How to Set Up Domain Authentication
When configuring your Twilio SendGrid account, set up Domain Authentication. Domain Authentication improves your email reputation. Improved reputation enhances your email delivery rates and boosts trustworthiness with both email inbox providers and your recipients.
This tutorial explains the Twilio SendGrid Domain Authentication process. The process covers how to set up your domain and verify the legitimacy of your sending email servers through Domain Name System (DNS) entries. These requirements and practices apply to all reputable email delivery services.
- If you understand DNS record types and configuration, skip to the setup instructions.
- If you're less familiar with DNS or email-specific DNS records, keep reading.
To determine which hostnames in a domain point to which IP addresses, the Domain Name System checks each domain's records.
For example: DNS translates the hostname for an email server that humans can remember, like email.example.com, to an IP address.
DNS includes many types of records. Each domain must include at least one of these records.
- An `A` record maps a domain to an IPv4 address.
- An `AAAA` record maps a domain to an IPv6 address.
- A Canonical Name (`CNAME`) record maps one domain to another domain or host.
- A Mail Exchanger (`MX`) record directs incoming email to the correct host for the domain.
- A `TXT` record stores arbitrary text for a domain. These records are often used for email security and administration.
Your DNS provider manages your DNS records so you can set and remove DNS entries for your domain.
To learn more, see the Guide to Understanding DNS Record Types.
Authenticating email through DNS uses three types of authentication:
- DomainKeys Identified Mail (DKIM)
- Sender Policy Framework (SPF)
- Domain-based Message Authentication, Reporting & Conformance (DMARC).
DKIM signs and verifies your email with asymmetric (public-key) cryptography. When you implement DKIM, your sending email server adds a cryptographic signature to your email message headers. Store your DKIM public key in a DNS TXT record.
The SPF email authentication standard allows you to list all IP addresses that can send email on behalf of your domain. Store the SPF IP address list in a DNS TXT record. The receiving email server compares the email sending server IP address to the IP address list stored in the SPF record.
To prevent harm to your sender reputation, the DMARC protocol verifies the email sending server. DMARC provides a policy to email service providers. This policy instructs providers how to act when they receive an email, apparently from your domain, that fails checks of SPF, DKIM, or both. Store your DMARC policy in a DNS TXT record.
Domain Authentication doesn't require DMARC. If Twilio SendGrid finds an existing DMARC policy at your domain, it displays that policy. If Twilio SendGrid doesn't find a DMARC policy, it returns the default policy: `v=DMARC1; p=none`.
During Domain Authentication setup, Twilio SendGrid turns on security by default.
- If you leave these security features turned on, Twilio SendGrid generates `CNAME` records to add to your domain.
- If you turn off security, Twilio SendGrid generates one `MX` record and two `TXT` records.
When Twilio SendGrid generates CNAME records during Domain Authentication, they map to a host in a domain that Twilio SendGrid controls. This means that Twilio SendGrid can create and update your SPF and DKIM records for you.
For example: If you purchase a dedicated IP address, Twilio SendGrid adds that IP address to the SPF record for your domain.
The CNAME record allows Twilio SendGrid to route click and open tracking statistics to your Twilio SendGrid account.
To support Link Branding through Domain Authentication, Twilio offers two additional CNAME records.
When you turn off Automated Security, Twilio SendGrid generates one MX record for you to add to your domain. This record enables the return-path.
The return-path email header defines an address separate from your original sending address. The return-path address tells email servers where to send feedback such as delayed bounces and unsubscribes.
To implement DKIM, SPF, and DMARC, use TXT records with specific formatting.
- With automated security turned off, Twilio SendGrid generates these `TXT` records to add to your domain.
- When you turn off automated security and then change your email configuration, update the `TXT` records on your domain.
For example: When you add an IP address to your account, update your SPF TXT record with the IP address to prevent email delivery issues.
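To make the SPF and DMARC records described above concrete, and to show why a newly added IP address must also land in the SPF record, here is an added Python example (not Twilio SendGrid code). It parses a DMARC TXT record, evaluates an SPF record against a sending IP, and then walks through the dedicated-IP case: the IP fails SPF until an `ip4:` term is added. Every DNS answer, hostname, `include:` target and IP address in it is a constructed placeholder, not real infrastructure.

```python
"""Offline walk-through of the SPF and DMARC TXT records described above.

Added example, not Twilio SendGrid code. Every DNS answer below is
constructed for this example; hostnames, the include target and the
IP addresses are placeholders.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups: owner name -> list of TXT strings.
FAKE_TXT = {
    "example.com": ["v=spf1 include:spf.mailprovider.example -all"],
    "spf.mailprovider.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_dmarc.example.com": ["v=DMARC1; p=none"],
}

def lookup_txt(name, dns=FAKE_TXT):
    """Return the TXT strings published at `name` (empty list if none)."""
    return dns.get(name.lower().rstrip("."), [])

def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; rua=...' into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_policy(domain, dns=FAKE_TXT):
    """Policy a receiver applies to mail claiming `domain`; p=none when absent."""
    for txt in lookup_txt(f"_dmarc.{domain}", dns):
        tags = parse_dmarc(txt)
        if tags.get("v", "").upper() == "DMARC1":
            return tags.get("p", "none")
    return "none"

def spf_check(domain, sender_ip, dns=FAKE_TXT, depth=0):
    """Evaluate ip4, ip6, include and all terms for `sender_ip`.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    Other mechanisms (a, mx, exists, redirect) are out of scope here.
    """
    if depth > 10:  # RFC 7208 limits DNS-querying terms to 10 per evaluation
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    records = [t for t in lookup_txt(domain, dns) if t.lower().startswith("v=spf1")]
    if not records:
        return "none"
    outcome = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in outcome:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            # An IPv4 address is never "in" an IPv6 network and vice versa.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            matched = spf_check(arg, sender_ip, dns, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            continue  # unsupported mechanism: skip rather than guess
        if matched:
            return outcome[qualifier]
    return "neutral"

def add_ip_to_spf(record, cidr):
    """Insert an ip4:/ip6: term ahead of the trailing 'all' so it is evaluated first."""
    tag = "ip6" if ":" in cidr.split("/")[0] else "ip4"
    mech = f"{tag}:{cidr}"
    terms = record.split()
    if mech in terms:
        return record
    if terms[-1].lstrip("+-~?").lower() == "all":
        terms.insert(len(terms) - 1, mech)
    else:
        terms.append(mech)
    return " ".join(terms)

def dedicated_ip_walkthrough(dedicated_ip="203.0.113.10"):
    """A constructed dedicated IP fails SPF until the record is updated."""
    before = spf_check("example.com", dedicated_ip)
    updated = dict(FAKE_TXT)
    updated["example.com"] = [add_ip_to_spf(FAKE_TXT["example.com"][0], f"{dedicated_ip}/32")]
    after = spf_check("example.com", dedicated_ip, updated)
    return before, after, dmarc_policy("example.com")
```

`dedicated_ip_walkthrough()` returns `("fail", "pass", "none")`: with a `-all` terminator the unlisted IP hard-fails, the updated record passes, and the domain's DMARC policy is the default `p=none`. With automated security on, Twilio SendGrid performs the equivalent of `add_ip_to_spf` on its side of the `CNAME`; with it off, you make that edit yourself.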
Twilio SendGrid added a DMARC record on the DNS records page in the console. Completing this tutorial provides the data your organization needs to meet the inbox provider DMARC requirements. These inbox providers may block email that doesn't contain a valid DMARC record.
When sending email, set DNS records on the domain that make the following assertions:
- Communicate to receiving email servers that you own the domain the email was sent from.
- Verify that you have given the sending email server permission to send email on behalf of the domain.
The Twilio SendGrid process for setting up your domain and its DNS entries is Domain Authentication. After configuring Domain Authentication, you get the following benefits:
- You can remove `via sendgrid.net` (or `via eu.sendgrid.net` for Regional customers) from beside the from address in your messages.
- You can improve trust in the legitimacy of your messages for both receiving email servers and human recipients. This improves your probability of reaching an inbox instead of a spam folder.
User limits for authenticated domains and link brandings
Each user may have a maximum of 3,000 authenticated domains and 3,000 link brandings. The limit applies to each individual user and subuser: each Subuser belonging to a parent account may have its own 3,000 authenticated domains and 3,000 link brandings.
Configuring Domain Authentication requires changes to your DNS records. Before you change your DNS records, you need to determine two things:
- Identify your domain provider.
- Verify who can change DNS records with your provider.
To set up Domain Authentication, choose from three options:
- Automated Setup: Have Twilio SendGrid configure it for you. Twilio SendGrid supports Domain Connect with GoDaddy. Log in to GoDaddy and give Twilio SendGrid permission to configure your DNS changes.
  Conditions for automated setup: Twilio SendGrid only supports automated setup under three conditions:
  - GoDaddy hosts the domains.
  - You left automated security turned on.
  - You're not using Link Branding.
- Manual Setup: Configure the changes yourself.
- Send To A Coworker: Send an email to a coworker with access to the DNS host so they can make the changes.
1. In the Twilio SendGrid console, select Settings > Sender Authentication.
2. In the Domain Authentication section, click Get Started. The Authenticate Your Domain page appears.
3. From the Authenticate Your Domain page, select your DNS host from the Which Domain Name Server (DNS) host do you use? dropdown. You can select I'm not sure or Other Host (Not Listed) if necessary.
4. To use branded links, toggle Would you also like to brand the links for this domain? to Yes. If you choose No, you can add Link Branding later. To learn more about link branding, see How to Set up Link Branding.
5. Click Next.
6. In the Domain You Send From box, type the domain you want to authenticate.
   - This domain appears in the from address of your messages.
   - Type only your root domain, `<domain-name.top-level-domain>`.
   - Omit any subdomains or protocols like `www` or `http://www`.
   For example: To send messages from addresses like `orders@example.com`, type `example.com`.
7. Click Advanced Settings.
   - Leave Use automated security checked. When checked, Twilio SendGrid handles the signing of your DKIM and the authentication of your SPF with `CNAME` records, and rotates your DKIM keys on your behalf.
   - If you want to override the return path, check Use custom return path. This return-path informs receiving email servers where to route delayed bounces and unsubscribes. The Return Path box appears. Type a custom domain into the Return Path box.
   - If another service uses a DKIM selector of `s`, check Use a custom DKIM selector. The DKIM Selector box appears. Type a set of three characters in this box.
   - If you need to limit your domain to the European Union, check Make domain EU-pinned. Regional email users must pin their domain to the EU region.
8. Select the Advanced Settings appropriate for your needs.
9. Click Next. The Install DNS Records page appears.
10. If Twilio SendGrid can finish the Domain Authentication process, the Automatic Setup tab appears. If not, the Manual Setup tab appears.
    - From the Automated Setup tab, click Connect. A modal titled Connect GoDaddy to Twilio SendGrid for this domain appears.
    - Log in to your GoDaddy account and connect to your domain. Twilio SendGrid tries to verify your DNS records.
    - If GoDaddy verification succeeds, the modal closes. The Twilio SendGrid console displays a success message.
    - If GoDaddy verification fails, close this modal. Click Verify again in 48 hours. DNS changes can take up to 48 hours to apply. If Domain Authentication hasn't been verified after 48 hours, contact Twilio SendGrid support.
Provider generating incorrect DNS records
GoDaddy, Amazon Route 53, and Namecheap, among other providers, append your domain to the DNS record values you add, resulting in a CNAME entry that fails verification.
For example:
- Your domain is `example.com`.
- The Twilio SendGrid `CNAME` host value is `em123.example.com`.
- The provider creates an incorrect record: `em123.example.com.example.com`.
To remedy this, type only the host value into your DNS provider's host field. In this example, the host value is `em123`. Don't modify the value of the record. If your domain doesn't validate, check the generated CNAME record.
DNS verification can take 48 hours
DNS verification can take up to 48 hours after upload. To find if verification completed, return to this page.
During Domain Authentication setup, the second Authenticate Your Domain page includes a drop-down menu labeled Advanced Settings. The following section explains each of these settings.
Automated security differs from automatic setup. Automated security lets Twilio SendGrid manage the signing of your DKIM and the authentication of your SPF with CNAME records. This allows you to add a dedicated IP address or update your account without having to update your DNS records.
Automated security defaults to On. If your DNS provider doesn't accept underscores in CNAME records, turn off Automated Security then use MX and TXT records.
If you turn off automated security, you need to manage and update the MX and TXT records yourself.
To learn more about how this works, see Twilio SendGrid DNS records.
To customize the subdomain, use a custom return-path.
This return-path informs receiving email servers where to route delayed bounces and unsubscribes.
Possibility of overwriting DNS records
If you have a DNS record with a custom name in your domain, adding another record with a matching custom name overwrites your existing DNS entry. This can happen if you Use a custom return-path and set the name to an existing one in your DNS records.
For example: You have a TXT record with the host email.example.com. If you set a custom return-path of email during Domain Authentication, Twilio SendGrid creates a record with the host email.example.com. When it completes Domain Authentication, it replaces your existing TXT record with the Twilio SendGrid record. This could break one of your existing services.
When completing Domain Authentication, never use the custom names for existing records in your domain.
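Two of the pitfalls on this page (a provider appending your domain to the host you typed, and a custom return-path name overwriting an existing record), plus the underscore restriction mentioned under Automated security, can all be caught before you save anything at the DNS provider. The following Python is an added example, not Twilio SendGrid code: the zone contents, the `em123` and `s1._domainkey` hosts and the `sendgrid.net` targets are constructed placeholders (take the real names from your own Install DNS Records page), and `preflight` is a hypothetical helper name.

```python
"""Pre-flight checks before typing Domain Authentication records into a DNS provider.

Added example, not Twilio SendGrid code. The existing zone, the record hosts
and the sendgrid.net targets below are constructed placeholders.
"""

DOMAIN = "example.com"

# Constructed snapshot of what the zone already contains: FQDN -> (type, value).
EXISTING_ZONE = {
    "example.com.": ("A", "192.0.2.10"),
    "email.example.com.": ("TXT", "third-party-verification-token"),
    "www.example.com.": ("CNAME", "example.com."),
}

# Constructed records in the shape of an Install DNS Records page: (host, type, value).
NEW_RECORDS = [
    ("em123.example.com", "CNAME", "u1234.wl.sendgrid.net"),
    ("s1._domainkey.example.com", "CNAME", "s1.domainkey.u1234.wl.sendgrid.net"),
]

def fqdn(name):
    """Normalise to a lower-case, dot-terminated name."""
    return name.lower().rstrip(".") + "."

def host_label(full_host, domain):
    """What to type into the provider's host field: 'em123.example.com' -> 'em123'."""
    full, apex = fqdn(full_host), fqdn(domain)
    if full == apex:
        return "@"
    if not full.endswith("." + apex):
        raise ValueError(f"{full_host} is not under {domain}")
    return full[: -len("." + apex)]

def doubled_domain(created_name, domain):
    """True when the provider appended the domain a second time."""
    apex = domain.lower().rstrip(".")
    return fqdn(created_name).endswith(f".{apex}.{apex}.")

def collisions(new_records, zone=EXISTING_ZONE):
    """Record names that already exist in the zone and would be overwritten."""
    return [host for host, _, _ in new_records if fqdn(host) in zone]

def needs_underscore_support(new_records):
    """CNAME hosts containing '_', which some providers refuse."""
    return [host for host, rtype, _ in new_records if rtype == "CNAME" and "_" in host]

def preflight(new_records, domain=DOMAIN, zone=EXISTING_ZONE):
    """Summarise what to type and what to double-check before saving."""
    return {
        "labels": {host: host_label(host, domain) for host, _, _ in new_records},
        "collisions": collisions(new_records, zone),
        "underscores": needs_underscore_support(new_records),
    }

def custom_return_path_example():
    """Choosing 'email' as the return-path host collides with the existing TXT record."""
    extra = [("email.example.com", "CNAME", "u1234.wl.sendgrid.net")]  # constructed
    return preflight(NEW_RECORDS + extra)["collisions"]
```

`preflight(NEW_RECORDS)` reports no collisions and flags `s1._domainkey.example.com` as needing underscore support; `custom_return_path_example()` returns `["email.example.com"]`, the record that would be replaced. After saving, run the created names through `doubled_domain` to spot the `em123.example.com.example.com` mistake before waiting out the 48-hour verification window.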
To build a custom return-path:
- Select Use a custom return path.
- Type the letters or numbers.
If you don't select these, Twilio SendGrid selects them for you. Verify that your selected characters differ from those that Twilio SendGrid assigned you.
You might set a custom DKIM selector for one of two reasons:
- You want to authenticate a single domain multiple times.
- Another service uses the Twilio SendGrid DKIM selector, `s`.
To set a custom DKIM selector, add the custom selector to the domain as a custom subdomain.
- Select Use a custom DKIM selector.
- Type three letters or numbers to build a custom subdomain.
- If you don't select these, Twilio SendGrid selects them for you.
- Type three characters different from your original selection.
For example: you could use `org` or `001`.
Any domains authenticated before 2015 can't be updated or changed. To change or update such a domain, delete it and recreate it as an authenticated domain.