What is SPF Permerror?

SPF=Permerror indicates that there is a fundamental problem with the SPF record, making it impossible to determine if the sending server is authorized or not.

What is the 10 DNS lookup limit?

During SPF check, every time an email is sent from your domain, your recipient’s email server performs DNS query requests, also known as DNS lookups to check the presence of authorized IP addresses in your DNS and match them to the ones in the received email’s return-path header. However, RFC limits the number of DNS lookups to 10. This is known as the 10 DNS lookup limit.

Am I exceeding SPF Too Many DNS Lookups limit?

If you are worried about exceeding the lookup limit for SPF, you can check your record instantly using our SPF record checker tool.

How to fix SPF Permerror?

A more effective way to avoid SPF errors is to deploy an SPF flattening tool that is automatic and hassle-free – like PowerSPF!

How To Setup SendGrid DMARC, SPF, And DKIM Records?

Email security is crucial today, and setting up authentication protocols like DMARC, SPF, and DKIM is a key step in protecting your domain. These protocols help prevent phishing, domain spoofing, and business email compromise, ensuring that your emails reach their intended recipients safely and securely.

Domain-based Message Authentication, Reporting, and Conformance, or DMARC, is an essential protocol to implement in recent times. DMARC helps prevent a number of email-borne threats. This includes phishing, direct-domain spoofing, and business email compromise.

While Twilio informs that DMARC is not a mandatory requirement for SendGrid, they encourage and recommend it. Moreover, bulk email senders need to have a DMARC policy in place if they are sending messages to Gmail or Yahoo inboxes. Otherwise, these messages may be rejected! So let’s find out how you can enable SendGrid DMARC, DKIM, and SPF authentication.

Setting Up Domain Authentication for SendGrid

Domain authentication is the process of establishing the legitimacy of your domain name. It is important to authenticate your domain to prevent unauthorized usage and impersonation. Authentication also reduces the chances of emails being marked as spam and improves domain reputation.

SPF, DKIM and DMARC are three such protocols that can be used to authenticate your domain. Let’s find out how to enable them for SendGrid.

How to Setup SendGrid SPF Record

According to Twilio’s sender authentication document:

Automated SendGrid SPF Setup

On completing SendGrid’s Domain Authentication setup, you can choose for SPF authentication to be handled automatically by SendGrid.
In an automated security setup, SendGrid will provide you CNAME records to enable SPF authentication.
Once you retrieve the CNAME records from SendGrid, you need to publish these records on your Domain Name System (DNS).
Once your DNS has propagated the changes, this will allow SendGrid to directly manage SPF on your behalf without the requirement of manual SPF implementation or management.

Manual SendGrid SPF Setup

You can turn off automated security settings on SendGrid by disabling the “Use Automated Security” checkbox on the Domain Authentication page.
Now SendGrid will provide you with an SPF TXT record for your domain.
You need to publish the record in your DNS, to activate SPF authentication.

Note: On choosing manual SendGrid SPF implementation, you need to manually update your IP addresses and make changes to your DNS settings. Whereas on an automated setup this is handled by SendGrid.

How to Add SendGrid DKIM Record

According to Twilio’s DKIM authentication document:

Automated SendGrid DKIM Setup

On completing SendGrid’s Domain Authentication setup, you can choose for DKIM authentication to be handled automatically by SendGrid.
SendGrid will provide you with a custom DKIM signature whether you enable automated security or not. In an automated security setup, SendGrid will provide your CNAME records to enable DKIM authentication.
Once you retrieve the CNAME records from SendGrid, you need to publish these records on your Domain Name System (DNS).
Once your DNS has propagated the changes, this will allow SendGrid to directly manage DKIM on your behalf. In this case, when you make any changes to your sending domain, they will be automatically updated to your SendGrid DKIM setup.

Manual SendGrid DKIM Setup

You can turn off automated security settings on SendGrid by disabling the “Use Automated Security” checkbox on the Domain Authentication page.

In this case, when you make any changes to your sending domain, you will need to manually update your DNS settings. SendGrid will not handle it for you like in case of automated setups.

SendGrid DKIM record example (with automated security turned on)

SendGrid DKIM record example (with automated security turned off)

em1234.yourdomain.com | MX | mx.sendgrid.net
em1234.yourdomain.com | TXT | v=spf1 include:sendgrid.net ~all
m1._yourdomain.com | TXT | k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPtW5iwpXVPiH5FzJ7Nrl8USzuY9zqqzjE0D1r04xDN6qwziDnmgcFNNfMewVKN2D1O+2J9N14hRprzByFwfQW76yojh54Xu3uSbQ3JP0A7k8o8GutRF8zbFUA8n0ZH2y0cIEjMliXY4W4LwPA7m4q0ObmvSjhd63O9d8z1XkUBwIDAQAB

How to Add SendGrid DMARC Record

To setup SendGrid DMARC authentication for your domain(s), follow these steps:

Once you have completed Domain Authentication for SendGrid by implementing SPF and DKIM you are ready to set up DMARC.
Create a DMARC record using our free DMARC record generator tool. It is advisable to start with a DMARC policy of “none” and then slowly shift to quarantine and reject while monitoring your DMARC reports.
Publish the generated TXT record on your DNS. Once you publish the DNS record and the DNS has propagated the changes, DMARC will be enabled for your domain.

Learn more about the DMARC syntax by learning about DMARC tags.

Final Words

SendGrid DMARC alignment along with SPF and DKIM ensures emails you send using SendGrid as your vendor, successfully reach your receiver’s inbox. IAuthentication ultimately improves your email delivery performance and helps you enhance your brand’s credibility.

For advanced email authentication solutions, contact us today!

Content Review and Fact-Checking Process

This article has been curated by an email security expert, along with references to official domain authentication documents published by Twilio. You can find more related Twilio SendGrid documents here.

About
Latest Posts

Yunes Tarada

Domain & Email Security Expert at PowerDMARC

Yunes is an Operations Team Lead at PowerDMARC with expert knowledge in email authentication and security. Yunes is a Microsoft-certified Azure Administrator Associate with certifications in CompTIA A+ and many more.

How to Setup SendGrid DMARC, SPF, and DKIM Records? Easy Step-by-Step Guide