Blog

The SendGrid CNAME Setup Most People Miss (And Why DMARC Fails Without It)

March 19, 2026

You added include:sendgrid.net to your SPF record. SPF passes.

DMARC still fails.

This is the most common SendGrid setup mistake. The SPF include is not enough for DMARC alignment.

Why the SPF Include Isn't Enough

The SPF include authorises SendGrid's servers to send as your domain. SPF passes. Good.

But the Return-Path for your emails is still @sendgrid.net — not @yourdomain.com.

DMARC alignment requires the Return-Path domain to match your From: domain. It doesn't. DMARC fails.

What You Actually Need

Three CNAME records from SendGrid's Sender Authentication dashboard.

These records do two things: (1) let SendGrid sign email with your domain's DKIM key (DKIM alignment), and (2) route your Return-Path through your domain (SPF alignment).

The exact records are account-specific — your account ID appears in the values. Get them from:

SendGrid → Settings → Sender Authentication → Authenticate Your Domain

The Pattern (Replace [ID] with Your Account ID)

em[ID].yourdomain.com
  CNAME → u[ID].wl.sendgrid.net

s1._domainkey.yourdomain.com
  CNAME → s1.domainkey.u[ID].wl.sendgrid.net

s2._domainkey.yourdomain.com
  CNAME → s2.domainkey.u[ID].wl.sendgrid.net

Add all three. Not just one.

After Adding the Records

Wait up to 48 hours for DNS propagation.

Then return to SendGrid's Sender Authentication page and click Verify. SendGrid confirms the records are live.

Run DNS Preflight after that to confirm the alignment visual shows green.

What If You're Already Sending

Adding these records doesn't break existing delivery. Email continues normally during the transition.

After SendGrid verifies the records, new emails are signed with your domain and DMARC alignment passes.