SendGrid DMARC Alignment — The Complete Setup Guide
You added SendGrid to your SPF record. SPF passes. DMARC still fails.
This is the most common SendGrid configuration mistake. The SPF include is necessary but not sufficient for DMARC alignment.
Why the SPF include isn't enough
SPF passing means SendGrid's servers are authorised to send as your domain.
But the Return-Path on your emails still shows @sendgrid.net — not @yourdomain.com.
DMARC checks whether the Return-Path domain matches your From: domain. It doesn't. DMARC fails.
What You Actually Need — 3 CNAMEs
SendGrid's Sender Authentication gives you three CNAME records. These do two things:
- Route your Return-Path through your domain (SPF alignment)
- Sign email with your domain's DKIM key (DKIM alignment)
Without them, SendGrid signs with sendgrid.net. With them, it signs with yourdomain.com.
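The alignment check described above, as an added example (not code from SendGrid or from this post). Both messages are constructed samples, `em1234` stands in for `em[ID]`, and the organizational domain is approximated by the last two labels rather than the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: organizational domain = last two labels. A real DMARC
    # evaluator uses the Public Suffix List (needed for e.g. example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def domain_of(header_value):
    # Domain part of the address in a From: or Return-Path: header.
    return parseaddr(header_value or "")[1].rpartition("@")[2]

def alignment(raw_message):
    """Relaxed DMARC alignment, assuming SPF and DKIM themselves already pass."""
    msg = message_from_string(raw_message)
    from_org = org_domain(domain_of(msg["From"]))
    if not from_org:
        return {"spf": False, "dkim": False, "dmarc": False}
    spf = org_domain(domain_of(msg["Return-Path"])) == from_org
    dkim = False
    for sig in msg.get_all("DKIM-Signature", []):
        # d= is the signing domain DMARC compares with the From: domain.
        m = re.search(r"(?:^|;)\s*d\s*=\s*([^;\s]+)", sig)
        if m and org_domain(m.group(1)) == from_org:
            dkim = True
    # DMARC passes when at least one aligned mechanism passes.
    return {"spf": spf, "dkim": dkim, "dmarc": spf or dkim}

# Constructed sample: SPF include only, no Sender Authentication CNAMEs.
BEFORE = (
    "Return-Path: <bounces+1234@sendgrid.net>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=sendgrid.net; s=sample; b=constructed\n"
    "From: Alerts <alerts@yourdomain.com>\n\nbody\n"
)
# Constructed sample: the three CNAMEs are live and verified.
AFTER = (
    "Return-Path: <bounces+1234@em1234.yourdomain.com>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com; s=s1; b=constructed\n"
    "From: Alerts <alerts@yourdomain.com>\n\nbody\n"
)

if __name__ == "__main__":
    print("before:", alignment(BEFORE))
    print("after: ", alignment(AFTER))
```

Paste the headers of a real delivered message in place of the samples to see which identifier is out of alignment.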
Where to Find Your CNAMEs
SendGrid Dashboard → Settings → Sender Authentication → Authenticate Your Domain
The values are account-specific — your account ID appears in them. Don't copy someone else's values.
The pattern looks like this:
em[ID].yourdomain.com CNAME → u[ID].wl.sendgrid.net
s1._domainkey.yourdomain.com CNAME → s1.domainkey.u[ID].wl.sendgrid.net
s2._domainkey.yourdomain.com CNAME → s2.domainkey.u[ID].wl.sendgrid.net
Adding the CNAMEs — by DNS provider
Cloudflare:
Type: CNAME
Name: em[ID] (not the full hostname)
Target: u[ID].wl.sendgrid.net
Proxy: DNS only (grey cloud)
Namecheap:
Type: CNAME
Host: em[ID]
Value: u[ID].wl.sendgrid.net
TTL: Automatic
After Adding the CNAMEs
Wait 48 hours for DNS propagation.
Return to SendGrid Sender Authentication and click Verify. SendGrid confirms the records are live.
Then run DNS Preflight — the alignment visual should show green with SendGrid CNAME confirmed.
Still Failing After Adding CNAMEs?
Check these:
- Did you add all 3 CNAMEs? All are required.
- Is the proxy off in Cloudflare? CNAME records for DKIM must be DNS-only.
- Has 48 hours passed? DNS propagation takes time.
- Did you click Verify in SendGrid? SendGrid won't use the key until verified.
Check your SendGrid alignment
FAQ
Why does SendGrid fail DMARC even with SPF configured?
The SPF include authorises SendGrid's servers but doesn't fix alignment. The Return-Path still comes from sendgrid.net — not your domain. DMARC alignment fails.
What are the 3 SendGrid CNAME records for?
em[ID] fixes SPF alignment by routing Return-Path through your domain. s1 and s2 fix DKIM alignment by letting SendGrid sign with your domain's key.
Where do I find my SendGrid CNAME values?
SendGrid → Settings → Sender Authentication → Authenticate Your Domain. Values are account-specific — generated for your account ID.
Will adding CNAMEs break my current sending?
No. Adding DNS records doesn't interrupt delivery. Alignment improves after SendGrid verifies the records.
How do I verify SendGrid alignment is working?
Run DNS Preflight — the alignment engine checks for SendGrid CNAMEs and shows pass/fail with exactly which records are missing.