# Configure Domain Authentication

When configuring your Twilio SendGrid account, set up Domain Authentication. Domain Authentication improves your email reputation. Improved reputation enhances your email delivery rates and boosts trustworthiness with both email inbox providers and your recipients.

This tutorial explains the Twilio SendGrid Domain Authentication process. This process covers how to set up your domain and verify the legitimacy of sending email servers through [Domain Name System (DNS)][dns] entries. These requirements and practices apply to all reputable email delivery services.

* If you understand DNS record types and configuration, skip to the [setup instructions][].
* If you're less familiar with DNS or email-specific DNS records, keep reading.

## Domain Name System concepts

To determine which hostnames in a domain point to which IP addresses, the Domain Name System (DNS) checks each domain's records.

**For example**: DNS translates the hostname for an email server that humans can remember, like `email.example.com`, to an IP address.

### DNS record types

DNS includes many types of records. Each domain must include at least one of these records.

* An `A` record maps a domain to an IPv4 address.
* An `AAAA` record maps a domain to an IPv6 address.
* A Canonical Name (`CNAME`) record maps one domain to another domain or host.
* A Mail Exchanger (`MX`) record directs incoming email to the correct host for the domain.
* A `TXT` record stores arbitrary text for a domain. These records often get used for email security and administration.

Your DNS provider manages your DNS records so you can set and remove DNS entries for your domain.

To learn more, see the [Guide to Understanding DNS Record Types][dns-record-types].

### Email authentication using DNS

Authenticating email through DNS uses three types of authentication:

* *DomainKeys Identified Mail* (DKIM)
* *Sender Policy Framework* (SPF)
* *Domain-based Message Authentication, Reporting & Conformance* (DMARC)

#### DKIM

DKIM signs and verifies your email with [asymmetric encryption][asymm-encryption]. When you implement DKIM, your sending email server adds a cryptographic signature to your email message headers. Store your [DKIM public key][dkim-records] in a DNS `TXT` record.

#### SPF

The SPF email authentication standard allows you to list all IP addresses that can send email on behalf of your domain. Store the SPF IP address list in a DNS `TXT` record. The receiving email server compares the email sending server IP address to the IP address list stored in the SPF record.

#### DMARC

To prevent harm to your sender reputation, the [DMARC protocol][dmarc] verifies the email sending server. DMARC provides a policy to email service providers. This policy instructs providers how to act when they receive an email, apparently from your domain, that fails checks of SPF, DKIM, or both. Store your DMARC policy in a DNS `TXT` record.

Domain Authentication doesn't require DMARC. If Twilio SendGrid finds an existing DMARC policy at your domain, it displays that policy. If Twilio SendGrid doesn't find a DMARC policy, it returns the default policy: `v=DMARC1; p=none`.
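
How a receiving server turns a DMARC `TXT` record into an action, as an added sketch (not Twilio SendGrid code). The sample results are constructed, the organizational domain is passed in instead of being derived from the Public Suffix List, and the `pct` and `sp` tags are ignored.

```python
def parse_dmarc(txt):
    """Split a DMARC TXT record into lower-cased tag names and their values."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % txt)
    return tags


def aligned(auth_domain, from_domain, org_domain, mode):
    """Strict mode ("s") needs identical domains. Relaxed mode ("r") needs both
    domains to sit under the same organizational domain (assumption: the caller
    supplies org_domain, because deriving it needs the Public Suffix List)."""
    auth, frm, org = (d.lower().rstrip(".") for d in (auth_domain, from_domain, org_domain))
    if mode == "s":
        return auth == frm

    def under_org(domain):
        return domain == org or domain.endswith("." + org)

    return under_org(auth) and under_org(frm)


def dmarc_disposition(txt, from_domain, org_domain, spf, dkim):
    """spf and dkim are (result, authenticated_domain) pairs from earlier checks.

    Returns "pass", or the policy the domain owner asks the receiver to apply.
    """
    tags = parse_dmarc(txt)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, org_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, org_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"          # one aligned pass is enough
    return tags["p"]           # none, quarantine or reject


# Constructed sample data: the same message judged before and after the
# SPF and DKIM domains are moved under the from domain.
DEFAULT_POLICY = "v=DMARC1; p=none"        # default policy quoted on this page
ENFORCING_POLICY = "v=DMARC1; p=reject"    # constructed
FROM_DOMAIN = ORG_DOMAIN = "example.com"
SHARED_DOMAIN = {"spf": ("pass", "sendgrid.net"), "dkim": ("pass", "sendgrid.net")}
OWN_DOMAIN = {"spf": ("pass", "em123.example.com"), "dkim": ("pass", "example.com")}

if __name__ == "__main__":
    for policy in (DEFAULT_POLICY, ENFORCING_POLICY):
        for label, results in (("shared domain", SHARED_DOMAIN), ("own domain", OWN_DOMAIN)):
            print(policy, "|", label, "->",
                  dmarc_disposition(policy, FROM_DOMAIN, ORG_DOMAIN, **results))
```

With `p=none` an unaligned message still returns `none`, meaning the receiver is asked to take no action; the record only becomes protective once the policy is `quarantine` or `reject`.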

### DNS records needed for Twilio SendGrid Domain Authentication

During Domain Authentication setup, Twilio SendGrid turns on security by default.

* If you leave these security features turned on, Twilio SendGrid generates `CNAME` records to add to your domain.
* If you turn off security, Twilio SendGrid generates one `MX` record and two `TXT` records.

#### Canonical Name records

When Twilio SendGrid generates `CNAME` records during Domain Authentication, they map to a host in a domain that Twilio SendGrid controls. This means that Twilio SendGrid can create and update your SPF and DKIM records for you.

**For example**: If you purchase a dedicated IP address, Twilio SendGrid adds that IP address to the SPF record for your domain.

The `CNAME` record allows Twilio SendGrid to route click and open tracking statistics to your Twilio SendGrid account.

To support [Link Branding][link-branding] through Domain Authentication, Twilio offers two additional `CNAME` records.

#### Mail Exchanger records

When you turn off **Automated Security**, Twilio SendGrid generates one `MX` record for you to add to your domain. This record enables the [`return-path`][return-path].

The `return-path` email header defines an address separate from your original sending address. The `return-path` address tells email servers where to send feedback such as delayed bounces and unsubscribes.

#### Text records

To implement DKIM, SPF, and DMARC, use `TXT` records with specific formatting.

* With automated security turned off, Twilio SendGrid generates these `TXT` records to add to your domain.
* When you turn off automated security then make a change to your email configuration, update the `TXT` records on your domain.

**For example**: When you add an IP address to your account, update your SPF `TXT` record with the IP address to prevent email delivery issues.
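
The comparison a receiving server makes against an SPF record, and the delivery failure the example above warns about when the record is not updated, as an added sketch (not Twilio SendGrid code). The records and addresses are constructed from documentation ranges, and only the `ip4`, `ip6` and `all` mechanisms are evaluated; terms that need DNS lookups are reported, not resolved.

```python
import ipaddress

# Qualifier prefix -> SPF result (RFC 7208); a mechanism with no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip):
    """Evaluate ip4, ip6 and all mechanisms left to right; the first match wins.

    Returns (result, skipped). skipped lists terms such as include: or mx
    that need DNS lookups and are not resolved in this offline sketch.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", []                      # no SPF record to evaluate
    ip = ipaddress.ip_address(sender_ip)
    skipped = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier], skipped
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror", skipped    # malformed address in the record
            if ip in network:                  # False when the IP versions differ
                return QUALIFIERS[qualifier], skipped
        else:
            skipped.append(term)
    return "neutral", skipped                  # nothing matched and no "all"


# Constructed sample data (documentation address ranges, not real senders).
SPF_BEFORE = "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 -all"
NEW_DEDICATED_IP = "203.0.113.7"
SPF_AFTER = "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 ip4:203.0.113.7 -all"

if __name__ == "__main__":
    for label, record in (("before update", SPF_BEFORE), ("after update", SPF_AFTER)):
        print(label, check_spf(record, NEW_DEDICATED_IP))
```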

Twilio SendGrid added a DMARC record on the DNS records page in the console. Completing this tutorial provides the data your organization needs to meet the inbox provider DMARC requirements. These inbox providers may block email that doesn't contain a valid DMARC record.

## Set up Domain Authentication

When sending email, set DNS records on the domain that make the following assertions:

1. Communicate to receiving email servers that you own the domain the email was sent *from*.
2. Verify that you have given the sending email server permission to send email on behalf of the domain.

The Twilio SendGrid process for setting up your domain and its DNS entries includes Domain Authentication. After configuring Domain Authentication, you have the following benefits:

* You can remove `via sendgrid.net` (or `via eu.sendgrid.net` for Regional customers) beside the *from* address in your messages.
* You can improve trust in the legitimacy of your messages for both receiving email servers and human recipients. This improves your probability of reaching an inbox instead of a spam folder.

> [!NOTE]
>
> Each user may have a maximum of 3,000 authenticated domains and 3,000 link brandings. The limit applies to each individual *user* and *subuser*: each Subuser belonging to a parent account may have its own 3,000 authenticated domains and 3,000 link brandings.

### Prerequisites

Setting up Domain Authentication requires changes to your DNS records. Before you proceed, do the following:

* Identify your domain provider.
* Confirm who has access or permission to change DNS records with your provider.
* To use EU-pinned domains or link branding, your account must be on the Email API Pro (or higher) plan or the Marketing Campaigns Advanced (or higher) plan. Learn more about [how to send Emails with Twilio SendGrid on EU servers][eu-email].

### Setup options

To set up Domain Authentication, choose from three options:

1. **Automated Setup**: Have Twilio SendGrid configure it for you.
   Twilio SendGrid supports [Domain Connect][] with [GoDaddy][]. Log in to GoDaddy and give Twilio SendGrid permission to configure your DNS changes.

   > [!NOTE]
   >
   > Twilio SendGrid only supports automated setup with three conditions:
   >
   > * GoDaddy hosts the domains.
   > * You left automated security turned on.
   > * You're not using Link Branding.
2. **Manual Setup**: Configure the changes yourself.
3. **Send To A Coworker**: Send an email to a coworker with access to the DNS host so they can make the changes.

## Automated Setup

1. In the Twilio SendGrid console, select **Settings** > [**Sender Authentication**][sender-auth].
2. In the **Domain Authentication** section, click **Get Started**. The **Authenticate Your Domain** page appears.
3. From the **Authenticate Your Domain** page, select your DNS host from the **Which Domain Name Server (DNS) host do you use?** dropdown.
   You can select **I'm not sure** or **Other Host (Not Listed)** if necessary.
4. To use branded links, toggle **Would you also like to brand the links for this domain?** to **Yes**.

   If you choose **No**, you can add Link Branding later.

   To learn more about link branding, see [How to Set up Link Branding][link-branding].
5. Click **Next**.
6. In the **Domain You Send From** box, type the domain you want to authenticate.

   * This domain would appear in the *from* address of your messages.
   * Type only your root domain `<domain-name.top-level-domain>`.
   * Omit any subdomains or protocols like `www` or `http://www`.

   **For example**: To send messages from addresses like `orders@example.com`, type `example.com`.
7. Click [**Advanced Settings**](#advanced-settings).
   1. Check [**Use automated security**][use-automated-security].
      * Leave **Use automated security** checked.
      * When checked, Twilio SendGrid handles the signing of your DKIM and the authentication of your SPF with `CNAME` records.
   2. If you want to override the return path, check [**Use custom return path**][use-a-custom-return-path].
      * This `return-path` informs receiving email servers where to route delayed bounces and unsubscribes.
      * The **Return Path** box appears.
      * Type a custom domain into the **Return Path** box.
   3. If another service uses a DKIM selector of `s`, check [**Use a custom DKIM selector**][use-a-custom-dkim-selector].
      * The **DKIM Selector** box appears.
      * Type a set of three characters in this box.
   4. If you need to limit your domain to the European Union, check **Make domain EU-pinned**.
      * Regional email users must pin their domain to the EU region.
8. Select the **Advanced Settings** appropriate for your needs.
9. Click **Next**. The **Install DNS Records** page appears.
10. If Twilio SendGrid can finish the Domain Authentication process, the **Automatic Setup** tab appears.
    * If not, the **Manual Setup** tab appears.

[sender-auth]: https://app.sendgrid.com/settings/sender_auth

[link-branding]: /docs/sendgrid/ui/account-and-settings/how-to-set-up-link-branding

[use-automated-security]: /docs/sendgrid/ui/account-and-settings/how-to-set-up-domain-authentication#use-automated-security

[use-a-custom-return-path]: /docs/sendgrid/ui/account-and-settings/how-to-set-up-domain-authentication#use-a-custom-return-path

[use-a-custom-dkim-selector]: /docs/sendgrid/ui/account-and-settings/how-to-set-up-domain-authentication#use-a-custom-dkim-selector

11. From the **Automated Setup** tab, click **Connect**.
12. A modal titled **Connect GoDaddy to Twilio SendGrid for this domain** appears.
13. Log in to your GoDaddy account and connect to your domain.
14. Twilio SendGrid tries to verify your DNS records.
    * If GoDaddy verification succeeds, the modal closes. The Twilio SendGrid console displays a success message.
    * If GoDaddy verification fails, close this modal.
      * Click **Verify** again in 48 hours. DNS changes can take up to 48 hours to apply.
      * If Domain Authentication hasn't been verified after 48 hours, contact [Twilio SendGrid support][sg-support].

## Manual Setup

1. In the Twilio SendGrid console, select **Settings** > [**Sender Authentication**][sender-auth].
2. In the **Domain Authentication** section, click **Get Started**. The **Authenticate Your Domain** page appears.
3. From the **Authenticate Your Domain** page, select your DNS host from the **Which Domain Name Server (DNS) host do you use?** dropdown.
   You can select **I'm not sure** or **Other Host (Not Listed)** if necessary.
4. To use branded links, toggle **Would you also like to brand the links for this domain?** to **Yes**.

   If you choose **No**, you can add Link Branding later.

   To learn more about link branding, see [How to Set up Link Branding][link-branding].
5. Click **Next**.
6. In the **Domain You Send From** box, type the domain you want to authenticate.

   * This domain would appear in the *from* address of your messages.
   * Type only your root domain `<domain-name.top-level-domain>`.
   * Omit any subdomains or protocols like `www` or `http://www`.

   **For example**: To send messages from addresses like `orders@example.com`, type `example.com`.
7. Click [**Advanced Settings**](#advanced-settings).
   1. Check [**Use automated security**][use-automated-security].
      * Leave **Use automated security** checked.
      * When checked, Twilio SendGrid handles the signing of your DKIM and the authentication of your SPF with `CNAME` records.
   2. If you want to override the return path, check [**Use custom return path**][use-a-custom-return-path].
      * This `return-path` informs receiving email servers where to route delayed bounces and unsubscribes.
      * The **Return Path** box appears.
      * Type a custom domain into the **Return Path** box.
   3. If another service uses a DKIM selector of `s`, check [**Use a custom DKIM selector**][use-a-custom-dkim-selector].
      * The **DKIM Selector** box appears.
      * Type a set of three characters in this box.
   4. If you need to limit your domain to the European Union, check **Make domain EU-pinned**.
      * Regional email users must pin their domain to the EU region.
8. Select the **Advanced Settings** appropriate for your needs.
9. Click **Next**. The **Install DNS Records** page appears.
10. If Twilio SendGrid can finish the Domain Authentication process, the **Automatic Setup** tab appears.
    * If not, the **Manual Setup** tab appears.

11. The **Manual Setup** tab displays the [DNS records for your DNS host provider][sg-dns].
    * If you turned on **Use automated security**, the first step on this page displays three `CNAME` records and one `TXT` record.
    * If you turned off **Use automated security**, the first step on this page displays an `MX` record and three `TXT` records.
12. To add the records displayed, follow the instructions for your DNS provider.
13. After adding the DNS records to your domain, return to the Twilio SendGrid console and click **Verify**.
    * If verification succeeded, you should see the records.
    * If Twilio SendGrid verified only half of your records, wait. It's also possible that you entered one of your records incorrectly.
    * If you need help, see [Troubleshooting Sender Authentication][sender-auth-ts].
14. Any time that you send an email with a `from` address where the domain matches your authenticated domain, Twilio SendGrid applies that domain to your email. If you want to update the domain you are emailing from, you only need to update your Domain Authentication.

## Send To A Coworker

1. If you can't modify your domain's DNS records, click the **Send To A Coworker** tab.
2. Type the desired email address in the **To** box.
3. Type the message you want your colleague to receive in the **Message** box.

The email includes a direct link to the records. The recipient doesn't need to log in to your Twilio SendGrid account.

> [!WARNING]
>
> GoDaddy, Amazon Route 53, and Namecheap, among other providers, append your domain to your added DNS record values, resulting in a `CNAME` entry that fails verification.
>
> **For example**:
>
> * Your domain is `example.com`.
> * The Twilio SendGrid `CNAME` host value is `em123.example.com`.
> * The provider creates an incorrect record: `em123.example.com.example.com`.
>
> To remedy this, only type the host value into your DNS provider's host field. In this example, the host value is `em123`. Don't modify the value of the record. If your domain doesn't validate, check the generated `CNAME` record.

> [!NOTE]
>
> DNS verification can take up to 48 hours after upload. To find out whether verification completed, return to this page.

## Advanced settings

During Domain Authentication setup, the second **Authenticate Your Domain** page includes a drop-down menu labeled **Advanced Settings**. The following section explains each of these settings.

### Use automated security

*Automated security* differs from *automatic setup*. Automated security lets Twilio SendGrid manage the signing of your DKIM and the authentication of your SPF with `CNAME` records. This allows you to add a dedicated IP address or update your account without having to update your DNS records.

Automated security defaults to **On**. If your DNS provider doesn't accept underscores in `CNAME` records, turn off **Automated Security** then use `MX` and `TXT` records.

If you turn off automated security, you need to manage and update the `MX` and `TXT` records yourself.

To learn more about how this works, see [Twilio SendGrid DNS records][sg-dns].

### Use a custom return-path

To customize the subdomain, use a custom [`return-path`][return-path].
This `return-path` informs receiving email servers where to route delayed bounces and unsubscribes.

> [!WARNING]
>
> If you have a DNS record with a custom name in your domain, adding another record with a matching custom name overwrites your existing DNS entry. This can happen if you **Use a custom return-path** and set the name to an existing one in your DNS records.
>
> **For example**: You have a `TXT` record with the host `email.example.com`. If you set a custom `return-path` of `email` during Domain Authentication, Twilio SendGrid creates a record with the host `email.example.com`. When it completes Domain Authentication, it replaces your existing `TXT` record with the Twilio SendGrid record. This could break one of your existing services.
>
> When completing Domain Authentication, never use the custom names for existing records in your domain.

To build a custom `return-path`:

1. Select **Use a custom return path**.
2. Type the letters or numbers.

If you don't select these, Twilio SendGrid selects them for you.
Verify that your selected characters differ from those that Twilio SendGrid assigned you.
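
A pre-flight check for the two record-name problems this page warns about, the provider appending your domain a second time and a custom return path colliding with an existing record, as an added example (not Twilio SendGrid code). The zone contents and record names are constructed, and the function names and finding labels are hypothetical.

```python
def normalize(name):
    """Lower-case a DNS name and drop surrounding space and the trailing dot."""
    return name.strip().lower().rstrip(".")


def host_field_value(fqdn, zone):
    """Return what to type into a host field when the provider appends the
    zone itself: the record name with the zone suffix removed."""
    name, zone = normalize(fqdn), normalize(zone)
    if name == zone:
        return "@"             # common provider convention for the zone apex
    if not name.endswith("." + zone):
        raise ValueError(f"{fqdn} is not inside {zone}")
    return name[: -len(zone) - 1]


def doubled_suffix(name, zone):
    """True when a published name carries the zone twice,
    as in em123.example.com.example.com."""
    zone = normalize(zone)
    return normalize(name).endswith(f".{zone}.{zone}")


def preflight(zone, existing_names, new_records):
    """Compare the records to be added with the names already in the zone.

    Returns a list of (record_name, finding) tuples; an empty list means
    no problem was found.
    """
    existing = {normalize(n) for n in existing_names}
    findings = []
    for _rtype, name in new_records:
        name = normalize(name)
        if doubled_suffix(name, zone):
            findings.append((name, "doubled-zone"))
        elif name in existing:
            findings.append((name, "name-collision"))
    return findings


# Constructed sample data: a zone that already has a TXT record at
# email.example.com, and a record set where the custom return path was
# set to "email".
ZONE = "example.com"
EXISTING = ["www.example.com", "email.example.com"]
NEW_RECORDS = [
    ("CNAME", "email.example.com"),
    ("CNAME", "s1._domainkey.example.com"),
]

if __name__ == "__main__":
    print(host_field_value("em123.example.com", ZONE))
    print(preflight(ZONE, EXISTING, NEW_RECORDS))
    print(preflight(ZONE, EXISTING, [("CNAME", "em123.example.com.example.com")]))
```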

### Use a custom DKIM selector

You might set a custom DKIM selector for one of two reasons:

1. You want to authenticate a single domain multiple times.
2. Another service uses the Twilio SendGrid DKIM selector, `s`.

To set a custom DKIM selector, add the custom selector to the domain as a custom subdomain.

1. Select **Use a custom DKIM selector**.
2. Type three letters or numbers to build a custom subdomain.
   * If you don't select these, Twilio SendGrid selects them for you.
   * Type three characters different from your original selection.
     **For example**: you could use `org` or `001`.

## Migrate from legacy Domain Authentication

Any domains authenticated before 2015 can't be updated or changed. To change or update such a domain, delete it and recreate it as an authenticated domain.

## Additional resources

* [Troubleshooting Sender Authentication][sender-auth-ts]
* [How to set up link branding][link-branding]
* [How to set up reverse DNS][reverse-dns]
* [Configuring Sign in with Apple][apple-signin]

[asymm-encryption]: https://www.twilio.com/blog/what-is-public-key-cryptography

[apple-signin]: /docs/sendgrid/ui/account-and-settings/configuring-sign-in-with-apple

[dkim-records]: /docs/sendgrid/ui/account-and-settings/dkim-records

[dmarc]: /docs/sendgrid/ui/sending-email/dmarc

[dns]: /docs/sendgrid/glossary/dns

[dns-record-types]: https://dnsmadeeasy.com/resources/guide-to-understanding-dns-record-types

[Domain Connect]: https://www.domainconnect.org

[GoDaddy]: https://www.godaddy.com

[reverse-dns]: /docs/sendgrid/ui/account-and-settings/how-to-set-up-reverse-dns

[return-path]: https://www.twilio.com/en-us/blog/insights/what-is-return-path

[sender-auth-ts]: /docs/sendgrid/ui/account-and-settings/troubleshooting-sender-authentication

[setup instructions]: #set-up-domain-authentication

[sg-dns]: #dns-records-needed-for-twilio-sendgrid-domain-authentication

[sg-support]: https://support.sendgrid.com/hc/en-us

[eu-email]: https://www.twilio.com/en-us/blog/send-emails-in-eu
