
How to Configure Firewall Settings for SendGrid Webhook and Inbound Parse IPs

Objective

You may be looking to restrict access to your Event Webhook or Inbound Parse Webhook endpoint by only allowing incoming connections from SendGrid. It’s common to consider using IP allowlisting for this purpose. While we understand the desire for this kind of security, we don’t recommend relying on IP allowlisting alone due to the dynamic nature of our infrastructure. Instead, we offer other options that are ultimately more secure and reliable for protecting your webhook endpoints.
 

Product

SendGrid Email 

 

Environment

SendGrid Console

 

User Account Permission/Role(s) Required 

All accounts have access to Event and Inbound Parse Webhooks

 

Procedure 

1. Use SendGrid’s Security Features

  • Event Webhook: Signed Event Webhook
    • Enable signature verification on your endpoint to confirm that incoming webhook payloads are genuinely from SendGrid.
  • Inbound Parse: Signed Inbound Parse Webhook
    • This cryptographically signs every payload you receive through Inbound Parse, so you can validate authenticity regardless of the sending IP.

We strongly encourage using these verification methods for security, rather than IP-based allowlists.
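As an added illustration (not code from this article or from SendGrid's libraries), the Node.js sketch below shows what signature verification for the Signed Event Webhook looks like on the receiving endpoint. It assumes details this page does not list: the signature and timestamp arrive in the two headers named in the code, the signature is base64-encoded ECDSA over the timestamp followed by the raw request body, and the verification key from the console is base64-encoded DER. The key pair and payload in demo() are constructed for the example.

```javascript
const crypto = require('crypto');

// Header names used by SendGrid's Signed Event Webhook (not listed on this page).
const SIG_HEADER = 'x-twilio-email-event-webhook-signature';
const TS_HEADER = 'x-twilio-email-event-webhook-timestamp';

// publicKeyB64: verification key copied from the SendGrid console, assumed to be
//   base64-encoded DER (SubjectPublicKeyInfo).
// rawBody: Buffer holding the exact bytes received, captured before JSON parsing.
// headers: request headers with lower-cased names, as Node's http module provides.
function verifySendGridSignature(publicKeyB64, rawBody, headers) {
  const signature = headers[SIG_HEADER];
  const timestamp = headers[TS_HEADER];
  if (typeof signature !== 'string' || typeof timestamp !== 'string') return false;
  if (!Buffer.isBuffer(rawBody)) return false; // a parsed object cannot be verified
  try {
    const key = crypto.createPublicKey({
      key: Buffer.from(publicKeyB64, 'base64'), format: 'der', type: 'spki',
    });
    // The signed input is the timestamp header value followed by the raw body.
    const signed = Buffer.concat([Buffer.from(timestamp, 'utf8'), rawBody]);
    return crypto.verify('sha256', signed, { key, dsaEncoding: 'der' },
      Buffer.from(signature, 'base64'));
  } catch (err) {
    return false; // malformed key or signature: reject the request
  }
}

// Constructed demo: a locally generated P-256 key pair stands in for SendGrid's.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const pubB64 = publicKey.export({ format: 'der', type: 'spki' }).toString('base64');
  const body = Buffer.from('[{"email":"user@example.com","event":"delivered"}]\r\n');
  const timestamp = '1700000000';
  const sig = crypto.sign('sha256', Buffer.concat([Buffer.from(timestamp), body]),
    { key: privateKey, dsaEncoding: 'der' }).toString('base64');
  const headers = { [SIG_HEADER]: sig, [TS_HEADER]: timestamp };
  const reparsed = Buffer.from(JSON.stringify(JSON.parse(body.toString())));
  return {
    genuine: verifySendGridSignature(pubB64, body, headers),
    reparsed: verifySendGridSignature(pubB64, reparsed, headers), // bytes changed
    otherTime: verifySendGridSignature(pubB64, body, { ...headers, [TS_HEADER]: '1700000001' }),
    unsigned: verifySendGridSignature(pubB64, body, {}),
  };
}
```

The reparsed case is the common integration mistake: a body parser that decodes and re-serializes the JSON changes the bytes, so verification must run on the raw request body.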
 

2. Capture and Verify Sender IP on Your Side 

If you want to track or audit where webhook traffic is coming from, you can log the sender IP address for each incoming request to your webhook endpoint.

You may optionally perform a reverse DNS lookup to check the origin. For example:

  • If you notice a request from 159.26.150.39, running dig -x 159.26.150.39 will show a result like outbound-mx.sendgrid.net.

Note: Attempting to rely on DNS lookups or reverse lookups as your main security layer is not recommended. Webhook traffic comes from scalable cloud infrastructure where IPs can change frequently, making this method unreliable and insecure as a primary defense. Signature verification offers much greater security and reliability.

 

Additional Information

We’re generally unable to provide static IP ranges for Event Webhook or Inbound Parse endpoints. Our services run on dynamic cloud infrastructure, where the underlying IPs can change frequently to ensure security, scalability, and reliability. As a result, relying on a static list of IPs may cause disruptions if or when those IPs rotate.
 

Domain whitelisting is not supported

While you may be able to whitelist by domain for standard API traffic, this approach does not work for webhook traffic. With webhooks, connections come from a variety of dynamic cloud servers, and the IP addresses behind these connections change frequently. Unlike traditional servers where you could look up a domain and get a consistent set of IP addresses, there’s no reliable command or method to discover or maintain a complete list of all possible IPs used for webhook delivery.

Below you will find references to useful documents:

If you need help enabling these features or have specific firewall questions, please contact our support team.
