How to Set Up Domain Authentication

When sending email, you must set Domain Name System (DNS) records on the domain to:

1. Communicate to receiving email servers that you own the domain the email was sent from.
2. Verify that you have given the sending email server permission to send email on behalf of the domain.

Domain Authentication, formerly known as Domain Whitelabel, is Twilio SendGrid's process for domain setup and setting the DNS entries that grant us permission to send email on your behalf. Once you have completed Domain Authentication by following the instructions on this page:

• Your recipients will no longer see "via sengrid.net" (or "via eu.sendgrid.net" for Regional customers) beside the from address of your messages.
• Both receiving email servers and human recipients will be more likely to trust the legitimacy of your messages, which means you're more likely to reach an inbox than a spam folder.

Having a high level understanding of the following terms will help as you learn more about email deliverability. However, you do not need to become an email deliverability expert to send email with Twilio SendGrid. If you wish to continue with Domain Authentication setup, skip ahead to the setup instructions.

As mentioned earlier, Domain Name System (DNS) records are essential to verifying which email servers are allowed to send email on behalf of your domain. DNS is a naming system for domains on the internet. It resolves domains humans can remember, like sendgrid.com, to IP addresses that belong to specific computers.

There are several types of DNS records. An A record points a domain directly to an IP address where requested resources can be found. However, some records, such as CNAME records, link a domain to another domain or "host." Other records, such as TXT records, allow a domain owner to store text information about the domain. A single domain may have many records of varying types. For example, your domain may have an A record pointing to the IP address of your web server and CNAME records pointing to the cloud service that handles your email.

DNS records are managed using your DNS provider or host. Popular DNS providers include DNSimple, GoDaddy, Rackspace, and Cloudflare, but there are many others. These providers allow you to set and remove DNS entries for your domain.

When working with an email provider such as Twilio SendGrid, you should be aware of three types of email authentication: DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting & Conformance (DMARC). DKIM, SPF and DMARC are all implemented in part by setting records on your domain. DMARC is encouraged, but not a requirement for email authentication.

DomainKeys Identified Mail (DKIM) is an authentication method that uses asymmetric encryption to sign and verify your email. With DKIM implemented, the sending email server adds a cryptographic signature to your emails' headers. The DKIM record is a TXT record that stores the DKIM public key. For more information about how DKIM works, see DKIM Records Explained.

Sender Policy Framework (SPF) is an email authentication standard developed by AOL that allows you to list all the IP addresses that are authorized to send email on behalf of your domain. The SPF record is a TXT record that lists the IP addresses approved by the domain owner. The receiving server can compare the email sender's actual IP address to the list in the SPF record. For more information about how SPF works, see SPF Records Explained.

Domain-based Message Authentication, Reporting & Conformance (DMARC) is a protocol that verifies the authenticity of an email's sender. It helps prevent malicious senders from harming your sender reputation. DMARC provides a policy to email service providers, instructing them on the actions to take when they receive an email that fails SPF, DKIM, or both checks, and appears to be from your domain—a sign it may be spoofed.

DMARC is an optional field for Sender Authentication. SendGrid will check for an existing DMARC policy at your domain and display it if found. If no DMARC policy is identified, SendGrid will return a simple default policy of v=DMARC1; p=none. For more information on DMARC, please refer to the article, Everything about DMARC.

During Domain Authentication setup, Twilio SendGrid's automated security will be enabled by default. If you leave automated security on, Twilio SendGrid will provide you with CNAME records that must be added to your domain. If you turn automated security off, you will be given one MX record and two TXT records instead.

As mentioned earlier, CNAME records link one domain to another domain. When Twilio SendGrid gives you CNAME records during Domain Authentication, they point to a domain Twilio SendGrid controls. This means that Twilio SendGrid can create and update your SPF and DKIM records for you. For example, if you purchase a dedicated IP address, Twilio SendGrid can add that address to your SPF automatically.

The CNAME record also allows Twilio SendGrid to route our click and open tracking statistics back to your Twilio SendGrid account where you can use them to adjust more sending behavior.

MX records specify the location of the server responsible for handling inbound email for a domain. When automated security is turned off, Twilio SendGrid will provide one MX record during Domain Authentication that must be added to your domain. This record enables the return-path.

The return-path is an email header, and it defines an address that is separate from your original sending address. The return-path address tells email servers where to send feedback such as delayed bounces and unsubscribes.

TXT records allow you to add text information about your domain. DKIM and SPF are both implemented using TXT records with specific formatting. With automated security turned off, Twilio SendGrid will provide these TXT records to be added to your domain.

When automated security is turned off, you must update the TXT records on your domain manually when you make a change to your email configuration. For example, when you add a new IP address to your account, your SPF TXT record will need to be updated with the new IP information to prevent email delivery issues.

To set up Domain Authentication, you must submit the DNS records provided by Twilio SendGrid to your DNS or hosting provider. Popular DNS providers include DNSimple, GoDaddy, Rackspace, and Cloudflare, but there are many others.

1. Determine who your hosting provider is and make sure you have the access required to change your records.
2. If you don't have access to your DNS or hosting provider, determine who in your company is able to make DNS modifications for your domain.

Twilio SendGrid supports Domain Connect, which can simplify the Domain Authentication process.If we have partnered with your DNS provider to support Domain Connect, you will have the option to authenticate with your DNS provider and allow Twilio SendGrid to configure the DNS changes for you. Both automatic and manual setup begin the same way with the "Setup steps required for both automatic and manual setup" that follow.

