Login Get Started →
// fix guide · SendGrid

Fix SendGrid emails going to spam

When SendGrid mail lands in spam, the defaults are usually to blame: sendgrid.net DKIM signing, ct.sendgrid.net link wrapping, and shared IPs all tie your reputation to a platform spammers have abused heavily for years. Domain authentication fixes both halves of DMARC at once on SendGrid (the em CNAME aligns SPF, the s1 and s2 CNAMEs align DKIM), which makes those three records the highest-leverage fix on this page. Below: the SendGrid-specific causes, including Microsoft's S3140 and S3150 blocks, and how to verify a fix with a real send.

Run a free spam test → How to test your sends
// why it happens

Why SendGrid emails land in spam.

01

Your mail is still signed by sendgrid.net, not your domain

A new SendGrid account can start sending with nothing more than Single Sender Verification, which confirms you control a From address and nothing else. Mail goes out DKIM-signed by sendgrid.net, Gmail shows "via sendgrid.net" next to your name, and DMARC alignment fails. Since the February 2024 Google and Yahoo rules, anyone sending 5,000+ emails a day to Gmail needs aligned authentication, and SendGrid's own docs treat Single Sender Verification as a testing-stage option. Complete domain authentication under Settings > Sender Authentication, then confirm the DKIM d= domain on a live send.

02

Every tracked link resolves through ct.sendgrid.net

With click tracking on and no link branding, SendGrid rewrites every link through its default ct.sendgrid.net tracking domain, and that domain has a documented history of phishing abuse: attackers mask malicious URLs behind SendGrid tracking redirects, and corporate filters such as Microsoft Defender have flagged sendgrid.net links as malicious outright. A link domain that never matches your From domain, on a redirector with that history, is a strong spam signal. Set up link branding in Settings > Sender Authentication so tracked links resolve through a subdomain of your own domain.

03

Essentials accounts share IPs with SendGrid's abuse problem

On the Essentials plan every send leaves from shared IP pools; dedicated IPs only arrive with Pro and Premier. SendGrid groups senders of similar reputation, but you still ride infrastructure on the platform spammers and phishers favor, including documented waves of hijacked accounts pumping out phishing mail. You cannot pick your pool, so control what you can: domain authentication and link branding move the signals filters weigh most onto your own domain, and consistent engagement keeps you grouped with better senders.

04

Microsoft is blocking the sending IP: 550 5.7.1 with S3140 or S3150

Outlook.com, Hotmail, and Microsoft 365 reject with 550 5.7.1 errors carrying an S3140 or S3150 code when they put the sending IP on their block list; Microsoft publishes no separate meaning for the two codes. These rejections land in your Blocks list, not Bounces, and SendGrid has confirmed that many recent S3140/S3150 blocks hit reputable senders during Microsoft-side filtering changes. Check your IPs in Microsoft SNDS: green results plus piling blocks is a strong case to file a delisting and support request at olcsupport.office.com with your domains, IPs, and the exact bounce text.

05

A fresh dedicated IP went straight to full volume

Pro and Premier plans include a dedicated IP, and the switch is a common trigger for sudden spam placement: the new IP has zero history, so providers throttle or junk high volume from it. SendGrid's guidance is to warm it gradually over weeks, starting with your most engaged recipients. Use SendGrid's automated IP warmup when the IP is added, or follow a manual ramp schedule, and keep volume consistent afterward, because an IP that sends in bursts cools back down.

06

Suppression lists were cleared, purged, or ignored

SendGrid automatically suppresses hard bounces, spam reports, and unsubscribes, then silently drops future sends to those addresses. Two failure modes follow. Deleting entries (or enabling bounce purge) re-mails dead and complaining addresses, which is exactly the behavior that sinks IP and domain reputation. And because drops are silent, senders sometimes "fix" missing mail by clearing the lists; check the Activity Feed for Dropped events before touching them.

// authentication

How SendGrid authenticates your mail.

