Multiple DNS Issues with SendGrid

What is the name of the domain?

e.contactcenterpipeline.com

What is the error number?

NA

What is the error message?

NA

What is the issue you’re encountering

CNAME flattening is breaking SendGrid authentication and link branding

What steps have you taken to resolve the issue?

I reached out to SendGrid support, and they have escalated the issue. I’ve also tried turning flattening on/off and sending test messages to see if it affects the link branding wrapper.

The core problem appears to be that flattening needs to be turned off for authentication to work consistently, but flattening needs to be turned on for link branding to function correctly – based on case by case DNS entry. I haven’t been able to find any official documentation about this, aside from a brief mention in SendGrid’s link branding setup materials: “When configuring CNAME records in Cloudflare, check the bottom of the DNS settings page and make sure “CNAME Flattening” is set to “Flatten CNAME at root”.” Literally two months ago, I had to turn CNAME Flattening OFF because it was breaking my authentication.

What feature, service or problem is this related to?

DNS records

What are the steps to reproduce the issue?

NA

You need a DNS record for e. And you need to have the records associated with SendGrid set to DNS only.

1 Like

Thanks for your reply.
I do have a full set of DNS entries/authentication for e. and have all SendGrid DNS entries set to DNS only.

The problem is related to flattening. Late last year my Gmail delivery dropped from almost no blocks to 99%. This was attributed to the flattened DNS records. As soon as I turned it off, my blocks went away.

But now, my link branding is no longer working. SendGrid says this is because DNS flattening must be on. So apparently some records need to be flattened and others do not. I’m trying to figure out what to have flattened and what not.

Not in the Cloudflare account which has the active DNS zone. What are the nameservers listed in the DNS panel you’re looking at and what does the status at the top of the page next to the domain name say?

dig e.contactcenterpipeline.com

; <<>> DiG 9.10.6 <<>> e.contactcenterpipeline.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50309
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;e.contactcenterpipeline.com.	IN	A

;; AUTHORITY SECTION:
contactcenterpipeline.com. 1800	IN	SOA	gene.ns.cloudflare.com. dns.cloudflare.com. 2371442772 10000 2400 604800 1800

dig e.contactcenterpipeline.com CNAME

; <<>> DiG 9.10.6 <<>> e.contactcenterpipeline.com CNAME
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51870
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;e.contactcenterpipeline.com.	IN	CNAME

;; AUTHORITY SECTION:
contactcenterpipeline.com. 1800	IN	SOA	gene.ns.cloudflare.com. dns.cloudflare.com. 2371442772 10000 2400 604800 1800

Not based on the results being returned by Cloudflare DNS.

If they’d like to post diagnostic information to back up the assertion, then I’m sure someone in the community would be happy to review it.

At the moment for this issue e.contactcenterpipeline.com doesn’t resolve in Cloudflare DNS at all. So there’s nothing to flatten, nor a flattened response being returned. Please post the DNS entries you’ve created, along with the nameservers listed in the DNS zone, along with the zone status in Cloudflare.

1 Like

Appreciate the assistance. Thank you.

I should have been more clear in my initial post. When I said there are a ‘full set’ of DNS records for (e.) there are not. For context, we send mail from three domains: corporate: contactcenterpipeline.com; marketing: e.contactcenterpipeline.com; and web-notifications: n.contactcenterpipeline.com. We have the records for (e.) required by SendGrid.

Nameservers are: NS gene.ns.cloudflare.com and NS sid.ns.cloudflare.com
Status: Active

We are using the SendGrid marketing dashboard, not API. We have our DNS hosted with Cloudflare. All of our SendGrid entries have proxy turned off, therefore link-flattening is available to turn on/off.

I had also reached out to SendGrid to have SSL links enabled. I followed their documentation which included setting Proxy to ‘on’ and generated a new SSL cert for (e.). After this, SendGrid support enabled SSL wrapped links.

So at this point we have all SendGrid DNS set to Proxy.

This apparently caused havoc for our ESPs authentication. After hours of troubleshooting, I realized that when flattening is enabled, Cloudflare returns an IP address, not a domain name. I don’t know the specifics of which authentication protocols this breaks, but our delivery went from ~98% to ~40% – when I disabled flattening, it came right back.

So at this point, I had disabled proxy and flattening for all SendGrid records.

Then when testing an email, I realized that we no longer had ‘branded-links.’ This seemed too coincidental, but in the SendGrid dashboard, branded-links were enabled and showed “verified.”

The SendGrid documentation for branded-links, says:

When configuring CNAME records in Cloudflare, check the bottom of the DNS settings page and make sure “CNAME Flattening” is set to “Flatten CNAME at root”.

I have a total of 22 DNS records for SendGrid, across root and two subdomains. Apparently some of these records need to be proxied and some need to have flattening on and some off.

Below are the DNS records that I have related to e.contactcenterpipeline.com
I’ve bracketed numbers that I prefer not to post

A Records
o1.e.contactcenterpipeline.com. 1 IN A [111.11.111.111]
o2.e.contactcenterpipeline.com. 1 IN A [111.11.11.111]

CNAME Records
[111].e.contactcenterpipeline.com. 1 IN CNAME sendgrid.net. ;
[111]._domainkey.e.contactcenterpipeline.com. 1 IN CNAME
[111]._domainkey.e.contactcenterpipeline.com. 1 IN CNAME
[111]._domainkey.e.contactcenterpipeline.com. 1 IN CNAME
[111111].e.contactcenterpipeline.com. 1 IN CNAME [111111111.11111].sendgrid.net. ;
[111111].e.contactcenterpipeline.com. 1 IN CNAME sendgrid.net. ; sendgrid cf_tags=sendgrid,cf-proxied:false,cf-flatten-cname

** Update: today, working with SendGrid support, we seem to have the issue corrected. The “fix” was to turn Proxy on for the CNAME url7599.sendgrid.net. I haven’t had a lot of luck with SendGrid support in the past, so I’m trying to figure this out on my own.
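
As an added example (not written by any poster in this thread, nor by Cloudflare or SendGrid), the shell function below reads dig output like that posted above and reports whether a name returned no data, a visible CNAME, or only an address, which is what the thread describes a flattened record returning. The sample answers are constructed, and links.example.com and 192.0.2.10 are placeholders.

```shell
#!/bin/sh
# Added example: classify default-format dig output read from stdin.
classify_dig() {
    awk '
        /->>HEADER<<-/ {   # take the response code from the header line
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^$/ || /^;/ { in_answer = 0 }   # blank line or next section header
        in_answer && $4 == "CNAME" && cname == "" { cname = $5 }
        in_answer && ($4 == "A" || $4 == "AAAA") { addr++ }
        END {
            if (status == "NXDOMAIN")     print "NXDOMAIN"
            else if (status != "NOERROR") print "ERROR " status
            else if (cname != "")         print "CNAME " cname
            else if (addr > 0)            print "ADDRESS_ONLY"
            else                          print "NODATA"
        }'
}

# Constructed samples; links.example.com and 192.0.2.10 are placeholders.
sample_nodata() {     # same shape as the answers posted in the thread
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50309
;; AUTHORITY SECTION:
contactcenterpipeline.com. 1800 IN SOA gene.ns.cloudflare.com. dns.cloudflare.com. 2371442772 10000 2400 604800 1800
EOF
}
sample_cname() {      # DNS-only, not flattened: the alias is visible
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; ANSWER SECTION:
links.example.com. 300 IN CNAME sendgrid.net.
sendgrid.net. 300 IN A 192.0.2.10
EOF
}
sample_flattened() {  # flattened or proxied: only an address comes back
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; ANSWER SECTION:
links.example.com. 300 IN A 192.0.2.10
EOF
}

for s in sample_nodata sample_cname sample_flattened; do
    printf '%s -> %s\n' "$s" "$($s | classify_dig)"
done
```

Against a live zone, pipe the output of dig for each SendGrid record name into classify_dig; ADDRESS_ONLY on a name configured as a CNAME means the alias is being flattened or proxied.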
