Should I add "include:sendgrid.net" to my SPF record if my third-party vendor uses SendGrid?

No, SPF checks the Return-Path (also known as smtp.mailfrom ) domain, which for SendGrid is typically a subdomain they manage. Adding include:sendgrid.net to your primary SPF is usually not necessary and can lead to SPF lookup limits. Ensure your vendor has properly configured your domain authentication using their recommended CNAME records.

How does DMARC alignment affect emails sent via a third-party vendor?

DMARC requires either SPF or DKIM to align with your From domain. If your third-party vendor's SPF or DKIM setup doesn't align with your primary domain, DMARC will fail. With a p=quarantine or p=reject policy, these emails are likely to land in spam.

My emails pass SPF/DKIM/DMARC, but still go to spam. What else could be causing this?

While authentication is crucial, IP and domain reputation are equally important. Shared IPs can suffer from the poor sending practices of other users. Even with correct SPF/DKIM/DMARC, a poor reputation can lead to spam placement. Content filters also play a role, flagging emails based on their content regardless of authentication.

What are the first steps to troubleshoot spam placement with a third-party vendor?

Obtain full email headers from a recipient who received the email in spam. Look for Authentication-Results and any spam scoring. Share these with your vendor and ask about their IP reputation and any recent issues. Continuously monitor your sender reputation and maintain excellent list hygiene.

How to troubleshoot spam placement issues with a third-party vendor using SendGrid? - Troubleshooting - Email deliverability - Knowledge base

Emails from third-party vendors, even with established providers like

SendGrid, can unexpectedly land in spam folders. This can be particularly frustrating when authentication records seem correctly configured, like implementing BIMI and a DMARC policy of p=quarantine; pct=100. It's a common scenario where emails, despite originating from a seemingly reputable platform with a dedicated IP, still encounter deliverability issues.

When a third-party service sends emails on your behalf, understanding how various email authentication protocols interact becomes crucial. Your IT team might be less familiar with these specifics, but it's a layered problem that goes beyond simply having a DMARC policy in place.

This guide will walk you through the key aspects of troubleshooting spam placement issues when using a third-party vendor like SendGrid. We'll cover everything from email authentication to IP reputation and actionable steps you can take to improve your inboxing rates. For a broader understanding of why emails often end up in spam, consult our guide on why emails go to spam.

The foundations of third-party email authentication

One of the most common misconceptions revolves around SPF (Sender Policy Framework) and how it applies to third-party email senders. SPF checks the sending server's IP address against the domain specified in the Return-Path (also known as smtp.mailfrom) header, not the From header that recipients typically see. Many Email Service Providers (ESPs) like SendGrid utilize a subdomain for this Return-Path to manage their sending infrastructure.

SendGrid, for instance, typically provides specific CNAME records for domain authentication rather than asking you to add include:sendgrid.net to your primary domain's SPF record. These CNAME records delegate authority for a specific subdomain (like em.yourdomain.com) to SendGrid. This subdomain's SPF record, managed by

SendGrid, will correctly authorize their IPs. For more details on this setup, you can refer to SendGrid's domain authentication documentation.

An example Authentication-Results header from an email sent via SendGrid would clearly show the domains used for validation:

Example authentication results headertext

Authentication-Results: spf=pass (sender IP is 168.245.17.202)
 smtp.mailfrom=em3580.kingarthurbaking.com; dkim=pass (signature was verified)
 header.d=kingarthurbaking.com;dmarc=pass action=none
 header.from=kingarthurbaking.com;compauth=pass reason=100

In this example, the smtp.mailfrom domain em3580.kingarthurbaking.com is what SPF checks against, not the primary domain directly. Therefore, adding a sendgrid.net include to your SPF might not resolve the issue and could potentially lead to SPF lookup limits being exceeded. Always ensure your vendor has properly configured your domain authentication (SPF and DKIM) using their recommended CNAMEs for the relevant subdomains. Learn more about DMARC, SPF, and DKIM in our comprehensive guide.

DMARC, alignment, and their impact

DMARC (Domain-based Message Authentication, Reporting, and Conformance) plays a critical role in email deliverability, especially with a third-party sender. While SPF and DKIM verify the sender, DMARC enforces alignment. This means that the domain in the visible From header must align with the domain used for either SPF (the Return-Path) or DKIM (the d= tag in the DKIM signature).

Even if SPF and DKIM pass their individual checks, a DMARC failure can occur if alignment fails. For instance, if your From domain is yourdomain.com, but the Return-Path is em.sendgrid.net and DKIM is not correctly configured to align with yourdomain.com, then DMARC will fail. With a policy like p=quarantine, this will cause your emails to go to spam or junk folders. We have a detailed guide on how to safely transition your DMARC policy.

DMARC best practice

Always ensure your third-party vendor configures proper domain authentication (SPF and DKIM) so that it aligns with your From domain. This is essential for DMARC pass results and optimal inbox placement. Regularly monitor your DMARC reports to identify any authentication or alignment issues. You can also use a DMARC record generator.

Implementing BIMI (Brand Indicators for Message Identification) further highlights the importance of DMARC. BIMI requires a DMARC policy of p=quarantine or p=reject to display your brand logo. If your DMARC records show failures due to third-party sending, it indicates underlying deliverability issues that need to be addressed before your emails consistently land in the inbox.

Understanding IP and domain reputation

Even with perfect authentication, the reputation of the sending IP address and the sending domain significantly impacts inbox placement. When using a third-party vendor like SendGrid with a dedicated IP, you have more control, but if you're on a shared IP pool, your deliverability can be affected by the sending practices of other users on that same IP. If other senders on a shared IP are sending spam or exhibiting poor email hygiene, it can lead to that IP being listed on a blocklist (or blacklist).

