SendGrid's onboarding looks fast — sign up, paste an API key, send. The decisions hidden inside that flow (which Twilio org, which subuser, which sender identity, which API key scopes) lock in choices that are painful to reverse at month 6. Here's the setup that doesn't rot.
Who this is for
Developers and founders creating a fresh SendGrid account, or inheriting one that was spun up in 10 minutes with a single Full Access API key and a personal Gmail. If you're on the free plan and want to scale past 100/day without a deliverability cliff, this is the foundation.
What you'll need
Step 1
sendgrid.com → Start for Free. SendGrid is now part of Twilio — you'll create a Twilio account, then provision the SendGrid Email API inside it.
Go to sendgrid.com → Start for Free. As of 2026, this redirects through twilio.com — SendGrid lives inside Twilio Console as the Email API product.
Use a business email on your sending domain (e.g., founder@yourbrand.com). Avoid personal Gmail — ownership transfer later is messy and Twilio support gates some actions on the verified account email.
Complete the Twilio profile: business name, address (required for CAN-SPAM compliance), country, and use case ("Email marketing," "Transactional email," or "Both").
When prompted, choose the Free plan to start (100 emails/day forever, no expiry). Paid tiers (Essentials, Pro, Premier) unlock dedicated IPs and higher quotas — upgrade only when you hit the free ceiling.
After login: Twilio Console → product menu (top-left) → Email API → SendGrid. Bookmark this URL — Twilio Console rearranges itself periodically.
Step 2
Twilio Console → Account → User profile → Two-factor authentication. SendGrid API keys are bearer tokens — if your Twilio login is compromised, every key can be regenerated.
Twilio Console → click your profile (top-right) → Account → User profile → Security.
Enable Two-factor authentication. Choose Authenticator app (Authy, 1Password, Google Authenticator) over SMS — SIM-swap attacks against Twilio accounts are documented.
Save the backup codes in your password manager. Losing 2FA without backup codes means a Twilio support ticket with identity verification.
Repeat for every team member who logs in. SendGrid's SSO is paid-tier only; 2FA is the floor for free + Essentials accounts.
Step 3
SendGrid → Settings → Sender Authentication → Single Sender Verification. Use this to send your first test email. Replace with Domain Authentication in the next tutorial.
SendGrid → Settings → Sender Authentication → Single Sender Verification → Create New Sender.
Fill in: From Name ("Sarah at Yourbrand"), From Email Address (e.g., hello@yourbrand.com — must be a real mailbox you can check), Reply To (same address is fine), and a real physical address (CAN-SPAM requirement).
Click Create. SendGrid sends a verification email to the From Email Address. Open it and click the verification link.
Single Sender is a quick-start hack — it only verifies that ONE email address. Marketing Campaigns and any meaningful production sending REQUIRE Domain Authentication. Treat Single Sender as a one-week stopgap.
After verification, you can send test emails via the API or Marketing Campaigns from this address only.
Step 4
SendGrid → Settings → API Keys → Create API Key. Choose Restricted Access. Grant only Mail Send + Stats Read.
SendGrid → Settings → API Keys → Create API Key.
API Key Name: name it by USE, not by person — e.g., "production-mail-send-2026" or "marketing-app-prod." Future-you needs to know what it does.
API Key Permissions: choose Restricted Access (never Full Access for an application key).
Toggle Mail Send → Full Access (the app needs to send). Toggle Stats → Read Access (so you can pull metrics). Leave everything else at No Access.
Click Create & View. SendGrid shows the key ONCE. Copy it immediately to your password manager + your env var store. There is no way to view it again — only regenerate.
Paste into your `.env`: `SENDGRID_API_KEY=SG.xxxxxxxx`. Add `.env` to `.gitignore` if not already.
Test from terminal: `curl -X POST https://api.sendgrid.com/v3/mail/send -H "Authorization: Bearer $SENDGRID_API_KEY" -H "Content-Type: application/json" -d '{"personalizations":[{"to":[{"email":"you@yourbrand.com"}]}],"from":{"email":"hello@yourbrand.com"},"subject":"Test","content":[{"type":"text/plain","value":"hello"}]}'`
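The same test send as a script, added here as an example (not the tutorial's own code): before it sends, it asks the API which scopes the key actually carries, so a key that was accidentally created with Full Access is flagged before it ships. It assumes the key is in SENDGRID_API_KEY and reuses the hello@/you@yourbrand.com addresses from the curl test; the rule that an application key should hold only mail.* and *.read scopes is an assumption about scope naming, not a SendGrid check.

```python
import json
import os
import sys
import urllib.error
import urllib.request

API_BASE = "https://api.sendgrid.com/v3"


def build_mail_payload(to_addr, from_addr, subject, body):
    """Same JSON body as the curl test in Step 4, as a dict."""
    return {
        "personalizations": [{"to": [{"email": to_addr}]}],
        "from": {"email": from_addr},
        "subject": subject,
        "content": [{"type": "text/plain", "value": body}],
    }


def unexpected_scopes(granted):
    """Scopes an application key should not hold (empty set = properly restricted).
    Assumption about naming: a Mail Send + Stats Read key needs only mail.* and *.read
    scopes; anything else (api_keys.create, suppression.delete, ...) is broader than intended."""
    return {s for s in granted if not (s.startswith("mail.") or s.endswith(".read"))}


def api_call(key, method, path, payload=None):
    """Authenticated v3 call; returns (HTTP status, response body)."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(API_BASE + path, data=data, method=method, headers={
        "Authorization": f"Bearer {key}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode()


def main():
    key = os.environ.get("SENDGRID_API_KEY") or sys.exit("SENDGRID_API_KEY not set; load .env first")
    try:  # GET /v3/scopes reports the scopes the calling key holds
        _, body = api_call(key, "GET", "/scopes")
    except urllib.error.HTTPError as err:
        print(f"could not list scopes (HTTP {err.code}); check the key under Settings > API Keys")
    else:
        extra = unexpected_scopes(json.loads(body)["scopes"])
        if extra:
            sys.exit(f"key holds scopes it should not; rotate it: {sorted(extra)}")
    payload = build_mail_payload("you@yourbrand.com", "hello@yourbrand.com", "Test", "hello")
    status, _ = api_call(key, "POST", "/mail/send", payload)
    print("mail/send returned HTTP", status)  # 202 = accepted for delivery


if __name__ == "__main__":
    main()
```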
Step 5
SendGrid → Settings → Mail Settings. Turn on the right toggles for footer compliance, click tracking, and bounce handling.
SendGrid → Settings → Mail Settings.
Address Whitelabel: OFF until link-branding is set up in Tutorial 2. Enabling without a CNAME breaks links silently.
Footer: ON. Set a default footer with your physical address + an unsubscribe link. CAN-SPAM requires both on every commercial email.
Event Webhook: leave OFF for now — Tutorial 7 covers configuring it properly.
Bounce Purge: ON, set to 60 days. Bounced addresses stay on the bounce suppression list and are purged after 60 days, so a mailbox that has since been fixed can receive mail again.
Spam Checks: ON. SendGrid pre-scans outbound content for SpamAssassin score >5.0 and blocks the worst before sending. Cheap insurance.
Settings → Tracking Settings: enable Open Tracking + Click Tracking initially. You can disable Open Tracking later per send if you want cleaner Apple-MPP-resistant metrics.
Step 6
SendGrid → Settings → Teammates → Add Teammate. Use the built-in role presets — never share the owner login.
SendGrid → Settings → Teammates → Add Teammate.
Enter the teammate's email. SendGrid sends them an invite.
Choose Teammate Permissions: pick role-based presets. Developer = API + integration access. Marketer = Marketing Campaigns + templates. Accountant = Billing only. Read-only = stats only.
Custom Permissions: scope-by-scope toggle for unusual cases. Default to the presets — custom permissions are easy to get wrong.
Never share the owner login or hand out Full Access. Teammates is included on every paid plan; the free plan gets one teammate slot.
On Pro+ plans, enable SSO via Twilio Console → Identity & Access → SSO. Eliminates password reuse across the org.
Step 7
Send one test from API/Marketing Campaigns to a Gmail, Outlook, and Yahoo address you control. Verify inbox placement before any production traffic.
Either: Marketing Campaigns → Create Single Send → write a basic email and send to 3 test addresses (one Gmail, one Outlook, one Yahoo).
OR: send via API using the curl command in Step 4, targeting the same three addresses.
Open each inbox. Verify: From Name displays correctly, subject renders, unsubscribe link is present, physical address is in the footer.
Check WHERE the email landed: Gmail Primary vs Promotions, Outlook Focused vs Other, Yahoo Inbox vs Spam.
If it landed in spam or Promotions on a freshly-verified Single Sender, that's expected — Domain Authentication in Tutorial 2 fixes it. If it landed in Gmail Primary on Single Sender alone, you got lucky; still finish auth.
Click the unsubscribe link in your test email. Verify it adds the address to SendGrid → Suppressions → Global Unsubscribes.
Common mistakes
Creating a Full Access API key and pasting it everywhere
What goes wrong: A leaked Full Access key gives attackers control over suppressions, sender reputation, and billing. The standard incident: key committed to a public repo, picked up by GitHub scrapers in <60 seconds, used to send spam from your authenticated domain. Cleanup is a $500-2,000 incident (key rotation, IP de-listing, customer notification).
How to avoid: Use Restricted Access keys with Mail Send + Stats only. Rotate any Full Access keys older than 90 days. Use GitHub secret scanning to catch leaked keys before attackers do.
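Added example, not part of this tutorial: a small pre-commit scanner for the SendGrid key shape ("SG." + 22-character key id + "." + 43-character secret, the same pattern GitHub secret scanning matches), so a key pasted into a tracked file is caught before the push instead of 60 seconds after it. It assumes a git repository and Python 3; the sample .env text and the key in it are constructed, with the lengths built to match the real shape.

```python
import re
import subprocess
import sys

# SendGrid API keys are "SG." + 22-char key id + "." + 43-char secret (URL-safe base64 alphabet).
SENDGRID_KEY_RE = re.compile(r"SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}")

# Constructed fake key for the self-test; segment lengths are built to match the real shape.
FAKE_KEY = "SG." + "EXAMPLEkeyid" + "0" * 10 + "." + "EXAMPLEsecret" + "x" * 30
SAMPLE_ENV = f"# constructed sample .env\nSENDGRID_API_KEY={FAKE_KEY}\nDATABASE_URL=postgres://localhost/app\n"


def redact(key):
    """Keep the key-id segment so you know which key to revoke in the UI; drop the secret."""
    return "SG." + key.split(".")[1] + ".***"


def find_keys(text):
    """Return (line_number, redacted_key) for every SendGrid-shaped key in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hits.extend((lineno, redact(m.group(0))) for m in SENDGRID_KEY_RE.finditer(line))
    return hits


def staged_files():
    """Paths staged for commit (added/copied/modified), as a pre-commit hook sees them."""
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                         capture_output=True, text=True, check=True).stdout
    return [p for p in out.splitlines() if p]


def scan_paths(paths):
    """Return [(path, line_number, redacted_key)] across the files; unreadable or binary files are skipped."""
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8") as fh:
                findings.extend((path, ln, key) for ln, key in find_keys(fh.read()))
        except (OSError, UnicodeDecodeError):
            continue
    return findings


def main():
    findings = scan_paths(sys.argv[1:] or staged_files())
    for path, ln, key in findings:
        print(f"{path}:{ln}: SendGrid API key {key} is about to be committed")
    sys.exit(1 if findings else 0)  # non-zero aborts the commit when installed as .git/hooks/pre-commit


if __name__ == "__main__":
    main()
```

Run it with explicit paths (`python scan.py .env config.yml`) or with no arguments from a pre-commit hook, where it scans whatever is staged.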
Signing up under a personal Gmail
What goes wrong: Twilio support gates ownership transfer on the verified account email. Founder leaves → account is locked to their Gmail → 2-4 weeks of support tickets and identity verification to recover. Multiple production senders have lost weeks of email this way.
How to avoid: Sign up with a business-domain email (founder@yourbrand.com, ops@yourbrand.com). For solo founders, use a domain alias that forwards to your personal inbox — keeps ownership on the domain.
Skipping 2FA on the Twilio parent account
What goes wrong: SendGrid API keys are bearer tokens. A compromised Twilio login can regenerate every key, drain SMS balance, and lock you out. Twilio account takeovers via SMS-based SIM swap have been documented multiple times.
How to avoid: Twilio Console → Account → User profile → Security → enable 2FA via Authenticator app (not SMS). Save backup codes in your password manager. Enforce for every teammate.
Going to production on Single Sender Verification
What goes wrong: Single Sender authenticates one address, not the domain. Gmail/Outlook can't DKIM-align the message to your brand, so deliverability is capped around 60-70%. On 1,000/day sends, that's ~3,000 missed emails/month landing in Promotions or Spam.
How to avoid: Set up Domain Authentication (Tutorial 2) before any production traffic. Single Sender is a one-week stopgap for testing only — switch within the first week of going live.
No physical address or fake address in the footer
What goes wrong: CAN-SPAM requires a real physical address on every commercial email. Fake addresses trigger compliance complaints; missing addresses get accounts flagged in SendGrid's Trust + Safety review (suspension within 30-60 days).
How to avoid: Settings → Mail Settings → Footer → set a real address (business address or PO box, both valid). Include it on every send — Marketing Campaigns + transactional templates.
No password manager — pasting the API key in Notion/Slack/email
What goes wrong: Once the key is in chat history or a wiki, it's in 5+ places you can't audit. New hire reads old onboarding doc, copies the key, pastes it into their own script — now there are uncontrolled copies. Rotation becomes 'rotate and hope.'
How to avoid: Treat API keys like passwords. Store ONLY in your password manager (1Password, Bitwarden, AWS Secrets Manager). When sharing, share via the manager — never paste into chat or docs.
Recap
Done — what's next
How to set up SendGrid domain authentication — DKIM CNAMEs, SPF, DMARC, and link branding
Hand it off
SendGrid setup looks like a 15-minute task and bills like one — the cost shows up at month 6 when a leaked key drains the sender reputation you spent months building. A specialist who's set up 50+ SendGrid accounts will sequence auth, scoped keys, and footer compliance correctly on day one. Typical setup engagement is $300-600 of one-time work at $14-16/hr.
Both. Twilio acquired SendGrid in 2019. The product is officially Twilio SendGrid; the SendGrid dashboard is now nested inside Twilio Console. You log in at twilio.com (or sendgrid.com, which redirects). The API endpoint and product capabilities are unchanged.
Free is 100 emails/day forever. Essentials starts at $19.95/mo for 50K/mo and unlocks dedicated IP eligibility (Pro+). Upgrade when you consistently hit the 100/day cap, OR when you need to remove the SendGrid footer/branding, OR when you need more than 1 teammate.
Yes — set it up before generating API keys, not after. Once a Restricted Access key is generated, it can send mail under your authenticated domain. If your Twilio login is compromised before 2FA is on, your reputation is at risk before you've ever sent your first marketing campaign.
Not in production. SendGrid will let you verify hello@gmail.com as a Single Sender, but DMARC alignment requires the From domain to match the authenticated domain. Sending from @gmail.com via SendGrid will land in spam at Gmail itself (Gmail recognizes the spoofing pattern).
Single Sender verifies ONE email address can send through SendGrid. Domain Authentication adds DKIM CNAMEs to your DNS so Gmail/Outlook can cryptographically verify any email from any address on your domain came from your authenticated SendGrid account. Single Sender = stopgap; Domain Authentication = production.
Create a new key with the same scopes. Deploy to your env vars. Verify traffic is flowing on the new key (SendGrid → Settings → API Keys → Last Used). THEN delete the old key. Never delete first — there's no way to recover a deleted key.