Introduction
SendGrid is one of the most widely-deployed transactional email platforms. Default config doesn't align with DMARC; proper domain authentication does. This article covers the setup and common issues.
How to authenticate SendGrid
- SendGrid admin → Settings → Sender Authentication → Domain Authentication.
- Enter your domain.
- SendGrid generates DNS records — CNAMEs for DKIM and link branding.
- Publish the records.
- Verify in SendGrid.
Common issues
Issue 1: Subdomain confusion
SendGrid creates a sending subdomain (e.g., em1234.yourdomain.com). Configure to use this subdomain consistently.
Issue 2: Link branding mismatch
SendGrid's link tracking can affect DMARC. Configure link branding to match.
Issue 3: Shared IP reputation
Default plans use shared IPs. Reputation drift affects deliverability.
Issue 4: Multiple subusers
Each subuser needs domain authentication separately.
Step-by-step approach
- Authenticate domain in SendGrid.
- Publish CNAMEs.
- Confirm signing with a test message.
- Watch aggregate reports for alignment.
- For high-volume senders, consider dedicated IP.
Best practices
- Pair with proper From subdomain.
- Use SendGrid's link branding for consistency.
- Watch SPF lookup count when adding SendGrid.
- Configure separately for transactional vs. marketing.
- Test all flows before tightening DMARC policy.
Recommended next step
For SendGrid users, run domain authentication if not already. Required for DMARC alignment.
FAQ
Does SendGrid sign by default?
With its own domain, yes. Custom DKIM through domain authentication aligns with yours.
What about SendGrid sub-accounts?
Each needs separate authentication.
Can I use dedicated IP and shared IP simultaneously?
Yes, for different sending purposes.
Does SendGrid integrate with BIMI?
Yes, once DMARC is at enforcement.
What's the deliverability impact of authentication?
Positive — aligned mail has better placement.
Final thoughts
SendGrid + DMARC works cleanly with domain authentication. Five-minute setup for most cases; durable alignment.