Employees should use 2FA for their accounts, and SendGrid seems to offer this; for passwords stored in sending applications one can use a combination of password and IP ACLs, but I don't know if SendGrid allows setting IP ACLs for senders. While 2FA is not a panacea, it significantly reduces risk.
One can send newsletters using a subdomain like news.acmecorp.com and have SendGrid's IPs in the SPF record only for this subdomain and not for the main domains (though most recipients would not notice a change from, say, @acmecorp.com to @news.acmecorp.com).
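The subdomain scoping suggested above can be checked mechanically. The following is an added example, not part of the original comment: it audits SPF TXT records and reports any domain other than the newsletter subdomain that authorizes the provider. The zone data is constructed, the function names are hypothetical, and it assumes the provider is authorized through `include:sendgrid.net`.

```python
# Added example: audit SPF records so that a bulk-mail provider is
# authorized only on the newsletter subdomain, never on the main domain.

PROVIDER = "sendgrid.net"  # assumption: provider is authorized via include:sendgrid.net

# Constructed sample zone data (domain -> TXT records); not real DNS answers.
WEAK = {
    "acmecorp.com": ["v=spf1 mx include:sendgrid.net -all"],
    "news.acmecorp.com": ["v=spf1 include:sendgrid.net -all"],
}
SCOPED = {
    "acmecorp.com": ["v=spf1 mx -all"],
    "news.acmecorp.com": ["v=spf1 include:sendgrid.net -all"],
}

def spf_terms(txt_records):
    """Return the terms of the domain's SPF record, or [] if unusable."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if len(spf) != 1:  # RFC 7208: none = no policy, several = permerror
        return []
    return spf[0].split()[1:]

def authorizes(terms, provider=PROVIDER):
    """True if a passing include: term or a redirect= points at provider."""
    for term in terms:
        t = term.lower()
        if t == f"redirect={provider}":
            return True
        qualifier = t[0] if t[0] in "+-~?" else "+"  # default qualifier is pass
        if qualifier == "+" and t.lstrip("+") == f"include:{provider}":
            return True
    return False

def audit(zone, allowed, provider=PROVIDER):
    """List domains other than `allowed` whose SPF authorizes provider."""
    findings = []
    for domain, txt in sorted(zone.items()):
        if domain != allowed and authorizes(spf_terms(txt), provider):
            findings.append(f"{domain}: authorizes {provider} outside {allowed}")
    return findings

if __name__ == "__main__":
    for name, zone in (("WEAK", WEAK), ("SCOPED", SCOPED)):
        print(name, audit(zone, "news.acmecorp.com") or "ok")
```

With the scoped layout, stolen provider credentials can only produce SPF-passing mail for news.acmecorp.com, not for the main domain.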