How to Set Up Domain Authentication


Setting up domain authentication is a critical step when establishing your Twilio SendGrid account. This process is essential for ensuring the optimal deliverability of your emails. Domain Authentication not only enhances your email delivery rates but also boosts trustworthiness with both email inbox providers and your recipients.

(information)

Info

This page provides insights into Twilio SendGrid's Domain Authentication process, focusing on domain setup and the verification of sending email servers' legitimacy through DNS entries. It's important to note that while this documentation discusses Twilio SendGrid here, the requirements and best practices for setting up domains and ensuring email deliverability are applicable to all reputable email delivery services.

This page guides you through Domain Authentication setup. Domain setup is a crucial step in sending affective email campaigns. If you're already familiar with Domain Name System (DNS) records, you may want to skip to the setup instructions.

If you're less familiar with DNS or email-specific DNS records, the following sections will help you understand why Domain Authentication is necessary and how it helps protect the reputation of your domain when sending email.

SendGrid added a Domain-based Message Authentication, Reporting & Conformance (DMARC) record on the DNS records page in the console. By following the steps below and adding this to the records hosted by your DNS provider, your organization will be able to meet the DMARC requirements set by Gmail and Yahoo!(link takes you to an external page). These inbox providers may block email that does not contain a valid DMARC record.


What is Domain Authentication

what-is-domain-authentication page anchor

When sending email, you must set Domain Name System (DNS) records on the domain to:

  1. Communicate to receiving email servers that you own the domain the email was sent from.
  2. Verify that you have given the sending email server permission to send email on behalf of the domain.

Domain Authentication, formerly known as Domain Whitelabel, is Twilio SendGrid's process for domain setup and setting the DNS entries that grant us permission to send email on your behalf. Once you have completed Domain Authentication by following the instructions on this page:

  • Your recipients will no longer see "via sengrid.net" (or "via eu.sendgrid.net" for Regional customers) beside the from address of your messages.
  • Both receiving email servers and human recipients will be more likely to trust the legitimacy of your messages, which means you're more likely to reach an inbox than a spam folder.

Having a high level understanding of the following terms will help as you learn more about email deliverability. However, you do not need to become an email deliverability expert to send email with Twilio SendGrid. If you wish to continue with Domain Authentication setup, skip ahead to the setup instructions.

As mentioned earlier, Domain Name System (DNS) records are essential to verifying which email servers are allowed to send email on behalf of your domain. DNS is a naming system for domains on the internet. It resolves domains humans can remember, like sendgrid.com, to IP addresses that belong to specific computers.

There are several types of DNS records. An A record points a domain directly to an IP address where requested resources can be found. However, some records, such as CNAME records, link a domain to another domain or "host." Other records, such as TXT records, allow a domain owner to store text information about the domain. A single domain may have many records of varying types. For example, your domain may have an A record pointing to the IP address of your web server and CNAME records pointing to the cloud service that handles your email.

DNS records are managed using your DNS provider or host. Popular DNS providers include DNSimple, GoDaddy, Rackspace, and Cloudflare, but there are many others. These providers allow you to set and remove DNS entries for your domain.

DNS records and email authentication

dns-records-and-email-authentication page anchor

When working with an email provider such as Twilio SendGrid, you should be aware of three types of email authentication: DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting & Conformance (DMARC). DKIM, SPF and DMARC are all implemented in part by setting records on your domain. DMARC is encouraged, but not a requirement for email authentication.

DomainKeys Identified Mail (DKIM) is an authentication method that uses asymmetric encryption(link takes you to an external page) to sign and verify your email. With DKIM implemented, the sending email server adds a cryptographic signature to your emails' headers. The DKIM record is a TXT record that stores the DKIM public key. For more information about how DKIM works, see DKIM Records Explained.

Sender Policy Framework (SPF) is an email authentication standard developed by AOL that allows you to list all the IP addresses that are authorized to send email on behalf of your domain. The SPF record is a TXT record that lists the IP addresses approved by the domain owner. The receiving server can compare the email sender's actual IP address to the list in the SPF record. For more information about how SPF works, see SPF Records Explained.

