Fix guide

How to Fix DMARC Alignment for SendGrid

SendGrid emails fail DMARC alignment because SendGrid sends from its own Return-Path domain by default. To fix this, you must add three CNAME records to your DNS that allow SendGrid to sign email using your domain — enabling SPF and DKIM alignment with your From: address.

Why alignment fails for SendGrid

By default, SendGrid uses return-path: @sendgrid.net — which doesn't match your From: domain. DMARC alignment requires the Return-Path (SPF) or DKIM signing domain to match the From: header domain.

Exact DNS records required

Copy-paste pattern (replace [ID] with your SendGrid account ID from the dashboard):

em[ID].yourdomain.com → CNAME → u[ID].wl.sendgrid.net s1._domainkey.yourdomain.com → CNAME → s1.domainkey.u[ID].wl.sendgrid.net s2._domainkey.yourdomain.com → CNAME → s2.domainkey.u[ID].wl.sendgrid.net

Step-by-step fix

Step 1 Log into SendGrid → Settings → Sender Authentication → Authenticate Your Domain

Step 2 Enter your domain name and select your DNS provider

Step 3 Copy the 3 CNAME records SendGrid generates for your account

Step 4 Add all 3 CNAMEs to your DNS provider (Cloudflare, Namecheap, etc.)

Step 5 Return to SendGrid and click Verify — wait up to 48 hours for DNS propagation

Step 6 Run DNS Preflight on your domain to confirm alignment passes

Verify alignment and DNS in your browser

Open DNS Preflight →

Related glossary: DMARC · DMARC alignment · DKIM · SPF record · Email spoofing

FAQ

Why do SendGrid emails fail DMARC even with SPF and DKIM records added?

Standard SPF and DKIM records alone do not fix DMARC alignment for SendGrid. You need SendGrid's specific CNAME records that enable them to sign with your domain — not their own.

What are the exact CNAME records SendGrid needs?

Three CNAMEs: em[ID].yourdomain.com, s1._domainkey.yourdomain.com, and s2._domainkey.yourdomain.com — all pointing to SendGrid's servers. Your account ID is in the Sender Authentication dashboard.

How long does SendGrid DMARC alignment take?

DNS propagation typically takes 24-48 hours. Run DNS Preflight after 48 hours to confirm alignment is passing.

Do I need both SPF and DKIM alignment for DMARC to pass?

No. DMARC passes if either SPF or DKIM aligns. SendGrid's CNAME setup enables DKIM alignment which is sufficient.

Will existing emails break during the CNAME setup?

No. Adding CNAMEs does not affect existing email delivery. Alignment only improves once SendGrid verifies the records.

← All DMARC fix guides

Run checks on domainpreflight.dev →