How to set up DMARC on SendGrid

If you use SendGrid to send newsletter campaigns and automated workflows, you probably want to send from your own domain. Adding a sending domain is an important step toward DMARC compliance. Here's how to do it.

First, add the domain

SendGrid expects you to have access to an email address on the domain in order to prove your ownership over the domain.

  1. Go to your Sender Authentication under Settings.
  2. Click the "Authenticate Your Domain" button.
  3. If you are lucky enough that your DNS host is listed in the DNS host dropdown, feel free to select that. Otherwise just select "Other Host".
  4. If you want to enable link-tracking, you should probably select "Yes" in "Would you also like to brand the links for this domain?". This isn't necessary for DMARC compliance, and it's not necessary if you don't want to track clicks in links on your emails (which you might not want to). Answering "Yes" does give you more DNS entries to create, though.
  5. Go to the "Next" page.
  6. Enter the domain you want to send from. This is the domain part of the email addresses you want to send from, i.e. whatever comes after the @-sign. For example, if you want to send from [email protected] you should enter emailsherpa.net.
  7. Under "Advanced Settings" enable "Use automated security". This configures SendGrid to automatically refresh your DKIM keys every so often.
  8. You probably also want to enable "Use custom return path". This sets up bounce tracking to look like it's coming from your domain, which is a good thing and helps with DMARC alignment. You can use a "Return path" that you don't already have a DNS subdomain for, be it "bounces" or "mail" or "sg" or something else.
  9. If you have a subuser in your account that needs to be able to send from this domain, you should enable "Assign to a subuser" and select that subuser in the dropdown. Note that the only way to assign the domain to a subuser after it has been authenticated is to delete it and re-authenticate.
  10. Click "Next".

Install DNS Records

You should now be looking at a table with DNS entries you need to add. If you told SendGrid what DNS provider you use, the list is tailored to that provider.

Set up DKIM

SendGrid asks me to set up the following DNS record:

Don't worry if this looks like technical mumbo jumbo to you, the actual values aren't that important as long as you type them correctly.

  1. Log in to my domain name provider, in this case GoDaddy.
  2. Find my domain name in the list of products and click it.
  3. Scroll down to the bottom of the page where you can find the "Manage DNS" section and click that.
  4. Click the "Add" button and choose CNAME as the record type.
  5. In the Name field I enter the subdomain part of the record name. In this case that is mail.
  6. In the Value field I enter the "points to" value given to us by SendGrid - use the "Copy" button in the popup dialog to make sure you get it right.
  7. I can then click "Add record" and the DNS record has been added.

Repeat this process for each of the DNS records SendGrid shows you. At the time of writing there are 4 records in total to add. Note that 3 of them are CNAME records and one is a TXT record.

Verify DNS records

With all of the above DNS records created, it is time to head back to SendGrid's interface, check the "I've added these records" checkbox and click Verify.

You should get an "It worked!" message if you've done everything correctly. If you don't get that message, don't fret. DNS record changes can take some time to be distributed to the entire internet, so just wait a while and try again.
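
If Verify keeps failing, it helps to compare the records from SendGrid's table with what DNS actually answers. The sketch below is an added example, not code from SendGrid or from this article. It works out what belongs in the Name field and classifies each record from pasted `dig +noall +answer` output. Every record value, the `_dmarc` TXT name, and the "zone doubled" diagnosis (a DNS host that appends the domain to a full name typed into the Name field) are assumptions.

```python
ZONE = "emailsherpa.net"
# (type, full name, value) as they would be copied from SendGrid's table.
# Constructed placeholders: the ".example" targets and the _dmarc TXT record
# are assumptions, not real SendGrid values.
EXPECTED = [
    ("CNAME", "mail.emailsherpa.net", "u0000000.wl.sendgrid.example"),
    ("CNAME", "s1._domainkey.emailsherpa.net", "s1.domainkey.u0000000.wl.sendgrid.example"),
    ("CNAME", "s2._domainkey.emailsherpa.net", "s2.domainkey.u0000000.wl.sendgrid.example"),
    ("TXT", "_dmarc.emailsherpa.net", "v=DMARC1; p=none;"),
]

# Constructed sample of `dig +noall +answer` output: s1 was entered with the
# full name in the Name field, and s2 has not been created or propagated yet.
SAMPLE_DIG = """\
mail.emailsherpa.net. 3600 IN CNAME u0000000.wl.sendgrid.example.
s1._domainkey.emailsherpa.net.emailsherpa.net. 3600 IN CNAME s1.domainkey.u0000000.wl.sendgrid.example.
_dmarc.emailsherpa.net. 3600 IN TXT "v=DMARC1; p=none;"
"""

def norm(text):
    # Drop TXT quotes and the trailing root dot; compare case-insensitively.
    return text.strip().strip('"').rstrip(".").lower()

def name_field(fqdn, zone=ZONE):
    """Return what goes in the DNS host's Name field: the part left of the zone."""
    fqdn, zone = norm(fqdn), norm(zone)
    if not fqdn.endswith("." + zone):
        raise ValueError(f"{fqdn} is not inside {zone}")
    return fqdn[: -len(zone) - 1]

def parse_answers(dig_text):
    """Map (type, name) -> value for each 'name ttl IN type value' line."""
    answers = {}
    for line in dig_text.splitlines():
        parts = line.split(None, 4)
        if len(parts) == 5 and parts[2] == "IN":
            answers[(parts[3], norm(parts[0]))] = norm(parts[4])
    return answers

def check(expected, answers, zone=ZONE):
    """Classify each expected record as ok, wrong value, zone doubled or missing."""
    report = {}
    for rtype, name, value in expected:
        got = answers.get((rtype, norm(name)))
        if got is not None:
            report[name] = "ok" if got == norm(value) else "wrong value"
        elif (rtype, f"{norm(name)}.{zone}") in answers:
            report[name] = "zone doubled"
        else:
            report[name] = "missing"
    return report
```

A "missing" result usually just means waiting for propagation, while "zone doubled" or "wrong value" means the record has to be edited at the DNS host before Verify can succeed.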