Early access. This feature is in early access, which means it’s undergoing ongoing testing and development while we gather feedback, validate functionality, and improve outputs. Contact the C1 Support team if you’d like to try it out or share feedback.
By default, C1 sends notifications from no-reply@conductorone.com. You can instead send through your own Twilio SendGrid account so recipients see your company’s domain as the sender. This task requires the Super Admin role in C1 and an Admin-level account in SendGrid. C1 authenticates to SendGrid via a scoped API key with the Mail Send permission. No SMTP credentials or user passwords are shared, and you can revoke access at any time by deleting the API key.

Before you begin

Configure SPF, DKIM, and DMARC for your sending domain by following SendGrid’s domain authentication guide before proceeding.
You’ll need:
  • A SendGrid account with API access (all paid plans; the Free plan’s API access is sufficient for low volume).
  • Admin-level access in SendGrid to create API keys and authenticate domains.
  • Access to your DNS provider to publish CNAME records.

Step 1: Verify a sending identity

SendGrid requires every email to be sent from a verified identity. You have two options:

Option A — Single Sender Verification (for testing only)

Fastest way to send from one address, with no DNS changes required.
1. Sign in to app.sendgrid.com.
2. Navigate to Settings > Sender Authentication > Single Sender Verification > Create New Sender.
3. Fill in the sender details (from name, from email, reply-to, company address).
4. Click Create. SendGrid sends a verification email to the sender address.
5. Click the verification link in that mailbox. The sender status becomes Verified.

Emails through this sender work immediately, but deliverability will be poor because SendGrid can’t sign with your domain’s DKIM. Use this only for initial testing — switch to Option B before going to production.

Option B — Domain Authentication

Authenticates your entire domain so every address on it can send, with proper SPF/DKIM alignment.
1. Navigate to Settings > Sender Authentication > Authenticate Your Domain > Get Started.
2. Select your DNS host (for example, AWS Route 53, Cloudflare) and choose whether you want SendGrid to also handle link branding (recommended: yes).
3. Enter your domain (for example, yourcompany.com). SendGrid displays 3–5 CNAME records to publish at your DNS provider.
4. Publish each CNAME record exactly as shown at your DNS provider. Host names are typically of the form s1._domainkey.yourcompany.com, em1234.yourcompany.com, etc.
5. Back in SendGrid, click Verify. If DNS has propagated, all records show a green check. If not, wait a few minutes and retry.
Once the domain is authenticated, you can send from any address on it without per-address verification.

Step 2: Create a scoped API key

Create a restricted API key that grants C1 only the Mail Send permission. This limits exposure if the key is ever compromised.
1. In SendGrid, navigate to Settings > API Keys > Create API Key.
2. Fill in:
  • API Key Name: C1 Email Sender (or similar).
  • API Key Permissions: select Restricted Access.
3. In the permissions list, set every scope to No Access except Mail Send, which should be set to Full Access.
4. Click Create & View.
5. Immediately copy the API key — SendGrid will not show it again after you leave the page. You’ll paste it into C1 in Step 3.
Why Restricted Access? A Full Access API key can also read mail activity, manage templates, edit senders, and modify billing. If the key leaks, Restricted Access limits the exposure to mail sending only, rather than full SendGrid tenant access.

Step 3: Configure the email provider in C1

Enter your verified sender and API key in C1 to activate the integration.
1. In C1, navigate to Settings > Email provider.
2. Click Edit.
3. Select Customer provided.
4. In Email service, select SendGrid.
5. Fill in the fields:
  • Sender name: The display name recipients see (for example, Governance Team).
  • Sender email address: A verified sender from Step 1. Must match exactly — either a verified Single Sender or any address on an authenticated domain.
  • Reply-to address: Usually the same as the sender address.
  • SendGrid API key: The key value you copied in Step 2.
6. Click Save.
When you save, C1 validates the API key by calling SendGrid’s GET /v3/scopes endpoint. If the key is missing, wrong, or lacks the Mail Send permission, save fails with a clear error and your previous configuration is preserved.
Sender must match a SendGrid-verified identity. The Sender email address must be either a verified Single Sender (exact match) or any address on a domain you’ve authenticated (Option B). SendGrid rejects sends from unverified senders with a 403 error.
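
The save-time scope check described above can be reproduced by hand before you paste the key into C1, which also confirms the key from Step 2 carries nothing beyond Mail Send. This is an added example, not C1's or SendGrid's code: `audit_scopes`, its `allowed_extra` parameter and the sample responses are constructed for illustration.

```python
import json
import urllib.request

SCOPES_URL = "https://api.sendgrid.com/v3/scopes"
MAIL_SEND = "mail.send"  # scope granted by the Mail Send permission

def parse_scopes(body):
    """Extract the scope list from a /v3/scopes JSON body."""
    scopes = json.loads(body).get("scopes")
    if not isinstance(scopes, list) or not all(isinstance(s, str) for s in scopes):
        raise ValueError("unexpected /v3/scopes response shape")
    return scopes

def fetch_scopes(api_key):
    """Live lookup (needs network). A revoked or wrong key raises HTTPError."""
    req = urllib.request.Request(
        SCOPES_URL, headers={"Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_scopes(resp.read())

def audit_scopes(scopes, allowed_extra=()):
    """Report whether the key can send mail and what else it can do.
    allowed_extra is a hypothetical allowlist for scopes you have reviewed."""
    present = set(scopes)
    extra = sorted(present - {MAIL_SEND} - set(allowed_extra))
    can_send = MAIL_SEND in present
    return {"can_send": can_send, "extra_scopes": extra,
            "least_privilege": can_send and not extra}

# Constructed sample responses, not captured from a real account.
RESTRICTED = '{"scopes": ["mail.send"]}'
OVERBROAD = ('{"scopes": ["mail.send", "templates.read", '
             '"api_keys.create", "billing.read"]}')
NO_SEND = '{"scopes": ["templates.read"]}'

if __name__ == "__main__":
    for name, body in [("restricted", RESTRICTED), ("overbroad", OVERBROAD),
                       ("no mail.send", NO_SEND)]:
        print(name, audit_scopes(parse_scopes(body)))
```

Any entry in `extra_scopes` is a permission the integration does not need; recreate the key rather than accepting it.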

Step 4: Verify

Send a test message to confirm C1 can send through SendGrid and that your email authentication records are passing.
1. On the Email provider page, click Send test.
2. Enter your own email address and click Send test.
3. Check your inbox. View the raw headers (in Gmail: ⋮ → Show original) and confirm SPF: PASS, DKIM: PASS with your domain as signer (only if you completed Option B in Step 1), DMARC: PASS.
4. If the message does not arrive, check the spam folder and your SendGrid Activity Feed (Activity > Email Activity) for delivery status and error details.
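
The header check in step 3 can be scripted against a saved copy of the test message. This is an added example, not part of C1 or SendGrid: `check_delivery`, its parameters and both sample headers are constructed, and `OPTION_A` is an assumed illustration of a Single Sender message signed with SendGrid's domain instead of yours.

```python
import re
from email import message_from_string

def auth_results(raw_message, trusted_authserv):
    """Yield (method, result, props) from Authentication-Results headers added
    by the receiving server we trust; any other copy could be sender-supplied."""
    msg = message_from_string(raw_message)
    for header in msg.get_all("Authentication-Results", []):
        text = re.sub(r"\([^)]*\)", "", header)  # drop parenthesised comments
        authserv, *clauses = [part.strip() for part in text.split(";")]
        if authserv.lower().split()[:1] != [trusted_authserv.lower()]:
            continue
        for clause in clauses:
            m = re.match(r"(\w+)=(\w+)(.*)", clause, re.S)
            if m:
                props = dict(re.findall(r'([\w.]+)="?([^\s"]+)', m.group(3)))
                yield m.group(1).lower(), m.group(2).lower(), props

def under(domain, expected):
    """True for the domain itself or a subdomain, not a lookalike suffix."""
    d = domain.lower().rstrip(".")
    return d == expected or d.endswith("." + expected)

def check_delivery(raw_message, expected_domain, trusted_authserv="mx.google.com"):
    verdict = {"spf": False, "dkim_own_domain": False, "dmarc": False}
    for method, result, props in auth_results(raw_message, trusted_authserv):
        if result != "pass":
            continue
        if method in ("spf", "dmarc"):
            verdict[method] = True
        elif method == "dkim":  # Gmail reports the signer as header.i=@domain
            signer = props.get("header.d") or props.get("header.i", "").rpartition("@")[2]
            verdict["dkim_own_domain"] |= under(signer, expected_domain.lower())
    return verdict

# Constructed sample headers, not captured from real messages.
OPTION_B = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@yourcompany.com header.s=s1 header.b=AbCd1234;
       spf=pass (google.com: domain of bounces@em1234.yourcompany.com designates 192.0.2.10 as permitted sender) smtp.mailfrom=bounces@em1234.yourcompany.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yourcompany.com
"""
OPTION_A = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@sendgrid.net header.s=smtpapi header.b=AbCd1234;
       spf=pass smtp.mailfrom=bounces@sendgrid.net;
       dmarc=fail header.from=yourcompany.com
"""
```

Set `trusted_authserv` to the identifier your own mail provider stamps; `mx.google.com` is what Gmail writes and is only the default here.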