DMARC setup · SendGrid

    How to set up DMARC for SendGrid

    SendGrid (Twilio) is one of the most-used transactional ESPs. Their domain authentication wizard generates per-account CNAMEs you publish on a sending subdomain — never on your apex.

    DMARC (RFC 7489) tells receiving mail servers what to do when a message claiming to be from your domain fails SPF or DKIM. You publish exactly one DMARC record at `_dmarc.<your-domain>`, regardless of which ESP you use — DMARC is a domain-level policy, not a per-sender configuration. SendGrid doesn't run DMARC for you, but their SPF + DKIM setup is what makes your DMARC checks pass.

    Start every domain at `p=none` with a `rua` (aggregate report) address pointing somewhere you actually read. Watch the reports for two to four weeks to confirm 100% of legitimate mail is aligned, then progress to `p=quarantine` and finally `p=reject`. Skipping the monitoring step is the single most common way founders accidentally block their own mail.
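
    One way to read an aggregate report during the `p=none` monitoring window, as an added example that is not from the original page or from SendGrid. It assumes the report XML carries no namespace; the function names `summarize` and `blocking_sources` are hypothetical and the sample report is constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the RFC 7489 aggregate-report layout (not a real report).
# IPs come from documentation ranges; 203.0.113.7 stands in for an unaligned source.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>your-domain.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.4</source_ip><count>30</count>
  <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.7</source_ip><count>5</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def summarize(report_xml):
    """Return (total, aligned, {source_ip: failing_count}) for one report."""
    # Reports arrive from third parties: refuse DTDs/entities before parsing.
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("unexpected DTD or entity declaration in report")
    root = ET.fromstring(report_xml)
    total = aligned = 0
    failing = Counter()
    for row in root.iter("row"):
        count = int(row.findtext("count"))
        result = row.find("policy_evaluated")
        total += count
        # DMARC passes when either the aligned DKIM or the aligned SPF result passes.
        if "pass" in (result.findtext("dkim"), result.findtext("spf")):
            aligned += count
        else:
            failing[row.findtext("source_ip")] += count
    return total, aligned, dict(failing)

def blocking_sources(report_xml, legitimate_ips):
    """Failing sources you recognise as your own mail: fix these before leaving p=none."""
    _, _, failing = summarize(report_xml)
    return {ip: n for ip, n in failing.items() if ip in legitimate_ips}

if __name__ == "__main__":
    total, aligned, failing = summarize(SAMPLE_REPORT)
    print(f"{aligned}/{total} messages aligned; failing sources: {failing}")
```

    An empty result from `blocking_sources` across the whole monitoring window, for every IP you know sends your mail, is the signal that moving to `p=quarantine` will not block your own messages.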

    Publish these DNS records

    Add the following record(s) to your domain's DNS zone. Most registrars (Cloudflare, Route 53, Namecheap, GoDaddy) accept values exactly as shown.

    Type: TXT
    Host: _dmarc
    Value: v=DMARC1; p=none; rua=mailto:[email protected]
    • Publish DMARC at the apex even though SendGrid sends from a subdomain — DMARC alignment honors the From: header domain, which should be your brand domain, not the SendGrid CNAME subdomain.
    • If you use SendGrid for transactional and a separate tool for marketing, both will share this single DMARC policy.

    Where in SendGrid

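    The SPF + DKIM domain authentication that your DMARC checks depend on lives in SendGrid → Settings → Sender Authentication → Authenticate Your Domain. The DMARC record itself is published in your own DNS zone, as shown above.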

    Verify the records

    Once published, run the DMARC Checker on your apex domain to confirm the record parses, reporting URIs are valid, and the policy is what you intended.

    From a terminal
    dig +short TXT _dmarc.your-domain.com

    Common pitfalls

    • SendGrid's wizard sometimes fails to detect successful CNAME publication for several hours due to caching. If verification fails immediately, check `dig CNAME` from a different resolver before changing anything.
    • For shared IP plans, you have no control over IP-level reputation — DKIM signing on your domain is what protects deliverability.
    • SendGrid's free tier includes a `<random>.sendgrid.net` From: domain by default; only authenticated senders should ever use a real brand From: address.
