Email Security, Authentication & Cybersecurity Assurance
Enreach Outbound uses Twilio SendGrid as its email delivery infrastructure. SendGrid is one of the world's most widely trusted email platforms, processing hundreds of billions of emails per year for enterprises, governments, and regulated industries globally.
This guide explains why the SendGrid API Key authentication model used by Enreach Outbound is secure, and outlines the certifications, protocols, and cybersecurity controls that underpin the platform.
What is SendGrid?
SendGrid, now part of Twilio, is a cloud-based email delivery platform founded in 2009 and trusted by over 80,000 businesses worldwide β including major financial institutions, healthcare organisations, and government agencies. It handles both transactional email (automated notifications, confirmations) and marketing communications at enterprise scale.
Enreach Outbound integrates SendGrid as its SMTP relay and email API layer. This means that when the Enreach Outbound platform sends emails on behalf of customers, those emails are routed through SendGrid's global infrastructure β benefiting from its deliverability expertise, security controls, and compliance certifications.
Why a dedicated email delivery platform?
Using a specialised email delivery service like SendGrid is a recognised industry best practice. It offloads complex security, compliance, and deliverability concerns to a dedicated provider with the scale and expertise to manage them continuously β rather than relying on a generic mail server or in-house SMTP configuration.
How SendGrid authentication works
1 . API Key Authentication β The Primary Method
Enreach Outbound connects to SendGrid using API Key authentication, delivered as a Bearer token. This is the recommended and most secure authentication method available on the platform.
Here is how it works in practice:
- A unique API key is generated within the SendGrid platform and scoped to specific permissions (e.g., email sending only β no access to billing, account settings, or contact lists).
- The key is stored securely as an environment variable, never embedded in code or configuration files.
- All API calls authenticate by passing this key in an HTTP Authorization header over an encrypted TLS connection.
- If a key is compromised, it can be revoked and replaced instantly β without changing any passwords or disrupting the broader account.
API keys can be granted granular, least-privilege access:
- Full Access β all sending and management endpoints
- Custom Access β restricted to specific functions (e.g., send-only)
- Billing Access β isolated to billing management only
Billing API access is always managed via a separate key, ensuring that email-sending credentials cannot be used to access financial data.
2 Two-Factor Authentication (2FA / MFA) on the Account
SendGrid requires Two-Factor Authentication (2FA) for all user accounts on the platform. This applies to all logins, including account administrators and sub-users. Once 2FA is enabled:
- Basic username/password login is disabled for API access β API keys must be used instead.
- Console access requires a second factor (SMS code or authenticator app).
- Security-sensitive actions (such as modifying 2FA settings) require re-verification.
This means the SendGrid account itself is protected by MFA, directly addressing the concern raised about multi-factor authentication.
3. Single Sign-On (SSO) Support
For organisations requiring centralised identity management, SendGrid supports SAML 2.0-based Single Sign-On with providers including Microsoft Azure Active Directory and Okta. This allows enterprise security teams to manage SendGrid access through their existing identity provider, enforce MFA policies centrally, and audit access in their own systems.
SendGrid API key authentication vs. OAuth2 for Microsoft SMTP
Some customers are concerned that basic SMTP authentication bypasses MFA and that Microsoft will deprecate basic SMTP auth in H2 2027. These are valid points β but they apply to standard username/password SMTP authentication, not to the SendGrid model.
Feature | Basic SMTP Authentication | SendGrid API Key Authentication |
|---|---|---|
Protects account with MFA | No β basic SMTP bypasses MFA by design | Yes β 2FA required on account; API key scoped separately |
Credential scope | Full account credentials used for sending | Scoped API key β send-only access possible |
Credential revocation | Requires password change (disruptive) | Instant key revocation with no account disruption |
Affected by Microsoft deprecation (H2 2027) | Yes β basic SMTP auth will be blocked | No β independent of Microsoft SMTP |
Encrypted in transit | TLS required (varies by client) | TLS enforced end-to-end |
Audit trail | Limited | Full email activity log per sending event |
Granular permissions | None | Yes β per-key permission scoping |
SSO / identity provider integration | Via Microsoft only | Azure AD, Okta, SAML 2.0 |
Email authentication standards: SPF, DKIM & DMARC
Beyond account-level authentication, SendGrid implements the three pillars of modern email authentication β SPF, DKIM, and DMARC β which protect against email spoofing, phishing, and domain impersonation.