Domain-based Message Authentication, Reporting & Conformance (DMARC) is a protocol that verifies the authenticity of an email's sender. It helps prevent malicious senders from harming your sender reputation. DMARC provides a policy to email service providers, instructing them on the actions to take when they receive an email that fails SPF, DKIM, or both checks, and appears to be from your domain—a sign it may be spoofed.

DMARC is an optional field for Sender Authentication. SendGrid will check for an existing DMARC policy at your domain and display it if found. If no DMARC policy is identified, SendGrid will return a simple default policy of v=DMARC1; p=none. For more information on DMARC, please refer to the article, Everything about DMARC.

Twilio SendGrid's DNS records

twilio-sendgrids-dns-records page anchor

During Domain Authentication setup, Twilio SendGrid's automated security will be enabled by default. If you leave automated security on, Twilio SendGrid will provide you with CNAME records that must be added to your domain. If you turn automated security off, you will be given one MX record and two TXT records instead.

As mentioned earlier, CNAME records link one domain to another domain. When Twilio SendGrid gives you CNAME records during Domain Authentication, they point to a domain Twilio SendGrid controls. This means that Twilio SendGrid can create and update your SPF and DKIM records for you. For example, if you purchase a dedicated IP address, Twilio SendGrid can add that address to your SPF automatically.

The CNAME record also allows Twilio SendGrid to route our click and open tracking statistics back to your Twilio SendGrid account where you can use them to adjust more sending behavior.

MX records specify the location of the server responsible for handling inbound email for a domain. When automated security is turned off, Twilio SendGrid will provide one MX record during Domain Authentication that must be added to your domain. This record enables the return-path(link takes you to an external page).

The return-path is an email header, and it defines an address that is separate from your original sending address. The return-path address tells email servers where to send feedback such as delayed bounces and unsubscribes.

TXT records allow you to add text information about your domain. DKIM and SPF are both implemented using TXT records with specific formatting. With automated security turned off, Twilio SendGrid will provide these TXT records to be added to your domain.

When automated security is turned off, you must update the TXT records on your domain manually when you make a change to your email configuration. For example, when you add a new IP address to your account, your SPF TXT record will need to be updated with the new IP information to prevent email delivery issues.

(information)

Info

If you choose to brand links during Domain Authentication, you will be given two additional CNAME records to support Link Branding. See our Link Branding documentation for more information.


Set up Domain Authentication

set-up-domain-authentication page anchor
(information)

Info

Each user may have a maximum of 3,000 authenticated domains and 3,000 link brandings. This limit is at the user level, meaning each Subuser belonging to a parent account may have its own 3,000 authenticated domains and 3,000 link brandings.

Before you begin setting up your domain

before-you-begin-setting-up-your-domain page anchor

To set up Domain Authentication, you must submit the DNS records provided by Twilio SendGrid to your DNS or hosting provider. Popular DNS providers include DNSimple, GoDaddy, Rackspace, and Cloudflare, but there are many others.

  1. Determine who your hosting provider is and make sure you have the access required to change your records.
  2. If you don't have access to your DNS or hosting provider, determine who in your company is able to make DNS modifications for your domain.

Manual or automated setup

manual-or-automated-setup page anchor
(error)

Danger

If you already have a DNS record with a custom name on your domain, adding a new record with a matching custom name will overwrite your existing DNS entry. This can happen if you Use a custom return-path and set the name to one that already exists in your DNS entries.

For example, let's assume you have a TXT record with the host email.example.com. If you set a custom return-path of email during Domain Authentication, Twilio SendGrid will create a record with the host email.example.com. When you complete automatic Domain Authentication, your existing TXT record will be replaced with Twilio SendGrid's record. This will likely break one of your existing services.

Be sure you are not completing Domain Authentication by using any custom names that already exist for records on your domain before proceeding.

Twilio SendGrid supports Domain Connect(link takes you to an external page), which can simplify the Domain Authentication process.If we have partnered with your DNS provider to support Domain Connect, you will have the option to authenticate with your DNS provider and allow Twilio SendGrid to configure the DNS changes for you. Both automatic and manual setup begin the same way with the "Setup steps required for both automatic and manual setup" that follow.

