Subuser Deep Dive: Demystifying Twilio SendGrid Account StructureJustin Foulk
When it comes to setting up your Twilio SendGrid email account structure, there’s a lot to consider. And we take pride in creating a nimble environment where senders have the freedom to build their email platforms in many different ways.
However, sometimes, this freedom and flexibility can become overwhelming, as there are many ways to build a multiple-email stream program that aligns with email best practices. For example, you’ll have to consider how you want to manage your recipient address suppressions, how you want to grant other team members access to further build and manage these email streams, or how you want to authenticate your sending domain, link branding records, and reverse DNS records.
So where do you start? The first step is knowing how parent accounts and subuser accounts function.
In this post, we’ll share insights to help you understand your SendGrid accounts just a little bit better and how to get the most out of them.
Parent and subuser account similarities and differences
When you first sign up for a SendGrid email account, the first account type that you gain access to is what we call your parent account. The parent account is an admin-level account that allows you to:
- Add IP addresses
- View and download past invoices
- Opt into other SendGrid features and tools
- Create additional subuser accounts
Creating subuser accounts (or stand-alone SendGrid accounts) under the parent account is a great way to organize and manage your various email streams in a simplified and effective way. This creates cleaner data so that you can manage your streams with confidence and better optimize your email stream’s reputation. However, be sure to keep your parent account as an admin account (or shell) and not use it to send. You’ll want to leave the email sending up to the subuser accounts.
The illustration above provides a great example of how you can begin to formulate siloes with your account management of multiple email streams. In this example, the parent account acts as the shell to add and allocate IP addresses, create and manage new subuser accounts, manage billing preferences and account features, and more.
However, you’ll notice that email sending is left to the subusers to send out the marketing and transactional email streams. In other words, each subuser account acts as a self-contained environment. So nothing gets shared between subusers other than the total email credits allotted on the account—and the same thing applies to the parent account and subuser accounts as well.
Not to mention, the beauty in this example is that you have one API key per email stream. And since each account has unique API keys to send email or execute other API calls, you don’t have one API key for multiple streams within a single account. For example, you can have a dedicated transactional API key and then a separate marketing API key.
This design also benefits a sender’s use of our Event Webhooks and data ingestion, as each subuser account will have a webhook feedback endpoint post URL. This means senders won’t need to sift through marketing and transactional data in one webhook endpoint to understand (internally) how their email streams perform. So in effect, creating subuser accounts is virtually limitless, allowing you to get as differentiated and granular as you need to in siloing your email streams.
Recipient address suppression management
When we say that each account is self-contained, that also includes your suppression lists. That means you can find permanent suppressions like hard bounces, unsubscribes, spam reports, and invalid email addresses stored individually within each SendGrid account.
Going back to the example in the previous illustration, having 2 separate subuser accounts (e.g., transactional and marketing) allows for a siloed suppression management approach. So if a sender sends to a recipient from their marketing subuser account and the recipient unsubscribes or maybe even marks the email as spam, the sender can still send to the recipient using the transactional subuser account. That’s crucial, especially if the recipient expects to receive a receipt email or password reset email (mission-critical emails) from the same sender.
Another great example of this is if you’re a marketing automation platform that has customers who send email and you’ve built yourself on top of SendGrid’s infrastructure. Creating a customer-per-subuser-account approach (screenshot below) makes it so that a recipient no longer receives email from Customer A but still receives email from Customer B and Customer C.
Managing account access for team members
Account security is critical when you’re a large-scale sender with many team members needing access to your email platform. That’s what’s so great about SendGrid, as it gives various options to structure your account security.
For example, our platform provides you with the ability to enhance your account security through the use of our Teammates feature. You can access this tool within any account under Settings → Teammates. In addition, every established teammate has the choice to either access their accounts via a unique password or our single sign-on or SSO (screenshot below).
However, keep in mind that when adding teammates, it’s best to only allow parent account teammate access to the program admins who oversee the email program. Otherwise, anyone can view and access subuser accounts created under the parent account. And depending on whether you establish teammate access via a unique password or SSO, you also can either provide them with complete admin access to any account or restricted access, where you can pick and choose what features and settings they have visibility into and control over.
Again, let’s take the previous example of the architecture illustration of one marketing subuser account and a separate transactional subuser account. If you have a marketing team that only needs access to the one marketing subuser but not the transactional subuser, create their teammate access directly on the marketing subuser. This way, the marketing team won’t have visibility or access to the parent account or the other transactional subuser account. They’ll only be able to access and manage the marketing subuser account assigned to them.
Generating and authenticating domain, links branding, and reverse DNS records
When sending emails that align with best practices, it’s essential to ensure that you’ve:
- Generated and authenticated your sending domains
- Wrapped your links within your content
- Associated your domain with the IPs sending your email
To establish these foundational steps, you can either create these on subuser accounts or the parent account—there are pros and cons to each approach. For starters, only individuals with access to the parent account can generate a reverse DNS record to connect your sending domain to the IP address on the account, not subusers.
And since the parent account is the only account to add and assign IP addresses out, it also makes sense to only have the parent account generate reverse DNS records for a domain host. The screenshot below illustrates the Sender Authentication page within a parent account that includes the reverse DNS. In other words, you won’t see the reverse DNS section in the Sender Authentication section within a subuser account.
On the other hand, both parent and subuser accounts can generate domain authentication and link branding records—and there are pros and cons of creating both. Let’s begin with the pros and cons of creating the domain authentication and link branding records directly on the parent account.
The main pro for creating the domain authentication and link branding records in the parent account is that you can assign these records to multiple subuser accounts. This is especially beneficial if you want to use the same sending domain and link brandings across multiple subuser accounts without having to regenerate more records to authenticate.
You also have the luxury of managing all the DNS records in one account rather than sifting through multiple accounts to manage them. Plus, you can assign domain authentication and link branding records to subusers by either selecting Assign to a subuser in the record creation process (screenshot below) or through accessing the settings of a particular subuser via the Subuser Management link within the Settings section of the parent account (screenshot below).
Record creation process
Subuser management assignment
However, the primary con in this approach is that you can only assign one instance of domain authentication and one instance of link branding to an individual subuser account at a time. So if you’re a sender who needs to send with multiple sending domains out of one account, this approach isn’t for you.
Alternatively, you can create the domain authentication and link branding records directly in subuser accounts. The pro to this approach is that every SendGrid account has the capacity to generate up to 1500 unique domain authentication and link branding records. So if you’re a sender who needs to send from multiple sending domains within one account, you can do just that. You’re not limited to just having one assigned domain authentication record and link branding record from the parent account.
The con to this approach is that only the subuser account that created any domain authentication and link branding records can manage them. In other words, you’ll need to regenerate those records and make them unique to authenticate them in another subuser account if you want to use the same sending domain in multiple subuser accounts.
Build reliable, scalable email programs with Twilio SendGrid
Now that you understand how Twilio SendGrid email accounts work, you’re ready to build a reliable and scalable email program. Our infrastructure allows flexibility and creativity in building a truly customizable email program—but don’t worry, we’re here to guide you.
Need help standing up a brand-new email program or optimizing an existing email program on Twilio SendGrid, our Professional Services team is here for you. Reach out to your Twilio Account Executive or Customer Success Manager to discuss options today!