1. SPF (Sender Policy Framework)
SendGrid configures SPF records on the sending domain. SPF publishes a list of authorised sending IP addresses in DNS. When a receiving mail server gets an email, it checks that the sending server's IP is on that list. Emails from unauthorised servers are flagged or rejected.
2. DKIM (DomainKeys Identified Mail)
DKIM cryptographically signs every outgoing email with a private key. The corresponding public key is published in DNS. Receiving servers verify the signature to confirm that the email was genuinely sent from the authorised platform and that its content has not been tampered with in transit.
SendGrid's Automated Security feature manages DKIM signing automatically, rotating keys and maintaining DNS records on the sender's behalf β removing the risk of manual misconfiguration.
3. DMARC (Domain-based Message Authentication, Reporting & Conformance)
DMARC builds on SPF and DKIM by specifying a policy for what receiving servers should do with emails that fail authentication β options include quarantine (send to spam) or reject (block entirely). SendGrid generates and manages DMARC records as part of domain authentication setup.
Together, SPF, DKIM, and DMARC form the industry-standard defence against email spoofing and ensure that recipients can trust that emails from the sending domain are genuine.
Transport security: Enforced TLS
All email transmitted through SendGrid is encrypted in transit using TLS (Transport Layer Security). SendGrid supports configurable Enforced TLS settings, which can require that:
- Recipient servers must support TLS 1.1 or higher to receive email β messages are not delivered in plaintext fallback.
- Recipient servers must present a valid TLS certificate.
- Minimum TLS version can be enforced (TLS 1.1, 1.2, or 1.3).
This means that sensitive emails are never transmitted unencrypted, even if a receiving server attempts a plaintext negotiation β the message is blocked rather than sent insecurely.
Access controls & IP management
1. IP Access Management
SendGrid provides IP allowlisting for account access. Administrators can restrict login and API access to specific IP addresses or ranges, ensuring that account management can only occur from approved network locations.
2. Dedicated IP Addresses
Higher-tier SendGrid accounts can use dedicated IP addresses for email sending. This means the sending IP belongs exclusively to that customer β reputation is not shared with other senders, and IP-level filtering or allowlisting by receiving organisations is straightforward.
3. Teammates & Role-Based Access
SendGrid supports role-based access control through its Teammates feature. Multiple users can be added to an account with individually scoped permissions, and each Teammate must configure their own 2FA. Access can be revoked per user without affecting others.
Compliance & certifications
SendGrid (Twilio) maintains a range of compliance certifications relevant to enterprise and regulated-sector customers:
- PCI-DSS Compliant β SendGrid is PCI-DSS certified and can provide a certificate upon request. No payment card data is stored within the email platform.
- SOC 2 Type II β Twilio/SendGrid holds SOC 2 Type II certification, demonstrating independently audited controls over security, availability, and confidentiality.
- ISO 27001 β Twilio maintains ISO 27001 certification across its infrastructure, covering information security management.
- GDPR β SendGrid supports GDPR compliance obligations, including data processing agreements and EU-region data residency options for applicable plan tiers.
Note: SendGrid does not position itself as a HIPAA-eligible service for Protected Health Information transmission. For organisations with HIPAA obligations, additional measures at the application layer are required.
Monitoring, logging & incident reponse
SendGrid provides comprehensive visibility into all email activity through its Email Activity Feed and detailed event logs. For each email sent, the following events are tracked and queryable:
- Processed β email accepted by SendGrid
- Delivered β email accepted by the recipient server
- Bounced β delivery failed, with reason code
- Opened / Clicked β recipient engagement (where tracking is enabled)
- Spam reports β recipient flagged the message
- Blocked / Dropped β email suppressed before sending
This audit trail provides full accountability for every message sent through the platform and supports security investigations, compliance reporting, and deliverability troubleshooting.
In the event of a security incident, SendGrid has a documented Compromised Account Recovery process and can assist with forced password resets and key revocation. Twilio maintains a public security incident response process and communicates transparently through its status page.
Enreach Outbound's use of SendGrid provides a robust, enterprise-grade email security posture. The API Key authentication model is designed specifically to avoid the weaknesses of basic SMTP authentication β including MFA bypass β while offering granular control, instant revocability, and a comprehensive audit trail.