SendGrid domain authentication (formerly 'domain whitelabeling') adds DKIM signing to your emails using your own domain. This is essential for good deliverability — without it, emails show as sent 'via sendgrid.net' and many spam filters score them lower.
Important: The exact CNAME values are unique to your SendGrid account. The table below shows the format — get your actual values from SendGrid → Settings → Sender Authentication.
DNS Records Required
| Type | Host | Value | TTL | Notes |
|---|---|---|---|---|
| CNAME | em1234.yourdomain.com | u1234.wl.sendgrid.net | 3600 | Replace em1234 and u1234 with your SendGrid values |
| CNAME | s1._domainkey.yourdomain.com | s1.domainkey.u1234.wl.sendgrid.net | 3600 | DKIM key 1 |
| CNAME | s2._domainkey.yourdomain.com | s2.domainkey.u1234.wl.sendgrid.net | 3600 | DKIM key 2 |
| TXT | @ | v=spf1 include:sendgrid.net ~all | 3600 | Add sendgrid.net to existing SPF — don't replace it |
Step-by-Step Setup
Go to Sender Authentication in SendGrid
In SendGrid → Settings → Sender Authentication → Domain Authentication. Click Authenticate a Domain.
Choose your DNS provider
Select your DNS host from the list (or 'Other'). Enter your domain name and optionally set up click tracking.
Copy your CNAME records
SendGrid generates 3 CNAME records unique to your account. Copy all 3 — the exact subdomains and values contain your account ID.
Add CNAMEs to DNS
Add all 3 CNAME records to your DNS provider. The host names will look like em1234 and s1._domainkey, s2._domainkey.
Click Verify in SendGrid
Return to SendGrid and click Verify. DNS changes may take a few minutes to an hour to propagate.
Update SPF record
Add include:sendgrid.net to your existing SPF record. Don't create a new one — merge it: v=spf1 [existing includes] include:sendgrid.net ~all
Copy-ready records: Use the DNS Record Builder — select this service from the dropdown and enter your domain to get all records formatted and ready to copy.
After Adding Records
DNS changes can take anywhere from a few minutes to 24 hours to propagate. Use the DNS Propagation Checker to verify your records are live globally, then return to the service's admin console to verify domain ownership.
SendGrid uses CNAMEs that point to their own DNS for DKIM keys. This lets SendGrid rotate keys without requiring you to update your DNS every time.
Yes, add include:sendgrid.net to your existing SPF record. If you don't have one, create: v=spf1 include:sendgrid.net ~all
DNS changes take time to propagate. Wait 30–60 minutes after adding records before clicking Verify. Also ensure you've added all 3 CNAMEs, not just one or two.