Can SendGrid provide IP ranges to whitelist Webhook and Inbound Parse for firewall settings?

Objective

You may be looking to restrict access to your Event Webhook or Inbound Parse Webhook endpoint by only allowing incoming connections from SendGrid. It’s common to consider using IP allowlisting for this purpose. While we understand the desire for this kind of security, we don’t recommend relying on IP allowlisting alone due to the dynamic nature of our infrastructure. Instead, we offer other options that are ultimately more secure and reliable for protecting your webhook endpoints.

Product

Twilio Email (SendGrid)

User Account Permission/Role(s) Required 

All accounts have access to Event and Inbound Parse Webhooks.

Information

Why we don’t provide fixed IP addresses

We’re generally unable to provide static IP ranges for Event Webhook or Inbound Parse endpoints. Our services run on dynamic cloud infrastructure, where the underlying IPs can change frequently to ensure security, scalability, and reliability. As a result, relying on a static list of IPs may cause disruptions if or when those IPs rotate.

Domain whitelisting is not supported

While you may be able to whitelist by domain for standard API traffic, this approach does not work for webhook traffic. With webhooks, connections come from a variety of dynamic cloud servers, and the IP addresses behind these connections change frequently. Unlike traditional servers where you could look up a domain and get a consistent set of IP addresses, there’s no reliable command or method to discover or maintain a complete list of all possible IPs used for webhook delivery.

Solutions & Best Practices

1. Use SendGrid’s Security Features:

  • Event Webhook: Signed Event Webhook
    • Enable signature verification on your endpoint to confirm that incoming webhook payloads are genuinely from SendGrid.
  • Inbound Parse: Signed Inbound Parse Webhook
    • This cryptographically signs every payload you receive through Inbound Parse, so you can validate authenticity regardless of the sending IP.

We strongly encourage using these verification methods for security, rather than IP-based allowlists.

2. Capture and Verify Sender IP on Your Side: If you want to track or audit where webhook traffic is coming from, you can log the sender IP address for each incoming request to your webhook.

You may optionally perform a reverse DNS lookup to check the origin. For example:

  • If you notice a request from 159.26.150.39, running dig -x 159.26.150.39 will show a result like outbound-mx.sendgrid.net.

Keep in mind: Attempting to rely on DNS lookups or reverse lookups as your main security layer is not recommended. Webhook traffic comes from scalable cloud infrastructure where IPs can change frequently, making this method unreliable and insecure as a primary defense. Signature verification offers much greater security and reliability.
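The following Node.js sketch shows what receiver-side verification of a Signed Event Webhook request looks like. It is an added example, not code from SendGrid or its helper libraries. It assumes the signature and timestamp arrive in the X-Twilio-Email-Event-Webhook-Signature and X-Twilio-Email-Event-Webhook-Timestamp headers, that the signature is base64-encoded ECDSA over the timestamp followed by the raw request body, and a 300-second replay window chosen for this example; the key pair and payload in demo() are constructed.

```javascript
const crypto = require("node:crypto");

// Header names as Node.js exposes them (lowercased) on req.headers.
const SIG_HEADER = "x-twilio-email-event-webhook-signature";
const TS_HEADER = "x-twilio-email-event-webhook-timestamp";
const MAX_AGE_SECONDS = 300; // assumption: replay window chosen for this example

// publicKeyB64: the base64 verification key issued when the signed webhook is enabled.
// rawBody: the request body bytes exactly as received (never re-serialized JSON).
function verifyWebhook(publicKeyB64, headers, rawBody, nowSeconds = Date.now() / 1000) {
  const signature = headers[SIG_HEADER];
  const timestamp = headers[TS_HEADER];
  if (!signature || !timestamp) return false;

  // Reject stale or non-numeric timestamps to limit replay of captured requests.
  const age = Math.abs(nowSeconds - Number(timestamp));
  if (!Number.isFinite(age) || age > MAX_AGE_SECONDS) return false;

  try {
    const key = crypto.createPublicKey({
      key: Buffer.from(publicKeyB64, "base64"),
      format: "der",
      type: "spki",
    });
    // The signed message is the timestamp string followed by the raw body bytes.
    const signed = Buffer.concat([Buffer.from(timestamp, "utf8"), Buffer.from(rawBody)]);
    return crypto.verify("sha256", signed, key, Buffer.from(signature, "base64"));
  } catch {
    return false; // malformed key or signature encoding
  }
}

// Constructed demo: a throwaway P-256 key pair stands in for the real signing key.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  const publicKeyB64 = publicKey.export({ format: "der", type: "spki" }).toString("base64");
  const body = Buffer.from('[{"email":"user@example.com","event":"delivered"}]\r\n');
  const now = 1700000000;
  const ts = String(now);
  const sig = crypto.sign("sha256", Buffer.concat([Buffer.from(ts), body]), privateKey).toString("base64");
  const headers = { [SIG_HEADER]: sig, [TS_HEADER]: ts };
  return {
    genuine: verifyWebhook(publicKeyB64, headers, body, now),
    tampered: verifyWebhook(publicKeyB64, headers, Buffer.from("[]"), now),
    replayed: verifyWebhook(publicKeyB64, headers, body, now + 3600),
    unsigned: verifyWebhook(publicKeyB64, {}, body, now),
  };
}
```

In a real handler, capture the body before any JSON middleware parses it, since verification only succeeds against the exact bytes that were signed.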


Additional Information

If you need help enabling these features or have specific firewall questions, please contact our support team.
