Receive Emails with SendGrid (Inbound Parse)
Overview
SendGrid’s Inbound Parse Webhook receives emails for a specific hostname/subdomain, parses the message, and POSTs it to your webhook as multipart/form-data.
Key differences vs Resend:
- •SendGrid posts the full parsed email (text/html/headers/attachments) directly to your webhook.
- •There is no official signature verification for Inbound Parse (unlike SendGrid Event Webhook). You must secure the endpoint yourself.
Quick Start
- •Create MX record pointing to
mx.sendgrid.netfor a dedicated hostname (recommended: subdomain). - •Configure Inbound Parse in SendGrid Console with a receiving domain + destination URL.
- •Handle the webhook: parse
multipart/form-data, readtext,html,headers, and attachments. - •Secure the endpoint (basic auth, allowlists, size limits).
DNS / MX Setup
Create an MX record for a dedicated hostname:
| Setting | Value |
|---|---|
| Type | MX |
| Host | parse (or another subdomain) |
| Priority | 10 |
| Value | mx.sendgrid.net |
Recommendation: Use a subdomain to avoid disrupting existing email providers (e.g., parse.example.com).
Inbound Parse Configuration
In SendGrid Console:
- •Settings → Inbound Parse
- •Add Receiving Domain and Destination URL
- •Example receiving address:
anything@parse.example.com
Webhook Payload (Multipart/Form-Data)
SendGrid posts data like:
- •
from,to,cc,subject - •
text,html - •
headers(raw email headers) - •
envelope(JSON with SMTP envelope data) - •
attachments(count) - •
attachmentX(file content; filename in part)
Example fields (varies by config):
code
from: "Alice <alice@example.com>"
to: "support@parse.example.com"
subject: "Help"
text: "Plain text body"
html: "<p>HTML body</p>"
headers: "...raw headers..."
envelope: {"to":["support@parse.example.com"],"from":"alice@example.com"}
attachments: 2
attachment1: <file>
attachment2: <file>
Security Best Practices
Because Inbound Parse has no signature verification, treat inbound data as untrusted:
- •Require basic auth on the webhook URL.
- •Allowlist sender domains if appropriate.
- •Limit request size (e.g., 10–25 MB) to avoid abuse.
- •Validate content-type (
multipart/form-data). - •Do not execute or render HTML without sanitization.
- •Protect against prompt injection if forwarding to AI systems.
Examples
See: