Ron Rangaiya
Oct 6, 2020
(1 votes)

Best practices for SendGrid SMTP Integration

Episerver DXP service includes a SendGrid account for sending emails. Adding SMTP configuration is straightforward and typically common knowledge, in this post I'll highlight some best practices to secure your SendGrid account.

As part of your DXP setup, Episerver Managed Services will provide your SendGrid account credentials (username and password).

1. Use API keys for authentication

Do not use the supplied account username and password for authenticating against the SendGrid SMTP API. This username and password allow full access to your SendGrid account so it is a security risk if this credential gets compromised.

API Keys add an additional layer of security for your account and is the recommended way to securely talk to SendGrid APIs. You can create API keys from the Settings section of the SendGrid Portal. If your API key does get compromised, it is easy to delete and create a new one and update your environment variables. 

Use the API key for Bearer authentication when calling SendGrid APIs. For Episerver to send out email notifications, you will need to add SMTP settings in web config. Set the username to "apikey" and use the API key for the password value. While this is still authenticating via Basic authentication, it is using an API key which is recommended.

2. Restricted permissions for API keys

API keys should be created with the minimum required permission level to provide access to different functions of your account. To further improve security, you should create separate API keys for use in each DXP environment.

For example, the below API key only has permission to send emails.

3. Secret variables for API keys

As a good practice, do not store API keys in source control. It is sensitive data and shouldn't be accessible to anyone who has access to the code repository. Instead, you should store them in your Azure Pipelines as secret variables or in Azure Key Vault and access them from your Azure Pipeline.

I used a 3rd party extension Replace Tokens as a step in my Azure Pipeline to inject the API key into the SMTP settings in my web config.

Below is my Replace Tokens task (YAML) to update the environment web config files on the fly with the required SendGrid credentials before pushing the code package to DXP using the Deployment API.

Azure pipeline variables for SendGrid credentials

If you are using the App Service Deploy task to deploy to your DXP environment, refer to this blog on how to do variable substitution using parameters.xml.

4. Two-factor authentication

For improved security, enable two-factor authentication for your account. It looks like SendGrid will soon be enforcing this soon

Note once you enable two-factor authentication, SendGrid will no longer accept the account username and password for API authentication. Thus further protecting your account from malicious use if account credentials are compromised. 

5. Sender authentication

Setup sender authentication to improve your domain's reputation and email deliverability. Request the TXT record from Episerver Managed Services and give it to your DNS provider to configure the Sender Policy Framework (SPF) record.

Oct 06, 2020


Mike Malloy
Mike Malloy Oct 21, 2020 01:14 PM

For #5, Send authentication.

If we add that SPF record for sendgrid, it includes all of * Is there a way to narrow down the SPF record so it does not include all of sendgrid?

Oct 23, 2020 11:44 AM

SendGrid does support dedicated IP addresses, though this feature may not be available to the sub user account that comes with Episerver DXP. Something to ask Managed Services. 

Please login to comment.
Latest blogs
Optimizely SendGrid SMTP host is deprecated

SendGrid is a services for sending email that is included in Optimizely DXP. Previously was the recommended SMTP server to use,...

Tomas Hensrud Gulla | Dec 4, 2022 | Syndicated blog

Hosting Optimizely CMS 12 on Docker Engine

Since Optimizely CMS can now be deployed as a Docker container, here is a demonstration of building, running and scaling an Optimizely CMS 12 site ...

Stefan Holm Olsen | Dec 4, 2022 | Syndicated blog

How to use CacheTagHelper with content areas in Optimizely CMS 12

I might be going out on a limb here - if you have a better solution, feel very free to share it!  Upgrading your Optimizely web application from .N...

Andreas J | Dec 2, 2022

The 1001st Piece in your 1000 Piece Puzzle: .NET Default Interface Functions

I was recently working with a client who wanted a reasonably large subsystem added to Optimizely that would add automated management to their...

Greg J | Nov 28, 2022 | Syndicated blog