Connection settings
- Host
- smtp.sendgrid.net
- Port
- 587
- Security
- STARTTLS
SendGrid's SMTP relay is at smtp.sendgrid.net on port 587 with STARTTLS (or port 465 with implicit TLS, or port 2525 as an alternative when 587 is blocked). Unlike most providers, the SMTP username is the literal string apikey — not your email address — and the password is a SendGrid API key that has the "Mail Send" permission enabled.
Recommended settings
- Host:
smtp.sendgrid.net - Port: 587 (STARTTLS), 465 (TLS), or 2525 (STARTTLS fallback)
- Username:
apikey(the exact string, all lowercase) - Password: your SendGrid API key with Mail Send permission
- Auth method: Auto, PLAIN, or LOGIN
- From address: must match a verified Sender Identity or authenticated domain
Creating an API key for SMTP
- Log in to the SendGrid dashboard.
- Go to Settings → API Keys → Create API Key.
- Name the key (e.g. "SMTP Tester") and select "Restricted Access".
- Under Mail Send, enable "Mail Send" (the only permission SMTP needs).
- Click Create & View. Copy the key immediately — SendGrid only shows it once.
- Use this key as the SMTP password. The username is always
apikey.
Do not use your SendGrid account password or your Twilio master account password — those will not authenticate over SMTP.
Testing with SMTP Tester
- Set host to
smtp.sendgrid.net, port 587, security STARTTLS. - Username:
apikey. Password: paste your API key. - From: an address on a domain you have verified in SendGrid (Sender Authentication).
- To: any recipient (or your own address to verify delivery).
- Click Run. A successful test shows
235 Authentication successfulfollowed by250 Okwith a message ID after DATA.
Common errors
535 "Authentication failed" / "basic authentication is not allowed"
The most frequent SendGrid SMTP error. Causes:
- Wrong username: the SMTP username must be the literal string
apikey, not your email address or Twilio SID. - Wrong password: the password must be a SendGrid API key (starts with
SG.), not your account login password. - 2FA on the SendGrid account: once Two-Factor Authentication is enabled, basic username/password login is blocked. You must use an API key instead — which is the correct approach anyway.
- Key lacks Mail Send permission: if the API key was created with restricted access but "Mail Send" was not enabled, authentication succeeds but sending fails. Recreate the key with the correct scope.
- Truncated key: SendGrid API keys are long (~69 characters). If your client or config file truncated it, auth will fail. Paste the full key.
550 "The from address does not match a verified Sender Identity"
Authentication worked, but SendGrid rejected the message because the From address is not authorized. Fix: go to Settings → Sender Authentication and either verify the exact email address as a Single Sender, or authenticate the full domain via DNS (CNAME records).
451 "Temporarily unavailable, please try again"
SendGrid is throttling or rate-limiting the connection. Causes include exceeding your plan's hourly/daily sending rate, or the account being flagged for review. Check your SendGrid dashboard for alerts.
Connection timeout on port 587
Some networks and cloud providers block outbound port 587. SendGrid also accepts SMTP on port 2525 (STARTTLS) and port 465 (implicit TLS). Switch to one of those if 587 times out.
Sender Authentication (required)
SendGrid requires that the "From" address is authorized before it relays mail. Two options:
- Domain Authentication (recommended): add three CNAME records to your DNS. This sets up DKIM signing and makes your domain the envelope sender, improving deliverability.
- Single Sender Verification: verify an individual email address by clicking a confirmation link. Acceptable for testing but not recommended for production.
Without either, SendGrid responds with a 550 after AUTH even though the credentials are valid.
SendGrid sending limits
Limits vary by plan:
- Free tier: 100 emails per day.
- Essentials: 100K per month (higher daily burst).
- Pro / Premier: up to millions per month depending on tier.
Exceeding limits results in 451 temporary rejections or queued mail. Check the Activity Feed in the SendGrid dashboard to track delivery status.
API key vs SMTP credentials
SendGrid does not issue separate "SMTP credentials" like some providers. The same API key used for the REST API (v3 Mail Send) also works for SMTP — just use apikey as the username. If you see references to "SMTP credentials" in legacy docs or forum posts, they are referring to the old username/password system that has been deprecated. Always use an API key.
Security notes
- Never commit API keys to version control. Use environment variables or a secrets manager.
- Rotate keys regularly and revoke unused ones in the SendGrid API Keys settings.
- SMTP Tester redacts your password from the live transcript, so screenshots are safe to share.
- Use the most restrictive API key scope possible — "Mail Send" only for SMTP.