Ron Rangaiya
Oct 6, 2020
(1 votes)

Best practices for SendGrid SMTP Integration

Episerver DXP service includes a SendGrid account for sending emails. Adding SMTP configuration is straightforward and typically common knowledge, in this post I'll highlight some best practices to secure your SendGrid account.

As part of your DXP setup, Episerver Managed Services will provide your SendGrid account credentials (username and password).

1. Use API keys for authentication

Do not use the supplied account username and password for authenticating against the SendGrid SMTP API. This username and password allow full access to your SendGrid account so it is a security risk if this credential gets compromised.

API Keys add an additional layer of security for your account and is the recommended way to securely talk to SendGrid APIs. You can create API keys from the Settings section of the SendGrid Portal. If your API key does get compromised, it is easy to delete and create a new one and update your environment variables. 

Use the API key for Bearer authentication when calling SendGrid APIs. For Episerver to send out email notifications, you will need to add SMTP settings in web config. Set the username to "apikey" and use the API key for the password value. While this is still authenticating via Basic authentication, it is using an API key which is recommended.

2. Restricted permissions for API keys

API keys should be created with the minimum required permission level to provide access to different functions of your account. To further improve security, you should create separate API keys for use in each DXP environment.

For example, the below API key only has permission to send emails.

3. Secret variables for API keys

As a good practice, do not store API keys in source control. It is sensitive data and shouldn't be accessible to anyone who has access to the code repository. Instead, you should store them in your Azure Pipelines as secret variables or in Azure Key Vault and access them from your Azure Pipeline.

I used a 3rd party extension Replace Tokens as a step in my Azure Pipeline to inject the API key into the SMTP settings in my web config.

Below is my Replace Tokens task (YAML) to update the environment web config files on the fly with the required SendGrid credentials before pushing the code package to DXP using the Deployment API.

Azure pipeline variables for SendGrid credentials

If you are using the App Service Deploy task to deploy to your DXP environment, refer to this blog on how to do variable substitution using parameters.xml.

4. Two-factor authentication

For improved security, enable two-factor authentication for your account. It looks like SendGrid will soon be enforcing this soon

Note once you enable two-factor authentication, SendGrid will no longer accept the account username and password for API authentication. Thus further protecting your account from malicious use if account credentials are compromised. 

5. Sender authentication

Setup sender authentication to improve your domain's reputation and email deliverability. Request the TXT record from Episerver Managed Services and give it to your DNS provider to configure the Sender Policy Framework (SPF) record.

Oct 06, 2020


Mike Malloy
Mike Malloy Oct 21, 2020 01:14 PM

For #5, Send authentication.

If we add that SPF record for sendgrid, it includes all of * Is there a way to narrow down the SPF record so it does not include all of sendgrid?

Oct 23, 2020 11:44 AM

SendGrid does support dedicated IP addresses, though this feature may not be available to the sub user account that comes with Episerver DXP. Something to ask Managed Services. 

Please login to comment.
Latest blogs
Content Delivery API – The Case of the Duplicate API Refresh Token

Creating a custom refresh provider to resolve the issues with duplicate tokens in the DXC The post Content Delivery API – The Case of the Duplicate...

David Lewis | Sep 29, 2022 | Syndicated blog

New Optimizely certifications - register for beta testing before November 1st

In January 2023, Optimizely is making updates to the current versions of our certification exams to make sure that each exam covers the necessary...

Jamilia Buzurukova | Sep 28, 2022

Optimizely community meetup - Sept 29 (virtual + Melbourne)

Super excited to be presenting this Thursday the 29th of September at the Optimizely community meetup. For the full details and RSVP's see the...

Ynze | Sep 27, 2022 | Syndicated blog

Preview multiple Visitor Groups directly while browsing your Optimizely site

Visitor groups are great - it's an easy way to add personalization towards market segments to your site. But it does come with it's own set of...

Allan Thraen | Sep 26, 2022 | Syndicated blog