
Ronil Rangaiya
Oct 6, 2020

Best practices for SendGrid SMTP Integration

The Episerver DXP service includes a SendGrid account for sending emails. Adding the SMTP configuration is straightforward and generally well known, so in this post I'll highlight some best practices for securing your SendGrid account.

As part of your DXP setup, Episerver Managed Services will provide your SendGrid account credentials (username and password).

1. Use API keys for authentication

Do not use the supplied account username and password to authenticate against the SendGrid SMTP API. This username and password give full access to your SendGrid account, so they are a serious security risk if they are compromised.

API keys add an additional layer of security for your account and are the recommended way to talk to the SendGrid APIs. You can create API keys from the Settings section of the SendGrid portal. If an API key is compromised, it is easy to delete it, create a new one and update your environment variables.

Use the API key as a Bearer token when calling the SendGrid Web APIs. For Episerver to send out email notifications, you will need to add SMTP settings in web.config: set the username to "apikey" and use the API key as the password value. This is still Basic authentication over SMTP, but it authenticates with a revocable API key rather than the account password, which is the recommended approach.

2. Restricted permissions for API keys

API keys should be created with the minimum permission level required for the functions of your account they need to access. To further improve security, create a separate API key for each DXP environment.

For example, the API key below only has permission to send emails.

3. Secret variables for API keys

As a good practice, do not store API keys in source control. They are sensitive data and shouldn't be readable by everyone who has access to the code repository. Instead, store them as secret variables in Azure Pipelines, or in Azure Key Vault, and read them from your Azure Pipeline at deployment time.

I used the third-party extension Replace Tokens as a step in my Azure Pipeline to inject the API key into the SMTP settings in my web.config.

Below is my Replace Tokens task (YAML), which updates the environment web.config files on the fly with the required SendGrid credentials before pushing the code package to DXP using the Deployment API.

Azure pipeline variables for SendGrid credentials

If you are using the App Service Deploy task to deploy to your DXP environment, refer to this blog on how to do variable substitution using parameters.xml.
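The web.config layout from section 1 and the token injection from section 3, as an added example that is not the post's own code and not the Replace Tokens task itself: a small Python script that performs the same #{...}# substitution the pipeline step does and then checks both the committed file and the deployed file. The sample web.config, the token name SendGridApiKey and the environment variable SENDGRID_API_KEY are constructed for this example; the #{name}# token syntax is assumed to match the extension's default.

```python
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample: the mailSettings section of an Episerver web.config as it
# should look in source control. userName is the literal "apikey" and the
# password holds a Replace Tokens placeholder, never the key itself.
SOURCE_WEB_CONFIG = """<configuration>
  <system.net>
    <mailSettings>
      <smtp from="noreply@example.com" deliveryMethod="Network">
        <network host="smtp.sendgrid.net" port="587" enableSsl="true"
                 userName="apikey" password="#{SendGridApiKey}#" />
      </smtp>
    </mailSettings>
  </system.net>
</configuration>
"""

# Replace Tokens' default token syntax is #{name}# (assumption for this example).
TOKEN_RE = re.compile(r"#\{([A-Za-z0-9_.\-]+)\}#")


def replace_tokens(text, values):
    """Substitute every #{name}# token from `values`; fail on a missing value
    so a deployment never ships with a placeholder left in web.config."""
    missing = sorted({m.group(1) for m in TOKEN_RE.finditer(text)} - set(values))
    if missing:
        raise KeyError("no value supplied for token(s): " + ", ".join(missing))
    return TOKEN_RE.sub(lambda m: values[m.group(1)], text)


def smtp_network_attrs(text):
    """Return the attributes of the first <network> element (the SMTP settings)."""
    node = next(ET.fromstring(text).iter("network"), None)
    if node is None:
        raise ValueError("web.config has no <network> element under mailSettings")
    return dict(node.attrib)


def check_source_config(text):
    """Findings for the file as committed: 'apikey' user name, a token rather
    than a real key in the password, and TLS enabled."""
    findings = []
    net = smtp_network_attrs(text)
    if net.get("userName") != "apikey":
        findings.append("userName should be the literal 'apikey'")
    password = net.get("password", "")
    if password.startswith("SG."):  # SendGrid API keys start with "SG."
        findings.append("a real SendGrid API key is committed in web.config")
    elif not TOKEN_RE.fullmatch(password):
        findings.append("password should be a #{...}# token in source control")
    if net.get("enableSsl", "").lower() != "true":
        findings.append("enableSsl should be true so the key is not sent in clear")
    return findings


def check_deployed_config(text):
    """Findings for the file after token replacement: no tokens left, key present."""
    findings = []
    leftover = sorted({m.group(1) for m in TOKEN_RE.finditer(text)})
    if leftover:
        findings.append("unreplaced token(s): " + ", ".join(leftover))
    net = smtp_network_attrs(text)
    if net.get("userName") != "apikey":
        findings.append("userName should be the literal 'apikey'")
    if not net.get("password", "").startswith("SG."):
        findings.append("password is not a SendGrid API key")
    return findings


if __name__ == "__main__":
    # SENDGRID_API_KEY is an assumed secret-variable name; the fallback is a constructed dummy.
    key = os.environ.get("SENDGRID_API_KEY", "SG.constructed-dummy-key-for-demo")
    print("source:", check_source_config(SOURCE_WEB_CONFIG) or "OK")
    deployed = replace_tokens(SOURCE_WEB_CONFIG, {"SendGridApiKey": key})
    print("deployed:", check_deployed_config(deployed) or "OK")
```

Running `check_source_config` as a pre-commit or pull-request check catches the mistake the section warns about (a real key pasted into web.config), and `check_deployed_config` run against the built package catches the opposite failure, a token the pipeline never substituted.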

4. Two-factor authentication

For improved security, enable two-factor authentication for your account. It looks like SendGrid will soon be enforcing this.

Note that once you enable two-factor authentication, SendGrid will no longer accept the account username and password for API authentication, which further protects your account from malicious use if the account credentials are compromised.

5. Sender authentication

Set up sender authentication to improve your domain's reputation and email deliverability. Request the TXT record from Episerver Managed Services and give it to your DNS provider to configure the Sender Policy Framework (SPF) record.
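An added example, not from the post, of checking the SPF record you publish for the domain: a Python parser for the record's terms that flags the things that commonly break deliverability or weaken the policy, namely the SendGrid include missing, a permissive `+all` or `?all`, and more than ten DNS-lookup terms (the RFC 7208 limit, which yields a permanent error). The record strings are constructed; `include:sendgrid.net` is assumed to be the mechanism in the record Managed Services supplies.

```python
# RFC 7208 counts each of these terms as a DNS lookup; more than 10 is a permerror.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, name, value) terms.

    Mechanisms look like [qualifier]name[:value] (e.g. ~all, include:sendgrid.net);
    modifiers look like name=value (e.g. redirect=_spf.example.com)."""
    parts = record.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1")
    terms = []
    for term in parts[1:]:
        qualifier = "+"  # default qualifier is pass
        if term and term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if "=" in term:
            name, _, value = term.partition("=")
        else:
            name, _, value = term.partition(":")
        terms.append((qualifier, name.lower(), value))
    return terms


def check_spf(record, required_include="sendgrid.net"):
    """Return a list of findings; an empty list means the record looks sound."""
    findings = []
    terms = parse_spf(record)

    lookups = sum(1 for _, name, _ in terms if name in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the RFC 7208 limit of 10 (permerror)")

    includes = {value for q, name, value in terms if name == "include" and q == "+"}
    if required_include not in includes:
        findings.append(f"include:{required_include} missing; mail relayed through SendGrid will not pass SPF")

    all_qualifiers = [q for q, name, _ in terms if name == "all"]
    if not all_qualifiers:
        findings.append("no 'all' term; unlisted senders get a neutral result")
    elif all_qualifiers[0] in "+?":
        findings.append(f"'{all_qualifiers[0]}all' lets any host pass; use ~all or -all")
    return findings


if __name__ == "__main__":
    # Constructed records: the expected shape, and two mistakes worth catching.
    for rec in ("v=spf1 include:sendgrid.net ~all",
                "v=spf1 include:sendgrid.net +all",
                "v=spf1 ip4:192.0.2.10 -all"):
        print(rec, "->", check_spf(rec) or "OK")
```

An `include:` pulls in whatever the included domain publishes, which is why it cannot be narrowed from the customer's side. With a dedicated IP (see the comments below), the sending address can instead be listed with an `ip4:` mechanism, which the checker above treats as a non-lookup term.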


Comments

Mike Malloy Oct 21, 2020 01:14 PM

For #5, Sender authentication.

If we add that SPF record for sendgrid, it includes all of *sendgrid.net. Is there a way to narrow down the SPF record so it does not include all of sendgrid?

Oct 23, 2020 11:44 AM

SendGrid does support dedicated IP addresses, though this feature may not be available to the sub user account that comes with Episerver DXP. Something to ask Managed Services. 