Setup steps required for both automatic and manual setup

setup-steps-required-for-both-automatic-and-manual-setup page anchor
  1. In the Twilio SendGrid App user interface (UI), select Settings > Sender Authentication.
  2. In the Domain Authentication section, click Get Started. The Authenticate Your Domain page will load.
  3. From the Authenticate Your Domain page, select your DNS host from the drop-down menu below the text: Which Domain Name Server (DNS) host do you use? You can select I'm not sure or Other Host (Not Listed) if necessary.
  4. You can choose to set up Link Branding by choosing Yes below the text: Would you also like to brand the links for this domain? If you choose No, you can add Link Branding at a later time. Link Branding is not a required part of the Domain Authentication process. See our Link Branding docs for more information.
(warning)

Warning

Link Branding is not currently supported by the automatic setup process. If you choose to brand links during Domain Authentication, you must add the Link Branding CNAME records to your domain manually.

  1. Click Next. A second Authenticate Your Domain page will load.
  2. From the new page, add the domain you want to authenticate below the text: Domain You Send From. This will be the domain that appears in the from address of your messages. For example, if you want your messages to be from addresses like orders@example.com, you will authenticate example.com. Make sure that you enter only your root domain <domain-name.top-level-domain>. Do not include a subdomain or protocol such as www or http://www in this field.
  3. Select the Advanced Settings appropriate for your needs. Most customers can leave Use automated security checked and continue. For more information about advanced settings, see the "Advanced settings" section of this page. Regional Email users must pin their domain to the EU region.
  4. Click Next. The Install DNS Records page will load.
  5. The Twilio SendGrid App will now determine if we can automatically finish the Domain Authentication process for you. If we can automatically finish the setup, you will be taken to the Automatic Setup tab. If we cannot automatically finish the setup, you will be taken to the Manual Setup tab.
  6. If you cannot modify your domain's DNS records, you can email the records to a colleague using the Send To A Coworker tab. The email includes a direct link to the records. The recipient doesn't need to log in to your Twilio SendGrid account.
(information)

Info

Automated setup is currently available for GoDaddy only. We plan to add support for additional DNS providers in the future.

(error)

Danger

If you already have a DNS record with a custom name on your domain, adding a new record with a matching custom name will overwrite your existing DNS entry. This can happen if you Use a custom return-path and set the name to one that already exists in your DNS entries.

For example, let's assume you have a TXT record with the host email.example.com. If you set a custom return-path of email during Domain Authentication, Twilio SendGrid will create a record with the host email.example.com. When you complete automatic Domain Authentication, your existing TXT record will be replaced with Twilio SendGrid's record. This will likely break one of your existing services.

Be sure you are not completing Domain Authentication by using any custom names that already exist for records on your domain before proceeding.

  1. From the Automated Setup tab, click Connect.
  2. A dialog box titled Connect <your DNS host> to Twilio SendGrid for this domain will load.
  3. A new window will also open where you can connect to your DNS host. In the new window, log in to your DNS host and follow the instructions to connect your domain.
  4. Once you see a success message in the new window, you can close it.
  5. In the Connect <your DNS host> to Twilio SendGrid for this domain dialog, Twilio SendGrid will attempt to verify the correct setup of your DNS records.
  6. Once your Domain Authentication setup is verified, the dialog will close, and you will see a success message in the Twilio SendGrid App UI.
  7. If verification is not successful, try clicking Verify again in 48 hours. It can take up to 48 hours for DNS changes to be applied. If you are still unable to verify Domain Authentication after 48 hours, please contact Twilio SendGrid support for help(link takes you to an external page).
  1. In the Manual Setup tab, you will see the DNS records that must be added with your DNS host provider. If you left Use automated security checked during the earlier configuration steps, you will have three CNAME records and one TXT record. If you unchecked Use automated security, you will see an MX record and three TXT records. For more information about these records, see the "Twilio SendGrid's DNS records" section of this page.
  2. Next, you will add the records displayed using your DNS provider. This process varies depending on your DNS host. Please see your host's documentation for details about working with their interfaces.
  3. Once you add the DNS records to your domain, return to the Twilio SendGrid App UI and click Verify.
  4. You should now see the records verified successfully.
  5. If only half of your records are verified, you likely need to wait a bit longer. It's also possible that you entered one of your records incorrectly. For other troubleshooting information, see Troubleshooting Sender Authentication.
  6. Any time that you send an email with a from address where the domain matches your authenticated domain, Twilio SendGrid applies that domain to your email. You only need to update your Domain Authentication if you want to update the domain you are emailing from.
(warning)

