TL;DR
SendGrid (now part of Twilio) is an enterprise-grade email platform with robust security. It offers scoped API keys, required domain authentication, and webhook signing. Being one of the largest email providers, it's battle-tested and compliant with major standards. Protect your API keys and configure domain authentication properly.
What is SendGrid?
SendGrid is an email delivery platform for transactional and marketing emails. Now owned by Twilio, it handles email for companies like Spotify, Uber, and Airbnb. It offers APIs, an SMTP relay, and email marketing tools.
Our Verdict
What's Good
- Twilio security standards
- Scoped API key permissions
- Domain authentication required
- Event webhook signing
- SOC 2, ISO 27001 certified
What to Watch
- API key exposure risk
- Complex permission model
- Account takeover history
API Key Security
Scoped Keys: SendGrid allows you to create API keys with specific permissions. Create minimal-permission keys for each use case.
Permission Levels
| Permission | Access | Use Case |
|---|---|---|
| Full Access | Everything | Admin only, never in code |
| Restricted | Selected permissions | Production apps |
| Billing | Billing only | Finance access |
Best Practice: Create a restricted API key with only "Mail Send" permission for your applications. Never use full-access keys in production code.
Domain Authentication
SendGrid requires proper domain setup:
- Domain authentication: Proves you own the sending domain
- DKIM: Cryptographic signing of emails
- SPF: Authorizes SendGrid's servers to send on behalf of your domain
- Link branding: Custom tracking domains
Webhook Security
SendGrid's Event Webhooks need verification:
- Signed events: Verify webhook signatures
- HTTPS required: Encrypted endpoints only
- OAuth 2.0: Optional additional security
- IP allowlisting: Restrict webhook sources
Security Checklist
| Item | Status |
|---|---|
| Use restricted API keys | Required |
| Domain authentication | Required |
| Two-factor authentication | Strongly recommended |
| Webhook verification | Required if using webhooks |
| API key rotation | Recommended quarterly |
Is SendGrid safe for production?
Yes, SendGrid is enterprise-grade and powers email for major companies. It's SOC 2 and ISO 27001 certified. Use scoped API keys and configure domain authentication for secure operation.
SendGrid vs Resend: which is more secure?
Both are secure. SendGrid has more enterprise features and a longer track record. Resend is simpler with fewer options to misconfigure. Choose based on the features you need; both handle the security fundamentals well.
What if my API key is exposed?
Immediately delete the key in the SendGrid dashboard and create a new one. An exposed key could be used to send spam from your domain, damaging your sender reputation.