SendGrid Domain Authentication Configuration
- Updated on 12 Oct 2023
IMPORTANT NOTE: This page specifically discusses Twilio SendGrid's Domain Authentication process; however, all reputable email delivery services have similar requirements. The need to verify a sending email server's legitimacy through DNS entries is not Twilio SendGrid-specific and applies to how email is evaluated across the internet.
This page guides you through the Domain Authentication setup.
If you're less familiar with DNS or email-specific DNS records, the following sections will help you understand why Domain Authentication is necessary and how it helps protect the reputation of your domain when sending emails.
What is Domain Authentication
When sending email, you must set Domain Name System (DNS) records on the domain to:
- Communicate to receiving email servers that you own the domain the email was sent from.
- Verify that you have given the sending email server permission to send email on behalf of the domain.
Domain Authentication, formerly known as Domain Whitelabel, is Twilio SendGrid's process for setting the DNS entries that permit us to send emails on your behalf. Once you have completed Domain Authentication by following the instructions on this page:
- Your recipients will no longer see "via sendgrid.net" beside the address of your messages.
- Both receiving email servers and human recipients will be more likely to trust the legitimacy of your messages, which means you're more likely to reach an inbox than a spam folder.
Key terminology
A high-level understanding of the following terms will help you learn more about email deliverability. However, you need not become an email deliverability expert to send emails with Twilio SendGrid. If you wish to continue with the Domain Authentication setup, skip to the setup instructions.
DNS
As mentioned earlier, Domain Name System (DNS) records are essential to verifying which email servers can send email on your domain's behalf. DNS is a naming system for domains on the internet. It resolves domains humans can remember, like sendgrid.com, to IP addresses that belong to specific computers.
There are several types of DNS records. An A record points a domain directly to an IP address where requested resources can be found. However, some records, such as CNAME records, link a domain to another domain or "host." Other records, such as TXT records, allow a domain owner to store text information about the domain. A single domain may have many records of varying types. For example, your domain may have an A record pointing to the IP address of your web server and CNAME records pointing to the cloud service that handles your email.
DNS records are managed using your DNS provider or host. Popular DNS providers include DNSimple, GoDaddy, Rackspace, and Cloudflare, but many others exist. These providers allow you to set and remove DNS entries for your domain.
DNS records and email authentication
When working with an email provider such as Twilio SendGrid, you should know two types of email authentication: DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF). DKIM and SPF are partially implemented by setting TXT records on your domain.
DKIM
DomainKeys Identified Mail (DKIM) is an authentication method that uses asymmetric (public-key) cryptography to sign and verify your email. With DKIM implemented, the sending email server adds a cryptographic signature to the headers of your emails. The DKIM record is a TXT record that stores the DKIM public key, which receiving servers use to verify that signature.
SPF
Sender Policy Framework (SPF) is an email authentication standard developed by AOL that allows you to list all the IP addresses authorized to send emails on behalf of your domain. The SPF record is a TXT record that lists the IP addresses approved by the domain owner. The receiving server can compare the email sender's IP address to the list in the SPF record.
Twilio SendGrid's DNS records
During Domain Authentication setup, Twilio SendGrid's automated security will be enabled by default. If you leave automated security on, Twilio SendGrid will provide you with CNAME records that must be added to your domain. If you turn automated security off, you will receive one MX and two TXT records instead.
CNAME
As mentioned earlier, CNAME records link one domain to another domain. When Twilio SendGrid gives you CNAME records during Domain Authentication, they point to a domain Twilio SendGrid controls. This means Twilio SendGrid can create and update your SPF and DKIM records. For example, if you purchase a dedicated IP address, Twilio SendGrid can add that address to your SPF automatically.
The CNAME record also allows Twilio SendGrid to route our click and open tracking statistics back to your Twilio SendGrid account, where you can use them to further adjust your sending behavior.
MX
MX records specify the location of the server responsible for handling inbound email for a domain. When automated security is turned off, Twilio SendGrid will provide one MX record during Domain Authentication that must be added to your domain. This record enables the return path.
The return path is an email header, defining an address separate from your original sending address. The return path address tells email servers where to send feedback, such as delayed bounces and unsubscribes.
TXT
TXT records allow you to add text information about your domain. DKIM and SPF are both implemented using TXT records with specific formatting. With automated security turned off, Twilio SendGrid will provide these TXT records to be added to your domain.
When automated security is turned off, you must manually update the TXT records on your domain when you change your email configuration. For example, when you add a new IP address to your account, your SPF TXT record must be updated with the new IP information to prevent email delivery issues.
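The drift described above can be checked before it causes delivery failures. The following is an added example, not Twilio SendGrid code: it parses an SPF TXT value and reports which of an account's sending IPs are not covered by a literal `ip4`/`ip6` mechanism. The record, the IP list, and the include host `spf.example.net` are constructed sample values.

```python
import ipaddress

def parse_spf(txt):
    """Split an SPF TXT value into literal networks, unevaluated terms, and the 'all' qualifier."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: value must start with v=spf1")
    networks, unevaluated, all_qualifier = [], [], None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # '+' (pass) is the default
        name, _, value = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name in ("ip4", "ip6") and qualifier == "+":
            networks.append(ipaddress.ip_network(value, strict=False))
        elif name == "all":
            all_qualifier = qualifier
        else:
            # include:, a, mx, redirect= need live DNS lookups; they are only reported here
            unevaluated.append(term)
    return networks, unevaluated, all_qualifier

def uncovered_ips(txt, sending_ips):
    """Return the sending IPs that no literal ip4/ip6 mechanism authorizes."""
    networks, unevaluated, all_qualifier = parse_spf(txt)
    missing = [ip for ip in sending_ips
               if not any(ipaddress.ip_address(ip) in net for net in networks)]
    return missing, unevaluated, all_qualifier

# Constructed sample data: documentation address ranges and a hypothetical include host.
SPF_TXT = "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/28 include:spf.example.net ~all"
ACCOUNT_IPS = ["192.0.2.10", "198.51.100.7", "203.0.113.25"]   # last one newly added

if __name__ == "__main__":
    missing, unevaluated, all_q = uncovered_ips(SPF_TXT, ACCOUNT_IPS)
    print("not covered by ip4/ip6:", missing)
    print("not evaluated (needs DNS):", unevaluated)
    print("qualifier on 'all':", all_q)
```

An IP reported as missing may still be authorized through an `include:` term, so resolve the unevaluated terms before concluding the record is out of date.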
If you choose to brand links during Domain Authentication, you will be given two additional CNAME records to support Link Branding.
Set up Domain Authentication
IMPORTANT NOTE: Each user may have a maximum of 3,000 authenticated domains and 3,000 link brandings. This limit is at the user level, meaning each Subuser belonging to a parent account may have its own 3,000 authenticated domains and 3,000 link brandings.
Before you begin
To set up Domain Authentication, you must submit the DNS records provided by Twilio SendGrid to your DNS or hosting provider. Popular DNS providers include DNSimple, GoDaddy, Rackspace, and Cloudflare, but many others exist.
- Determine who your hosting provider is and make sure you have the access required to change your records.
- If you don't have access to your DNS or hosting provider, determine who in your company can make DNS modifications for your domain.
Manual or automated setup
If you already have a DNS record with a custom name on your domain, adding a new record with a matching name will overwrite your existing DNS entry. This can happen if you use a custom return path and set the name to one already in your DNS entries.
For example, let's assume you have a TXT record with the host email.example.com. If you set a custom return-path of email during Domain Authentication, Twilio SendGrid will create a record with the host email.example.com. When you complete automatic Domain Authentication, your existing TXT record will be replaced with Twilio SendGrid's record. This will likely break one of your existing services.
Before proceeding, make sure you are not completing Domain Authentication with any custom names that already exist for records on your domain.
Twilio SendGrid supports Domain Connect, which can simplify the Domain Authentication process. If we have partnered with your DNS provider to support Domain Connect, you can authenticate with your DNS provider and allow Twilio SendGrid to configure the DNS changes for you. Both automatic and manual setup begin the same way with the "Setup steps required for both automatic and manual setup" that follow.
Setup steps required for both automatic and manual setup
- In the Twilio SendGrid App user interface (UI), select Settings > Sender Authentication.
- In the Domain Authentication section, click Get Started. The Authenticate Your Domain page will load.
- On the Authenticate Your Domain page, select your DNS host from the drop-down menu below the text: Which Domain Name Server (DNS) host do you use? You can select I'm not sure or Other Host (Not Listed) if necessary.
- Select Yes or No below the text: Would you also like to brand the links for this domain? If you choose No, you can add Link Branding later. Link Branding is not a required part of the Domain Authentication process.
IMPORTANT NOTE: The automatic setup process does not currently support Link Branding. If you choose to brand links during Domain Authentication, you must manually add the Link Branding CNAME records to your domain.
- Click Next. A second Authenticate Your Domain page will load.
- On the new page, add the domain you want to authenticate below the text: Domain You Send From. This will be the domain that appears in the from address of your messages. For example, if you want your messages to come from addresses at example.com, you will authenticate example.com. Make sure that you enter only your root domain, in the form <domain-name.top-level-domain>. Do not include a subdomain or protocol such as www or http://www in this field.
- Select the Advanced Settings appropriate for your needs. Most customers can leave Use automated security checked and continue.
- Click Next. The Install DNS Records page will load.
- The Twilio SendGrid App will now determine if we can automatically finish your Domain Authentication process. You will be taken to the Automatic Setup tab if we can automatically finish the setup. You will be taken to the Manual Setup tab if we cannot automatically finish the setup.
- If you cannot modify your domain's DNS records, you can email the records to a colleague using the Send To A Coworker tab. The email includes a direct link to the records. The recipient doesn't need to log in to your Twilio SendGrid account.
IMPORTANT NOTE: Automated setup is currently available for GoDaddy only. We plan to add support for additional DNS providers in the future.
Automated setup
- From the Automated Setup tab, click Connect.
- A dialog box titled Connect <your DNS host> to Twilio SendGrid for this domain will load.
- A new window will also open where you can connect to your DNS host. In the new window, log in to your DNS host and follow the instructions to connect your domain.
- Once you see a success message in the new window, you can close it.
- In the Connect <your DNS host> to Twilio SendGrid for this domain dialog, Twilio SendGrid will attempt to verify the correct setup of your DNS records.
- Once your Domain Authentication setup is verified, the dialog will close, and you will see a success message in the Twilio SendGrid App UI.
- If verification is not successful, try clicking Verify again in 48 hours. It can take up to 48 hours for DNS changes to be applied.
Manual setup
- In the Manual Setup tab, you will see the DNS records that must be added with your DNS host provider. If you left Use automated security checked during the earlier configuration steps, you will see three CNAME records. If you unchecked Use automated security, you will see an MX and two TXT records.
- Next, you will add the records displayed using your DNS provider. This process varies depending on your DNS host.
- Once you add the DNS records to your domain, return to the Twilio SendGrid App UI and click Verify.
- You should now see the records verified successfully.
- If only half of your records are verified, you likely need to wait a bit longer. It's also possible that you entered one of your records incorrectly.
- Any time you send an email from an address whose domain matches your authenticated domain, Twilio SendGrid applies that domain to your email. You only need to update your Domain Authentication if you want to change the domain you are emailing from.
GoDaddy, Amazon Route 53, and Namecheap, among other providers, automatically append your domain to your new DNS record values, resulting in a CNAME entry that fails verification. For example, if your domain is example.com, and Twilio SendGrid's CNAME host value is em123.example.com, the incorrect record will become em123.example.com.example.com.
You can remedy this by pasting only the subdomain section of the host value, em123, into your DNS provider's host field. You do not need to modify the value of the record. Check your CNAME for this behavior if your domain doesn't validate initially.
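Both DNS pitfalls on this page, the doubled domain described above and the overwrite of an existing record that shares a name with a new one, can be caught with a pre-flight check on record names. The following is an added example, not Twilio SendGrid code: the zone listing and the planned records are constructed sample data, and the `s1._domainkey` and `s2._domainkey` hosts are assumed names for illustration.

```python
def normalize(name):
    """Lower-case a DNS name and drop any trailing root dot."""
    return name.rstrip(".").lower()

def host_field(fqdn, zone):
    """Relative label to paste into a provider that appends the zone itself."""
    fqdn, zone = normalize(fqdn), normalize(zone)
    if fqdn == zone:
        return "@"                      # common provider notation for the zone apex
    if not fqdn.endswith("." + zone):
        raise ValueError(f"{fqdn} is not inside {zone}")
    return fqdn[: -len(zone) - 1]

def doubled_names(published, zone):
    """Published names where the provider appended the zone a second time."""
    zone = normalize(zone)
    suffix = f".{zone}.{zone}"
    return [n for n in map(normalize, published) if n.endswith(suffix)]

def collisions(existing, planned):
    """Map each planned host that already has records to the existing record types."""
    taken = {}
    for name, rtype in existing:
        taken.setdefault(normalize(name), []).append(rtype)
    return {normalize(n): taken[normalize(n)]
            for n, _ in planned if normalize(n) in taken}

# Constructed sample data for the zone example.com.
ZONE = "example.com"
EXISTING = [("example.com", "A"), ("www.example.com", "CNAME"),
            ("email.example.com", "TXT")]          # used by another service
PLANNED = [("email.example.com", "CNAME"),         # custom return path "email"
           ("s1._domainkey.example.com", "CNAME"),
           ("s2._domainkey.example.com", "CNAME")]

if __name__ == "__main__":
    print("would overwrite:", collisions(EXISTING, PLANNED))
    for name, _ in PLANNED:
        print("host field for", name, "->", host_field(name, ZONE))
    print("doubled:", doubled_names(["em123.example.com.example.com"], ZONE))
```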
IMPORTANT NOTE: It can take up to 48 hours for the records to verify after you upload them into your DNS host, so you will likely have to return later to verify.
During Domain Authentication setup, on the second Authenticate Your Domain page where you enter your domain, there is a drop-down menu labeled Advanced Settings. The following section explains each of these settings.
Use automated security
Automated security is different from automatic setup. Automated security allows Twilio SendGrid to handle the signing of your DKIM and the authentication of your SPF with CNAME records. This allows you to add a dedicated IP address or update your account without updating your DNS records.
Automated security defaults to On. If your DNS provider does not accept underscores in CNAME records, you will have to turn automated security off and use MX and TXT records.
IMPORTANT NOTE: If you turn off automated security, you manage and update the MX and TXT records yourself.
Use a custom return-path
You can use a custom return path to customize the subdomain that tells receiving email servers where to route delayed bounces and unsubscribes.
- Select Use a custom return path and input letters or numbers to build a custom return path. If you don't select these, Twilio SendGrid automatically selects them. Ensure the characters you select differ from those that Twilio SendGrid initially assigned you.
Use a custom DKIM selector
You can set a custom DKIM selector if you want to authenticate a single domain multiple times or if Twilio SendGrid's DKIM selector s is already used by another service. This works by adding the custom selector to the domain as a custom subdomain.
- Select Use a custom DKIM selector and input three letters or numbers to build a custom subdomain. If you don't select these, Twilio SendGrid automatically selects them. Make sure the three characters you select are different from your original selection. For example, you could use org or 001.
Assign to a Subuser
When you authenticate a domain on a parent account, you can assign it to a Subuser. The Subuser will not see the authenticated domain assigned by the parent. This is intentional and prevents a Subuser from editing or deleting an authenticated domain from the parent or any other assigned Subusers.
The parent account owns the DNS records used to authenticate the domain and then grants the Subuser permission to use the authenticated domain. Authentication records are mapped to the account that creates them.
- Select Advanced Settings below the From Domain field. This will be on the second page of the Domain Authentication setup in the Twilio SendGrid App.
- Select Assign to a Subuser.
- A field will appear where you can select which Subuser to assign to the authenticated domain.
You can modify a Subuser's Domain Authentication assignments in the Subuser Management section of the Twilio SendGrid App.
DNS providers supported by Twilio SendGrid's automated setup
Twilio SendGrid has partnered with the following DNS providers who support Domain Connect to automate the Domain Authentication process.
Migrate from legacy Domain Authentication (Domain Whitelabel)
If you authenticated a domain (Whitelabel) before 2015, your domain will still work. However, if you need to change or update it, you must delete it and recreate it as an authenticated domain in our new system.