Domain authentication on SendGrid fixes both halves of DMARC at once: the em CNAME moves the Return-Path so SPF aligns, and the s1/s2 CNAMEs move DKIM signing onto your domain. That is more than DKIM-only ESPs can offer, and the whole flow lives under Settings > Sender Authentication.

record default the problem the fix
DKIM Without domain authentication, SendGrid signs mail as sendgrid.net. Single Sender Verification does not change that; it only verifies a From address. The DKIM d= domain never matches your From domain, DMARC alignment fails, and Gmail shows "via sendgrid.net" beside your sender name. Run Settings > Sender Authentication > Authenticate Your Domain and publish the two DKIM CNAMEs (s1._domainkey and s2._domainkey, pointing to hosts like s1.domainkey.u1234567.wl123.sendgrid.net); with automated security on, SendGrid rotates the keys behind the CNAMEs for you.
SPF The default Return-Path is a sendgrid.net address, so SPF passes against SendGrid's domain rather than yours. SPF without alignment contributes nothing to DMARC, and the bounce domain builds no reputation for your brand. The third CNAME from the same wizard (em1234.yourdomain.com pointing to u1234567.wl123.sendgrid.net) delegates a return-path subdomain to SendGrid, which publishes the SPF record there; with automated security on, do not add include:sendgrid.net to your root SPF.
DMARC The Authenticate Your Domain wizard hands you a _dmarc TXT record (v=DMARC1; p=none;), but publishing it is on you, and mail flows whether or not you do. Google and Yahoo require a DMARC record on bulk senders' From domains, and an enforcement policy (quarantine or reject) without aligned DKIM and SPF sends your own mail to spam. Publish v=DMARC1; p=none; with an rua reporting address at _dmarc.yourdomain.com, watch the reports while the CNAMEs settle, then tighten the policy once aligned sends run clean.
Link branding Click tracking rewrites every link through ct.sendgrid.net until you brand a link subdomain. ct.sendgrid.net has a documented phishing-abuse history and gets flagged by corporate URL filters, and the link domain never matches your From domain. In Settings > Sender Authentication, complete the Brand Your Links flow and publish its CNAMEs (a url1234 host plus a numeric host, both pointing to sendgrid.net) so tracked links resolve through your own subdomain.
// test your real sends

How to test a SendGrid campaign with Unspam.

SendGrid's test paths do not behave like production sends. Marketing Campaigns test emails go out with "Test -" prepended to the subject line and without live links, Email Testing previews render the message without a normal send, and the Email API's sandbox mode validates the payload without delivering anything. The only honest test is a real send to a seed address.

  1. 01

    Get your Unspam seed address

    Start a spam test or inbox placement test in Unspam and copy the test address it generates. Placement tests include seed addresses across Gmail, Outlook, Yahoo, Zoho, ProtonMail and AOL.

  2. 02

    Add the seed address as a SendGrid contact

    For Marketing Campaigns, go to Marketing > Contacts > Add Contacts, add the address manually, and keep seeds in their own list named something like Deliverability seeds. For the Email API, skip this step; the seed address goes straight into your recipient field.

  3. 03

    Send the real message, not a test

    Marketing Campaigns: build the Single Send exactly as it will go out, choose the seed list under Recipients, and use Send Immediately, not the test button. Email API: fire your production template through the same API call or SMTP route your app uses, with the seed as recipient and sandbox mode off.

  4. 04

    Read the results in Unspam

    Check the SpamAssassin-style spam score, the SPF, DKIM and DMARC verdicts on the live send (the DKIM d= domain should be yours via the s1/s2 selectors, the Return-Path your em subdomain), placement per provider, client previews and the AI eye-tracking heatmap. The AI fix assistant flags what to change before the real campaign.

  5. 05

    Check the Activity Feed if a seed never arrives, then re-test

    If the seed address ever bounced or filed a spam report, SendGrid drops the send silently; look for a Dropped event and remove only that one suppression. Apply fixes, send again to the same seed list, and compare runs. The free tier covers 10 spam tests, 10 previews, 10 heatmaps and 3 inbox placement tests per month with no card; paid plans start at $9 per month with a 14-day refund.