Major mailbox providers, such as

Gmail,

Yahoo, and

Outlook, heavily weigh both IP and domain reputation when making inbox placement decisions. A poor IP reputation or a high spam complaint rate can trigger their spam filters, regardless of your authentication status. Furthermore, content filters can also play a role, flagging emails based on keywords, links, or formatting that resemble spam. You can find out more by reading this article on tips to keep emails out of spam.

Good reputation factors

Consistently high inbox placement rates for your vendor's overall sending infrastructure.

Low spam complaint rates from subscribers receiving emails through the vendor.

Prompt removal from blocklists (blacklists) if a temporary listing occurs.

Proper bounce management and list hygiene practices by the vendor.

Poor reputation factors

Frequent blocklist (blacklist) listings of shared IPs used by your vendor, impacting all senders on those IPs. You can check your status with a blocklist checker.

High spam complaint rates, especially if other users on the shared IP are sending unsolicited mail. We cover what happens when your domain is blocklisted.

Poor domain reputation due to inconsistent sending volumes or spikes in activity. Learn about domain reputation.

Regularly monitoring your domain and IP reputation is key to proactive deliverability management. Tools that provide blocklist monitoring can alert you if your sending IPs are listed, allowing you to address the issue promptly with your vendor. Understanding how email blacklists work is also beneficial.

Actionable troubleshooting for spam placement

When facing spam placement issues, a systematic approach is essential. Start by reviewing the full email headers of the messages that landed in the junk folder. This is arguably the most crucial step, as headers contain vital information about authentication results (SPF, DKIM, DMARC), spam scores, and the precise path the email took to reach the recipient. Look for any Authentication-Results lines that indicate failures or soft-fails, as well as any spam filtering scores or reasons provided by the receiving mailbox provider. This can help you diagnose if emails are landing in spam despite passing DKIM, SPF, and DMARC.

Next, engage directly with your third-party vendor. Share the problematic email headers with them and explain the issue. They should have access to their own logs and deliverability data for your account, which can provide deeper insights into why your messages are being flagged. Inquire about their shared IP reputation, any recent spam complaints, or specific content-related issues that might be affecting your emails. They might also provide guidance on phishing issues with SendGrid or Mailgun.

Finally, proactively monitor your own email program's metrics. Pay close attention to spam complaint rates (often available via postmaster tools for

Gmail and

Outlook), bounce rates, and engagement metrics (opens, clicks). High complaint rates can quickly tank your sender reputation, leading to more spam folder placements. Regularly cleaning your email lists and sending relevant content to engaged subscribers will significantly improve your overall deliverability. We also have a guide on technical solutions from top-performing senders.

Verify Authentication: Confirm that your vendor has correctly implemented domain authentication (SPF and DKIM) for your sending domain, ensuring proper DMARC alignment. You can use our email deliverability tester.
Review Content: Check your email content for elements commonly flagged by spam filters, such as excessive links, suspicious phrasing, or large images without text. Ensure your unsubscribe mechanism is prominent and functional.
Monitor Reputation: Regularly monitor your IP and domain reputation. This includes checking for any blocklist (or blacklist) listings that might affect your vendor's sending IPs, especially if you're on a shared infrastructure.
List Hygiene: Implement strict list hygiene practices to remove inactive or invalid email addresses. Sending to unengaged recipients can significantly increase spam complaints and negatively impact your sender reputation. This can also help you diagnose email deliverability issues.

Moving forward with your deliverability

Resolving spam placement issues with a third-party vendor like SendGrid involves a multi-faceted approach. It combines meticulous authentication setup with continuous monitoring of reputation and content. The key is to understand that while a vendor provides the sending infrastructure, your domain's reputation and how you manage your email program are equally, if not more, important.

By proactively verifying your authentication, scrutinizing email headers, maintaining good list hygiene, and working closely with your vendor, you can significantly improve your email deliverability. This ensures your legitimate emails reach your customers' inboxes, supporting your communication and business objectives.

Views from the trenches

Best practices

Ensure your third-party vendor configures proper domain authentication (SPF and DKIM) using CNAME records.

Verify DMARC alignment, as it's crucial for your emails to pass authentication checks effectively.

Regularly clean your email lists to remove inactive or invalid addresses, reducing bounces and spam complaints.

Monitor your sender reputation using postmaster tools and third-party monitoring services.

Common pitfalls

Incorrectly adding an ESP's primary domain to your SPF record instead of using provided subdomain CNAMEs.

Ignoring DMARC reports, which can reveal crucial authentication and alignment failures.

Failing to communicate with your third-party vendor about deliverability issues, hindering their ability to assist.

Sending emails with generic or spammy content, regardless of authentication, leading to content-based filtering.

Expert tips

Always request example email headers from recipients experiencing spam placement to diagnose the exact issue.

Leverage DMARC reports to identify the specific authentication (SPF/DKIM) failures and alignment problems.

If on a shared IP, understand that your deliverability can be impacted by other senders, making a dedicated IP a consideration for high-volume senders.

Prioritize email list hygiene and sending relevant content to engaged users to build and maintain a strong sender reputation.

Expert view

Expert from Email Geeks says SendGrid almost always uses a subdomain return path, and SPF checks against this return path, not the friendly from address.

2022-11-04 - Email Geeks

Expert view

Expert from Email Geeks says you should set up a branded mail from (envelope) for better deliverability with third-party vendors.

2022-11-04 - Email Geeks