendGrid UI. This will be a CNAME.

  • Ensure that the subdomain for SendGrid is set to Single Sender

  • Since SendGrid publishes DKIM keys on the parent of the subdomain they use, it is important to always use customized DKIM selectors and not the default s1/s2. This ensures there are no selector conflicts, since many third parties also use SendGrid under the hood. Some third parties do not expose the ability to customize the DKIM selectors.

  • If it is not possible to customize DKIM selectors, the next best approach is to use a sub-subdomain. For example, if the org domain is foo.com, the standard approach would be to create a subdomain in the SendGrid UI like em123.foo.com. This would result in DKIM keys on foo.com. In the sub-subdomain approach, create something like em123.email.foo.com in SendGrid instead. In this case, email.foo.com is dedicated to SendGrid. This would result in the SPF record being on em123.email.foo.com and the DKIM keys being on email.foo.com. In this example, DKIM can be delegated to Valimail for email.foo.com as an option, or it can be done manually. Since this will be the only service using this subdomain, there is no need to delegate it to Valimail.

  • If the customer has dedicated IP addresses with hostnames in the customer’s DNS, there is no need to add Netblocks to the configuration for these IPs since the subdomain is set to Single Sender

  • If importing an existing SendGrid DKIM key, ensure that both keys are imported

  • Some old implementations of SendGrid use a single DKIM key using the m1 selector. Two things to remember in this situation when adding the DKIM key to the configuration:

    • Select the checkbox ‘Only Allow Exact Domain Signing’

    • Select the checkbox ‘Omit the 'v=DKIM1' from the DKIM record?’

  • When looking at the DMARC data for SendGrid, look at any other DKIM keys that are associated with the email. These can be clues as to whether this is a native SendGrid setup or a third party using SendGrid under the hood

  • When looking at the DMARC data for SendGrid, look at the PTR name. This can be a clue as to whether this is a native SendGrid setup or a third party using SendGrid under the hood

  • Do a DNS lookup of the SPF domain and see if there is a UID/WL ID embedded in the SPF CNAME or the MX record. If so, add this to the configuration when adding the service in the Enforce UI. This can be seen in the example below:

    • em123.acme.com.        86387    IN    CNAME    u1959045.wl.sendgrid.net

  • Some older instances of SendGrid will use the smtpapi DKIM selector.
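The DNS check and the selector guidance above can be combined into one pass over `dig` answer lines. The following is an added example, not Valimail or SendGrid code: it extracts the UID from SendGrid CNAME targets and labels DKIM selectors as default (s1/s2), legacy (m1, smtpapi) or custom. The sample records are constructed from the page's example UID; the `<selector>.domainkey.…` target layout and the optional digits after `wl` are assumptions, and MX records are not covered.

```python
import re

# Constructed sample: answer-section lines as printed by `dig`, reusing the
# page's example UID. The DKIM CNAME target layout is an assumption.
SAMPLE_ANSWERS = """\
em123.acme.com.           86387 IN CNAME u1959045.wl.sendgrid.net.
s1._domainkey.acme.com.   86387 IN CNAME s1.domainkey.u1959045.wl.sendgrid.net.
m1._domainkey.acme.com.   86387 IN CNAME m1.domainkey.u1959045.wl.sendgrid.net.
mkt._domainkey.acme.com.  86387 IN CNAME mkt.domainkey.u1959045.wl.sendgrid.net.
www.acme.com.             86387 IN CNAME web.example.net.
"""

# u<UID>.wl<optional WL ID>.sendgrid.net at the end of a CNAME target.
# Digits after "wl" are an assumption; the page's example has none.
SENDGRID_TARGET = re.compile(r"(?:^|\.)u(\d+)\.wl(\d*)\.sendgrid\.net\.?$", re.I)

# Selectors the page singles out: shared defaults and older single-key setups.
SELECTOR_NOTES = {"s1": "default", "s2": "default", "m1": "legacy", "smtpapi": "legacy"}


def audit_sendgrid_records(dig_answers):
    """Return one finding per CNAME record that points into SendGrid."""
    findings = []
    for line in dig_answers.splitlines():
        fields = line.split()  # owner, TTL, class, type, target
        if len(fields) < 5 or fields[3].upper() != "CNAME":
            continue
        owner, target = fields[0].rstrip(".").lower(), fields[4]
        match = SENDGRID_TARGET.search(target)
        if not match:
            continue  # CNAME to something other than SendGrid
        finding = {"owner": owner, "uid": match.group(1),
                   "wl_id": match.group(2) or None,
                   "kind": "spf", "selector": None, "selector_note": None}
        labels = owner.split(".")
        if len(labels) > 2 and labels[1] == "_domainkey":
            finding["kind"] = "dkim"
            finding["selector"] = labels[0]
            finding["selector_note"] = SELECTOR_NOTES.get(labels[0], "custom")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in audit_sendgrid_records(SAMPLE_ANSWERS):
        print(finding)
```

To run it against live data, pass in the answer-section lines from the lookups of the SPF subdomain and each `_domainkey` name instead of the constructed sample.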