# Set up reliable email delivery with SendGrid
Campaign emails look great in the editor. They land in spam. This article explains why that happens and how to fix it permanently with SendGrid domain authentication.
> [!quote] Own Your Deliverability
> Authenticating your domain tells Gmail and Outlook that ==SendGrid is authorised to send on your behalf==. Without it, your emails are a coin-flip away from the spam folder.
## Why emails go to spam
When you send a campaign, the email travels from SendGrid's servers to your recipient's inbox. Gmail and Outlook check whether the sending server is actually authorised to send mail for your domain. This check is called **DMARC alignment**.
If your DNS doesn't include records that authorise SendGrid, the receiving server sees a mismatch: the email claims to come from `[email protected]`, but it arrived from a SendGrid IP with no DKIM signature you control. That mismatch is the single biggest reason campaign emails go to spam.

Domain authentication fixes it by:
- Adding a **DKIM signature** to every email you send, proving the email hasn't been tampered with and that your domain authorises the send
- Removing the **"via sendgrid.net"** label Gmail shows on unauthenticated emails
- Building sender reputation on your domain over time, not SendGrid's shared pool
> [!note] One-time setup
> You do this once per sending domain. After that, every campaign you send from that domain is covered automatically.
## What you need
- **Access to your domain's DNS.** This guide uses Cloudflare. The steps are the same in any DNS provider - the names of the screens will differ slightly.
- **A SendGrid account.** If you're using RelayBook Campaigns, you bring your own SendGrid account. See [[Email Settings]] if you haven't connected it yet.
- **About 10 minutes.**
---
## Step 1: Add domain authentication in SendGrid
1. Log in to [SendGrid](https://app.sendgrid.com)
2. Go to **Settings** > **Sender Authentication**
3. Under **Domain Authentication**, click **Authenticate Your Domain**
4. Select your DNS host from the list (e.g. **Cloudflare**). Selecting your host lets SendGrid tailor the instructions to match.
5. Check **Also set up link branding**. This removes the "via sendgrid.net" label that Gmail shows on unauthenticated emails.
6. Enter your **sending domain** - for example, `yourcompany.com`. This must exactly match the domain in your campaign **From** address. If your From address is `[email protected]`, enter `yourcompany.com`.
7. Expand **Advanced Settings**. If your SendGrid account has multiple subusers, make sure the correct subuser is selected here. This is where RelayBook's BYOK key lives.
8. Click **Next**.

SendGrid will now generate **5 CNAME records** for you to add to your DNS. Leave this tab open - you'll need those values in the next step.
> [!tip] Subdomains work too
> You can authenticate a subdomain like `mail.yourcompany.com` instead of your root domain. Emails would come from `[email protected]`. Some teams prefer this to keep marketing and transactional mail reputation separate.
---
## Step 2: Add the DNS records in Cloudflare
You need to add all 5 CNAME records exactly as SendGrid shows them. A typo in any one will break verification.
1. Open [Cloudflare](https://dash.cloudflare.com) in a new tab
2. Select your domain
3. Go to **DNS** > **Records**
4. Click **Add record** and fill in the first CNAME:
   - **Type:** CNAME
   - **Name:** paste the value from SendGrid (e.g. `url4438`, `em5665`, `s1._domainkey`)
   - **Target:** paste the value from SendGrid exactly as shown
   - **Proxy status:** set to **DNS only** (grey cloud)

Repeat for all 5 records.
> [!highlight] Critical: set every record to DNS only (grey cloud)
> This is the most common mistake. Cloudflare proxies (orange cloud) intercept the DNS lookup and return Cloudflare's IPs instead of SendGrid's values. SendGrid's verification will fail, and DKIM signing will break on every email you send. Every CNAME for SendGrid must be **DNS only**.
### What the 5 records do
| Record name example | Purpose |
|---------------------|---------|
| `em5665.yourcompany.com` | SPF/bounce tracking subdomain |
| `s1._domainkey.yourcompany.com` | DKIM signing key (selector 1) |
| `s2._domainkey.yourcompany.com` | DKIM signing key (selector 2) |
| `url4438.yourcompany.com` | Link branding (replaces sendgrid.net links) |
| `1098163.yourcompany.com` | Link branding (secondary tracking) |

The exact names will be different for your account - always copy from SendGrid, don't type them manually.
> [!note] If `_dmarc` already exists in your DNS
> SendGrid may suggest a DMARC record. If one already exists, check whether it already covers your domain. If it does, skip the duplicate - you only need one `_dmarc` record. If it doesn't, add or update it.
---
## Step 3: Verify in SendGrid
1. Return to the SendGrid tab where the 5 records are listed
2. Check **I've added these records**
3. Click **Verify**

If verification passes, you'll see green checkmarks next to all 5 records. You're done.

**If verification fails:**
- Double-check every record is set to **DNS only** in Cloudflare (grey cloud, not orange)
- Check that the Name and Target values match exactly - watch for trailing dots or extra spaces
- DNS changes normally propagate within a few minutes, but can take up to an hour. Wait 5 minutes and try verifying again.
- If you're still stuck, use [MXToolbox CNAME lookup](https://mxtoolbox.com/CNAMELookup.aspx) to check whether the record is resolving to SendGrid's expected value
> [!tip] Quick propagation check
> On a Mac, open Terminal and run `dig CNAME s1._domainkey.yourcompany.com`. If it returns the SendGrid value, DNS has propagated and the record is correct.
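
The troubleshooting checks above can be run over all five records at once. This is an added example, not part of SendGrid's or RelayBook's tooling: it assumes `dig` is installed, and the targets in `EXPECTED` are placeholders to replace with the Name/Target pairs from your SendGrid tab.

```python
import subprocess

def normalise(host):
    """Lower-case and drop stray spaces and the trailing dot that dig prints."""
    return host.strip().rstrip(".").lower()

def dig_cname(name):
    """Query CNAME records with dig; returns the list of targets (may be empty)."""
    out = subprocess.run(["dig", "+short", "CNAME", name],
                         capture_output=True, text=True, timeout=10).stdout
    return [line for line in out.splitlines() if line.strip()]

def classify(expected_target, answers):
    """Compare what DNS serves with what SendGrid asked for."""
    targets = {normalise(a) for a in answers}
    if not targets:
        # Nothing is served as a CNAME: record not added, not yet propagated,
        # or not published as a plain CNAME (check it is set to DNS only).
        return "no-cname"
    # A CNAME exists; anything other than the expected target is a typo.
    return "ok" if normalise(expected_target) in targets else "mismatch"

def check_records(expected, resolver=dig_cname):
    """Return {record name: "ok" | "no-cname" | "mismatch"} for every record."""
    return {normalise(name): classify(target, resolver(normalise(name)))
            for name, target in expected.items()}

# Placeholder pairs: the names follow this guide's examples, the targets are
# constructed stand-ins for the values SendGrid generates for your account.
EXPECTED = {
    "em5665.yourcompany.com": "target-1.example",
    "s1._domainkey.yourcompany.com": "target-2.example",
    "s2._domainkey.yourcompany.com": "target-3.example",
    "url4438.yourcompany.com": "target-4.example",
    "1098163.yourcompany.com": "target-5.example",
}

if __name__ == "__main__":
    for name, status in check_records(EXPECTED).items():
        print(f"{status:9} {name}")
```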
---
## Step 4: Make sure your From address matches
Domain authentication only protects emails that come from the domain you authenticated. If you authenticated `yourcompany.com` but your campaign From address is `[email protected]`, those emails are still unauthenticated.

Check your From address in RelayBook:
1. Go to **Campaigns** > **Settings**
2. Check the **From Email** field
3. The domain after `@` must match the domain you authenticated in SendGrid

If they don't match, either:
- Update the From Email to use the authenticated domain, or
- Go back to SendGrid and authenticate the other domain too
---
## What changes after setup
Once authentication is verified and your From domain matches:
- Every email you send carries a valid **DKIM signature** - inbox providers can verify it belongs to your domain
- **DMARC alignment passes** - Gmail and Outlook no longer treat your emails as suspicious
- The **"via sendgrid.net"** label disappears from Gmail's interface
- Your **domain's sender reputation** starts building with each send - this improves deliverability over time
- **Bounce and unsubscribe tracking** routes through your domain instead of SendGrid's shared infrastructure
> [!success] Test it
> Send yourself a test email from a campaign. In Gmail, click the three-dot menu on the message and select **Show original**. Look for `dkim=pass` in the Authentication-Results header. That confirms DKIM is working.
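
When reading the **Show original** output, also check which domain the passing signature belongs to: a `dkim=pass` for a domain other than your From domain does not give DMARC alignment. This added example (not RelayBook or SendGrid code) does that check on constructed headers; the address `sender@yourcompany.com` and the alignment rule (same domain, or one a subdomain of the other) are simplifying assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def dkim_results(auth_results):
    """Return (result, signing_domain) for each dkim= clause in one header value."""
    found = []
    for clause in auth_results.split(";"):
        verdict = re.search(r"\bdkim=(\w+)", clause)
        if not verdict:
            continue
        # Gmail reports the signer as header.i=@domain; other receivers use header.d=
        signer = re.search(r"header\.(?:d=|i=[^\s@]*@)([\w.-]+)", clause)
        found.append((verdict.group(1).lower(),
                      signer.group(1).lower() if signer else None))
    return found

def aligned(signing_domain, from_domain):
    """Approximate relaxed alignment: same domain, or one is a subdomain of the other."""
    a, b = signing_domain, from_domain
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def check_message(raw):
    """Classify a raw message as aligned-pass, pass-not-aligned or no-pass."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = [r for value in msg.get_all("Authentication-Results", [])
               for r in dkim_results(value)]
    passes = [dom for verdict, dom in results if verdict == "pass"]
    if any(dom and aligned(dom, from_domain) for dom in passes):
        return "aligned-pass"
    return "pass-not-aligned" if passes else "no-pass"

# Constructed headers, not captured from real mail.
TEMPLATE = ("Authentication-Results: mx.example.net;\n"
            "       dkim=pass header.i=@{signer} header.s=s1;\n"
            "       spf=pass smtp.mailfrom=bounce.example.net\n"
            "From: Campaigns <sender@yourcompany.com>\n"
            "Subject: test\n\nbody\n")
OWN_DOMAIN = TEMPLATE.format(signer="yourcompany.com")    # signed as your domain
OTHER_DOMAIN = TEMPLATE.format(signer="sendgrid.net")     # valid signature, wrong domain

if __name__ == "__main__":
    print(check_message(OWN_DOMAIN))
    print(check_message(OTHER_DOMAIN))
```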
---
**Next:** Return to [[Email Settings]] to review your sender identity and make sure your From address is set correctly.