Warning

GoDaddy, Amazon Route 53, and Namecheap, among other providers, automatically append your domain to your new DNS record values, resulting in a CNAME entry that fails verification. For example, if your domain is example.com, and Twilio SendGrid's CNAME host value is em123.example.com, the incorrect record will become em123.example.com.example.com.

You can remedy this by pasting only the subdomain section of the host value, em123, into your DNS provider's host field. You do not need to modify the value of the record. Be sure to check your CNAME for this behavior if your domain doesn't validate initially.

(warning)

Warning

It can take up to 48 hours for the records to verify after you upload them into your DNS host, so you will likely have to come back later to verify.


During Domain Authentication setup, on the second Authenticate Your Domain page where you enter your domain, there is a drop-down menu labeled Advanced Settings. The following section explains each of these settings.

Automated security is different from automatic setup. Automated security allows Twilio SendGrid to handle the signing of your DKIM and the authentication of your SPF with CNAME records. This allows you to add a dedicated IP address or update your account without having to update your DNS records. For more information about how this works, see the "Twilio SendGrid's DNS records" section of this page.

Automated security defaults to On. If your DNS provider does not accept underscores in CNAME records, you will have to turn automated security off and use MX and TXT records.

(warning)

Warning

If you turn off automated security, you are responsible for managing and updating the MX and TXT records yourself.

Use a custom return-path

use-a-custom-return-path page anchor

You can use a custom return-path(link takes you to an external page) to customize the subdomain that tells receiving email servers where to route delayed bounces and unsubscribes.

  1. Select Use a custom return path and input letters or numbers to build a custom return-path. If you don't select these, Twilio SendGrid automatically selects them for you. Make sure the characters you select are different from those that Twilio SendGrid assigned you initially.

Use a custom DKIM selector

use-a-custom-dkim-selector page anchor

You can set a custom DKIM selector if you want to authenticate a single domain multiple times or if Twilio SendGrid's DKIM selector, s, is already in use by another service. This works by adding the custom selector to the domain as a custom subdomain.

  1. Select Use a custom DKIM selector and input three letters or numbers to build a custom subdomain. If you don't select these, Twilio SendGrid automatically selects them for you. Make sure the three characters you select are different from your original selection. For example, you could use org or 001.

When you authenticate a domain on a parent account, you can assign it to a Subuser. The Subuser will not see the authenticated domain assigned by the parent. This is intentional and prevents a Subuser from editing or deleting an authenticated domain from the parent or any other assigned Subusers.

The parent account owns the DNS records used to authenticate the domain and then grants the Subuser permission to use the authenticated domain. Authentication records are mapped to the account that creates them.

  1. Select Advanced Settings below the From Domain field. This will be on the second page of Domain Authentication setup in the Twilio SendGrid App.
  2. Select Assign to a subuser.
  3. A field will appear where you can select which Subuser to assign to the authenticated domain.
The Twilio SendGrid user interface with the sections that correspond to the written instructions on this page numbered and highlighted.

You can modify a Subuser's Domain Authentication assignments in the Subuser Management section of the Twilio SendGrid App(link takes you to an external page). See our Subusers documentation for more about Subusers.


DNS providers supported by Twilio SendGrid's automated setup

dns-providers-supported-by-twilio-sendgrids-automated-setup page anchor

Twilio SendGrid has partnered with the following DNS providers who support Domain Connect(link takes you to an external page) to automate the Domain Authentication process.


Migrate from legacy Domain Authentication (Domain Whitelabel)

migrate-from-legacy-domain-authentication-domain-whitelabel page anchor

If you authenticated a domain (Whitelabel) before 2015, your domain will still work. However, if you need to change or update it, you need to delete it and recreate it as an authenticated domain in our new system.