Don't miss out Virtual Happy Hour this Friday (April 26).

Try our conversational search powered by Generative AI!

Ronil Rangaiya
Oct 6, 2020
(1 votes)

Best practices for SendGrid SMTP Integration

Episerver DXP service includes a SendGrid account for sending emails. Adding SMTP configuration is straightforward and typically common knowledge, in this post I'll highlight some best practices to secure your SendGrid account.

As part of your DXP setup, Episerver Managed Services will provide your SendGrid account credentials (username and password).

1. Use API keys for authentication

Do not use the supplied account username and password for authenticating against the SendGrid SMTP API. This username and password allow full access to your SendGrid account so it is a security risk if this credential gets compromised.

API Keys add an additional layer of security for your account and is the recommended way to securely talk to SendGrid APIs. You can create API keys from the Settings section of the SendGrid Portal. If your API key does get compromised, it is easy to delete and create a new one and update your environment variables. 

Use the API key for Bearer authentication when calling SendGrid APIs. For Episerver to send out email notifications, you will need to add SMTP settings in web config. Set the username to "apikey" and use the API key for the password value. While this is still authenticating via Basic authentication, it is using an API key which is recommended.

2. Restricted permissions for API keys

API keys should be created with the minimum required permission level to provide access to different functions of your account. To further improve security, you should create separate API keys for use in each DXP environment.

For example, the below API key only has permission to send emails.

3. Secret variables for API keys

As a good practice, do not store API keys in source control. It is sensitive data and shouldn't be accessible to anyone who has access to the code repository. Instead, you should store them in your Azure Pipelines as secret variables or in Azure Key Vault and access them from your Azure Pipeline.

I used a 3rd party extension Replace Tokens as a step in my Azure Pipeline to inject the API key into the SMTP settings in my web config.

Below is my Replace Tokens task (YAML) to update the environment web config files on the fly with the required SendGrid credentials before pushing the code package to DXP using the Deployment API.

Azure pipeline variables for SendGrid credentials

If you are using the App Service Deploy task to deploy to your DXP environment, refer to this blog on how to do variable substitution using parameters.xml.

4. Two-factor authentication

For improved security, enable two-factor authentication for your account. It looks like SendGrid will soon be enforcing this soon

Note once you enable two-factor authentication, SendGrid will no longer accept the account username and password for API authentication. Thus further protecting your account from malicious use if account credentials are compromised. 

5. Sender authentication

Setup sender authentication to improve your domain's reputation and email deliverability. Request the TXT record from Episerver Managed Services and give it to your DNS provider to configure the Sender Policy Framework (SPF) record.

Oct 06, 2020


Mike Malloy
Mike Malloy Oct 21, 2020 01:14 PM

For #5, Send authentication.

If we add that SPF record for sendgrid, it includes all of * Is there a way to narrow down the SPF record so it does not include all of sendgrid?

Oct 23, 2020 11:44 AM

SendGrid does support dedicated IP addresses, though this feature may not be available to the sub user account that comes with Episerver DXP. Something to ask Managed Services. 

Please login to comment.
Latest blogs
Solving the mystery of high memory usage

Sometimes, my work is easy, the problem could be resolved with one look (when I’m lucky enough to look at where it needs to be looked, just like th...

Quan Mai | Apr 22, 2024 | Syndicated blog

Search & Navigation reporting improvements

From version 16.1.0 there are some updates on the statistics pages: Add pagination to search phrase list Allows choosing a custom date range to get...

Phong | Apr 22, 2024

Optimizely and the never-ending story of the missing globe!

I've worked with Optimizely CMS for 14 years, and there are two things I'm obsessed with: Link validation and the globe that keeps disappearing on...

Tomas Hensrud Gulla | Apr 18, 2024 | Syndicated blog

Visitor Groups Usage Report For Optimizely CMS 12

This add-on offers detailed information on how visitor groups are used and how effective they are within Optimizely CMS. Editors can monitor and...

Adnan Zameer | Apr 18, 2024 | Syndicated blog