1. In the Twilio SendGrid App user interface (UI), select Settings > Sender Authentication.
2. In the Domain Authentication section, click Get Started. The Authenticate Your Domain page will load.
3. From the Authenticate Your Domain page, select your DNS host from the drop-down menu below the text: Which Domain Name Server (DNS) host do you use? You can select I'm not sure or Other Host (Not Listed) if necessary.
4. You can choose to set up Link Branding by choosing Yes below the text: Would you also like to brand the links for this domain? If you choose No, you can add Link Branding at a later time. Link Branding is not a required part of the Domain Authentication process. See our Link Branding docs for more information.

5. Click Next. A second Authenticate Your Domain page will load.
6. From the new page, add the domain you want to authenticate below the text: Domain You Send From. This will be the domain that appears in the from address of your messages. For example, if you want your messages to be from addresses like orders@example.com, you will authenticate example.com. Make sure that you enter only your root domain <domain-name.top-level-domain>. Do not include a subdomain or protocol such as www or http://www in this field.
7. Select the Advanced Settings appropriate for your needs. Most customers can leave Use automated security checked and continue. For more information about advanced settings, see the "Advanced settings" section of this page. Regional Email users must pin their domain to the EU region.
8. Click Next. The Install DNS Records page will load.
9. The Twilio SendGrid App will now determine if we can automatically finish the Domain Authentication process for you. If we can automatically finish the setup, you will be taken to the Automatic Setup tab. If we cannot automatically finish the setup, you will be taken to the Manual Setup tab.
10. If you cannot modify your domain's DNS records, you can email the records to a colleague using the Send To A Coworker tab. The email includes a direct link to the records. The recipient doesn't need to log in to your Twilio SendGrid account.

1. From the Automated Setup tab, click Connect.
2. A dialog box titled Connect <your DNS host> to Twilio SendGrid for this domain will load.
3. A new window will also open where you can connect to your DNS host. In the new window, log in to your DNS host and follow the instructions to connect your domain.
4. Once you see a success message in the new window, you can close it.
5. In the Connect <your DNS host> to Twilio SendGrid for this domain dialog, Twilio SendGrid will attempt to verify the correct setup of your DNS records.
6. Once your Domain Authentication setup is verified, the dialog will close, and you will see a success message in the Twilio SendGrid App UI.
7. If verification is not successful, try clicking Verify again in 48 hours. It can take up to 48 hours for DNS changes to be applied. If you are still unable to verify Domain Authentication after 48 hours, please contact Twilio SendGrid support for help.

1. In the Manual Setup tab, you will see the DNS records that must be added with your DNS host provider. If you left Use automated security checked during the earlier configuration steps, you will have three CNAME records and one TXT record. If you unchecked Use automated security, you will see an MX record and three TXT records. For more information about these records, see the "Twilio SendGrid's DNS records" section of this page.
2. Next, you will add the records displayed using your DNS provider. This process varies depending on your DNS host. Please see your host's documentation for details about working with their interfaces.
3. Once you add the DNS records to your domain, return to the Twilio SendGrid App UI and click Verify.
4. You should now see the records verified successfully.
5. If only half of your records are verified, you likely need to wait a bit longer. It's also possible that you entered one of your records incorrectly. For other troubleshooting information, see Troubleshooting Sender Authentication.
6. Any time that you send an email with a from address where the domain matches your authenticated domain, Twilio SendGrid applies that domain to your email. You only need to update your Domain Authentication if you want to update the domain you are emailing from.

During Domain Authentication setup, on the second Authenticate Your Domain page where you enter your domain, there is a drop-down menu labeled Advanced Settings. The following section explains each of these settings.

Automated security is different from automatic setup. Automated security allows Twilio SendGrid to handle the signing of your DKIM and the authentication of your SPF with CNAME records. This allows you to add a dedicated IP address or update your account without having to update your DNS records. For more information about how this works, see the "Twilio SendGrid's DNS records" section of this page.

Automated security defaults to On. If your DNS provider does not accept underscores in CNAME records, you will have to turn automated security off and use MX and TXT records.

You can use a custom return-path to customize the subdomain that tells receiving email servers where to route delayed bounces and unsubscribes.

1. Select Use a custom return path and input letters or numbers to build a custom return-path. If you don't select these, Twilio SendGrid automatically selects them for you. Make sure the characters you select are different from those that Twilio SendGrid assigned you initially.

You can set a custom DKIM selector if you want to authenticate a single domain multiple times or if Twilio SendGrid's DKIM selector, s, is already in use by another service. This works by adding the custom selector to the domain as a custom subdomain.

1. Select Use a custom DKIM selector and input three letters or numbers to build a custom subdomain. If you don't select these, Twilio SendGrid automatically selects them for you. Make sure the three characters you select are different from your original selection. For example, you could use org or 001.

When you authenticate a domain on a parent account, you can assign it to a Subuser. The Subuser will not see the authenticated domain assigned by the parent. This is intentional and prevents a Subuser from editing or deleting an authenticated domain from the parent or any other assigned Subusers.

The parent account owns the DNS records used to authenticate the domain and then grants the Subuser permission to use the authenticated domain. Authentication records are mapped to the account that creates them.

1. Select Advanced Settings below the From Domain field. This will be on the second page of Domain Authentication setup in the Twilio SendGrid App.
2. Select Assign to a subuser.
3. A field will appear where you can select which Subuser to assign to the authenticated domain.

Expand image

You can modify a Subuser's Domain Authentication assignments in the Subuser Management section of the Twilio SendGrid App. See our Subusers documentation for more about Subusers.

Twilio SendGrid has partnered with the following DNS providers who support Domain Connect to automate the Domain Authentication process.

• GoDaddy

If you authenticated a domain (Whitelabel) before 2015, your domain will still work. However, if you need to change or update it, you need to delete it and recreate it as an authenticated domain in our new system.

• Troubleshooting Sender Authentication
• How to set up link branding
• How to set up reverse DNS
• Configuring Sign in with Apple