// platform gotchas

SendGrid features that quietly affect delivery.

Suppressed addresses are dropped without a bounce

A send to any address on Bounces, Spam Reports, or Global Unsubscribes produces a Dropped event in the Activity Feed and no email ever leaves SendGrid. Nothing warns you at send time. When a recipient or a seed address never got a message, check Suppressions before blaming spam filters.

Blocks and bounces behave differently

A bounce permanently suppresses an address; a block does not. Block events (deny lists, ISP blocks like Microsoft's S3140/S3150, content filtering) leave the address sendable, so the next campaign retries it. Useful for temporary IP trouble, but it means blocks never self-heal through suppression: read the Block Reason text and fix the underlying cause.

Test sends advertise themselves

Marketing Campaigns prepends "Test -" to the subject of every test email and does not enable live links, so the message that filters score is not the message customers receive. Inbox placement of a test send proves nothing either way. Validate with a real Single Send, or a production API call, to seed addresses.

Single Sender Verification is a testing shortcut, not authentication

It proves you control a From address; it signs nothing and aligns nothing. SendGrid's docs recommend against free-mailbox single senders (gmail.com, outlook.com) because Google, Yahoo, and Microsoft enforce DMARC on their own domains, so that mail gets junked or rejected. Anything production-facing needs domain authentication.

// FAQ

SendGrid deliverability, answered.

Why does Gmail show "via sendgrid.net" next to my sender name?

Your domain is not authenticated, so SendGrid signs the mail as sendgrid.net and Gmail flags the mismatch with the via label. Complete domain authentication under Settings > Sender Authentication; once the em and s1/s2 CNAMEs validate, the label disappears and your own domain starts building reputation.

Outlook suddenly rejects my mail with 550 5.7.1 and an S3140 or S3150 code. Did I break something?

Not necessarily. S3140 and S3150 are Microsoft IP blocks, and SendGrid has confirmed that recent waves hit reputable senders during Microsoft-side filtering changes. Check the sending IPs in Microsoft SNDS: if they show green while blocks accumulate, submit a delisting and support request at olcsupport.office.com with your domains, IPs, and the exact bounce text. If SNDS shows yellow or red, fix complaint and bounce sources first.

Will a dedicated IP get me out of the spam folder?

Usually not. Dedicated IPs come with Pro and Premier plans, and a fresh one is colder than any shared pool: zero history means throttling until weeks of warmup are done. Low or inconsistent volume on a dedicated IP performs worse than a healthy shared pool. Fix authentication, link branding, and list quality first; move to a dedicated IP for volume and control, not as a spam fix.

Can Unspam connect to my SendGrid account and test sends automatically?

No. Unspam does not integrate with the SendGrid API or any other ESP API. The workflow is manual by design: add Unspam's test address as a contact or API recipient, send a real message through your production path, and read the results in Unspam. That is the only way to test the exact mail, signature, and links your recipients receive.

Mail to some addresses never arrives and there is no bounce. Where did it go?

Almost certainly a suppression. SendGrid drops sends to addresses on Bounces, Spam Reports, and Unsubscribes without attempting delivery, and logs a Dropped event in the Activity Feed. Do not mass-delete the lists to fix it: re-mailing dead and complaining addresses is what damages reputation. Remove only addresses you can prove are valid and willing.

Is deliverability worse on SendGrid's cheaper plans?

The infrastructure gap is real but narrow. Essentials accounts send from shared IP pools, and SendGrid's defaults carry baggage: the free plan, long a favorite of spammers and account hijackers, was retired entirely in 2025, but sendgrid.net signing and ct.sendgrid.net links still tie you to that history. The fix is separation rather than upgrading: domain authentication and link branding move your reputation onto your own domain on any plan.

SendGrid platform details were verified against publicly available documentation in June 2026 and may have changed since. SendGrid is a trademark of its respective owner. Unspam is not affiliated with or endorsed by SendGrid.

// see where you land

Test your next SendGrid campaign before your subscribers do.

Start a free spam test → Inbox placement test