Providers

SendGrid SPF Setup

SendGrid requires SPF authorization through include:sendgrid.net or domain authentication on your bounce domain.

Beginner · 5 min read · Reviewed Jul 4, 2026

Quick answer

SendGrid authorizes outbound mail with include:sendgrid.net added to the SPF record on your domain or authenticated subdomain. Domain authentication pairs SPF with DKIM CNAME records SendGrid provides. Transactional and marketing subusers may share infrastructure, so verify DNS for each authenticated domain rather than assuming one corporate record covers all API keys.

Beginner explanation

SendGrid is a popular choice for transactional email from SaaS products. Like other ESPs, it sends from SendGrid-controlled IPs, so your DNS must explicitly authorize those servers.

SendGrid's domain authentication wizard generates SPF and DKIM values tailored to your chosen domain or subdomain. Many engineering teams complete DKIM while delaying SPF, which leaves authentication incomplete.

If multiple products use different SendGrid subusers, each authenticated domain may need its own DNS entries even though the include macro looks the same.

Technical explanation

The standard include mechanism is include:sendgrid.net published on the hostname used in MAIL FROM for authenticated mail. SendGrid may also instruct customers to publish CNAME records for DKIM selectors such as s1._domainkey and s2._domainkey.

When using link branding and dedicated IPs, SPF requirements remain tied to the bounce domain configuration in the SendGrid UI. Dedicated IPs do not remove the need for SPF; they change which IPs must be covered by underlying SendGrid macros.

Test with SendGrid's built-in validation tools plus external header inspection. API success responses do not prove inbox placement if SPF or DKIM alignment fails at receivers.

Business impact

SendGrid SPF gaps hurt product-led growth companies hardest because onboarding emails and security alerts fail just as users sign up. That creates churn and support tickets unrelated to application bugs.

Marketing teams sharing a domain with transactional SendGrid mail suffer reputation bleed when either stream misconfigures authentication.

Common mistakes

- Authenticating only DKIM CNAMEs without adding include:sendgrid.net to SPF
- Using the root domain for employee mail while SendGrid bounces use an unconfigured subdomain
- Rotating API keys and subusers without confirming domain authentication still matches production MAIL FROM

How SPF Manager helps

SPF Manager recognizes sendgrid.net includes and checks bounce-domain SPF coverage typical in SendGrid setups. Lookup analysis helps combine SendGrid with Microsoft, Google, and marketing tools without PermError.

Alerts notify you if SendGrid-related authorization drifts after DNS or subuser changes.

Recommended next step

See how this applies to your domain before you change DNS.

Analyze my domain

Related articles

Providers

Amazon SES SPF Setup

Amazon SES sends from AWS infrastructure and requires SPF authorization via include or dedicated MAIL FROM domain configuration.

Intermediate 6 min read

Providers

SPF Email Providers

Email providers publish SPF include hostnames or IP ranges that you must add to your domain policy to authorize their outbound mail.

Beginner 6 min read

Deliverability

SPF and Email Deliverability

Correct SPF improves deliverability by giving receivers a trusted signal that your mail comes from authorized infrastructure.

Beginner 7 min read

Best Practices

SPF Record Validation

SPF record validation checks syntax, duplicate policies, lookup limits, and real-world resolution before you rely on a record in production.

Beginner 6 min read