--- title: SendGrid Account Access Strategy type: article created: '2026-02-03' updated: '2026-02-03' source_docs: - raw/2026-02-03-weekly-call-w-sebastian-119341731.md tags: - sendgrid - integrations - email - access-management layer: 2 client_source: null industry_context: null transferable: true --- # SendGrid Account Access Strategy ## Overview When onboarding a new client's SendGrid account, request **full account login credentials** before attempting any API-based integration. Jumping straight to API access makes it difficult to understand the existing configuration and risks creating conflicts with existing sending infrastructure. ## The Pattern New clients often ask whether an API key is sufficient for integration work. It isn't — at least not initially. The correct sequence is: 1. **Request full account login credentials** from the client (a user login, not just an API key). 2. **Audit the existing configuration** — review authenticated domains, sender identities, DMARC/DKIM/SPF records, subusers, suppression lists, and any existing sending streams. 3. **Understand what's already in place** before making any changes or additions. 4. **Switch to API-only access** once the configuration is understood and a safe integration path is clear. > "We need to get in there and see what's going on first. That's hard to do with an API — it'd be like crawling around with your eyes closed. But once you know what's there, the API is faster." > — Mark Hope, 2026-02-03 ## Why This Matters: DMARC Conflicts Clients with established SendGrid accounts often have **DMARC policies and authenticated sending domains** already configured for other use cases (e.g., transactional email for existing products or other vendors). Adding a new sending stream via API without first auditing these records can: - Cause email authentication failures (DMARC rejection or quarantine) - Interfere with existing customer-facing email flows - Create duplicate or conflicting domain authentication entries The client's concern about "customer DMARC" in their SendGrid account is a signal that this infrastructure is already in active use and needs to be understood before touching it. ## Practical Notes - Ask for a **dedicated sub-user or team member login** rather than the primary account owner's credentials where possible. - Once inside, check: authenticated domains, IP pools, subusers, API keys already in use, and suppression/unsubscribe lists. - Document what you find before making any changes. - After the audit, API access is preferred for ongoing programmatic work — it's faster and more controllable. ## Related - [[clients/advanced-health-safety/_index]] — context for the SendGrid integration that prompted this discussion - [[meetings/2026-02-03-weekly-call-w-sebastian]] — source meeting