SPF setup · SendGrid

    How to set up SPF for SendGrid

    SendGrid (Twilio) is one of the most-used transactional ESPs. Their domain authentication wizard generates per-account CNAMEs you publish on a sending subdomain — never on your apex.

    SPF (Sender Policy Framework, RFC 7208) authorizes specific servers to send mail for your domain. When you start sending through SendGrid, you must publish a single SPF record at your domain apex that includes SendGrid's sending infrastructure — otherwise the messages will fail SPF, your DMARC checks will fail, and your mail will land in spam or be rejected outright.

    If you already publish SPF for another sender (Google Workspace for inbound, a marketing tool, your CRM), do not publish a second record. Merge the new include into the existing record. RFC 7208 §3 forbids multiple SPF records on the same name, and receivers MUST return permerror when they find more than one.

    Publish these DNS records

    Add the following record(s) to your domain's DNS zone. Most registrars (Cloudflare, Route 53, Namecheap, GoDaddy) accept values exactly as shown.

    Type:  CNAME
    Host:  em<NUM>
    Value: u<NUM>.wl.sendgrid.net

    • SendGrid uses a delegated subdomain (e.g. `em1234.your-domain.com`) rather than asking you to modify the apex SPF record. The CNAME chain ends in SendGrid's SPF, so receivers resolve it automatically.
    • The exact `<NUM>` values are issued by SendGrid in the wizard; copy them verbatim.
    • If you want Sender ID alignment for the From: header, use a custom Return-Path subdomain (the wizard handles this).

    Where in SendGrid

    The SPF configuration lives in SendGrid → Settings → Sender Authentication → Authenticate Your Domain.

    Verify the records

    Once published, run the SPF Checker on your domain to verify the lookup chain expands cleanly and stays under the 10-DNS-lookup limit.

    From a terminal
    dig +short TXT your-domain.com
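
An offline sketch of the checks described above: the single-record rule, the 10-DNS-lookup limit, and the CNAME hop from the delegated subdomain to the record that holds the SPF. This is an added example, not SendGrid's or the SPF Checker's code. The zone contents, the `.example` names and the `em1234`/`u1234` values are constructed, and macros and the void-lookup limit are not modelled.

```python
import re

# Constructed sample zone standing in for live DNS answers (not real SendGrid data).
# A str value is a CNAME target; a list holds the TXT strings published at that name.
ZONE = {
    "em1234.your-domain.com": "u1234.wl.sendgrid.net",
    "u1234.wl.sendgrid.net": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_spf.crm.example": ["v=spf1 ip4:198.51.100.0/24 mx -all"],
    "_spf.mail.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "merged.example": ["v=spf1 include:_spf.crm.example include:_spf.mail.example ~all"],
    "dup.example": ["v=spf1 include:_spf.crm.example ~all", "v=spf1 include:_spf.mail.example ~all"],
    "loop.example": ["v=spf1 include:loop.example -all"],
}
COUNTED = {"include", "a", "mx", "ptr", "exists", "redirect"}  # terms that cost a DNS lookup

class PermError(Exception):
    """RFC 7208 permerror: the published policy cannot be evaluated."""

def spf_records(name, zone):
    """Follow CNAMEs from name, then return the TXT strings that are SPF records."""
    for _ in range(8):  # bounded chase, so bad sample data cannot loop forever
        target = zone.get(name)
        if not isinstance(target, str):
            return [t for t in (target or []) if t.lower().split(" ")[0] == "v=spf1"]
        name = target
    raise LookupError(f"CNAME chain too long at {name}")  # malformed zone, not an SPF result

def _walk(name, zone, state):
    records = spf_records(name, zone)
    if len(records) != 1:
        raise PermError(f"{name}: expected 1 SPF record, found {len(records)}")
    for term in records[0].split()[1:]:
        kind = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if kind in COUNTED:
            state["lookups"] += 1
            if state["lookups"] > 10:
                raise PermError("more than 10 DNS lookups")
        if kind in ("include", "redirect"):  # conservative: redirect is always followed
            _walk(re.split(r"[:=]", term, maxsplit=1)[1], zone, state)

def audit(name, zone=ZONE):
    """Return ("none", 0), ("ok", lookup_count) or ("permerror", reason)."""
    state = {"lookups": 0}
    try:
        if not spf_records(name, zone):
            return ("none", 0)
        _walk(name, zone, state)
    except PermError as err:
        return ("permerror", str(err))
    return ("ok", state["lookups"])
```

To audit a real domain, replace `ZONE` with the TXT and CNAME answers collected with `dig` for each name in the include chain.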

    Common pitfalls

    • SendGrid's wizard sometimes fails to detect successful CNAME publication for several hours due to caching. If verification fails immediately, check `dig CNAME` from a different resolver before changing anything.
    • For shared IP plans, you have no control over IP-level reputation — DKIM signing on your domain is what protects deliverability.
    • SendGrid's free tier includes a `<random>.sendgrid.net` From: domain by default; only authenticated senders should ever use a real brand From: address.
