This page provides detailed instructions for configuring the DNS records required to verify your sending domain and ensure optimal email deliverability.
Quick Setup Checklist
Follow these steps to configure your domain:
| Step | Record | Status |
|---|---|---|
| 1 | Add 3 DKIM CNAME records | ⬜ |
| 2 | Add SPF TXT record | ⬜ |
| 3 | Add Return Path CNAME record | ⬜ |
| 4 | Add DMARC TXT record (recommended) | ⬜ |
| 5 | Click "Verify DNS" in dashboard | ⬜ |
DNS Propagation Time
DNS changes typically take 5-30 minutes to propagate, but can take up to 48 hours in some cases. If verification fails, wait a few minutes and try again.
Overview of Email Authentication
Email authentication uses three key technologies to prove your emails are legitimate:
| Technology | Purpose | Record Type |
|---|---|---|
| DKIM | Cryptographically signs emails to prove authenticity | CNAME (x3) |
| SPF | Specifies which servers can send email for your domain | TXT |
| DMARC | Defines policy for handling authentication failures | TXT |
All Three Matter
While only DKIM and SPF are strictly required, adding DMARC significantly improves deliverability and provides visibility into email authentication issues.
DKIM (DomainKeys Identified Mail)
DKIM adds a digital signature to your emails that receiving servers can verify. Send.dev uses three DKIM selectors for key rotation and redundancy.
Required DKIM Records
Add these three CNAME records to your DNS:
| Name | Type | Value |
|---|---|---|
send1._domainkey.mail.yourdomain.com | CNAME | send1.dkim.send.dev |
send2._domainkey.mail.yourdomain.com | CNAME | send2.dkim.send.dev |
send3._domainkey.mail.yourdomain.com | CNAME | send3.dkim.send.dev |
Use Your Actual Domain
Replace mail.yourdomain.com with your actual sending subdomain in all examples.
How DKIM Works
1. You send email via Send.dev API
2. Send.dev signs the email with your domain's private key
3. Receiving server fetches your public key from DNS
4. Signature is verified, proving the email is authenticDKIM Verification
To verify your DKIM records are correctly configured:
# Check DKIM record
dig CNAME send1._domainkey.mail.yourdomain.com
# Expected output should show:
# send1._domainkey.mail.yourdomain.com. CNAME send1.dkim.send.dev.SPF (Sender Policy Framework)
SPF specifies which mail servers are authorized to send email on behalf of your domain.
Required SPF Record
Add this TXT record to your DNS:
| Name | Type | Value |
|---|---|---|
mail.yourdomain.com | TXT | v=spf1 include:spf.send.dev ~all |
SPF Explained
v=spf1 # SPF version 1
include:spf.send.dev # Authorize Send.dev servers
~all # Soft fail for unauthorized serversMerging SPF Records
Important: You can only have ONE SPF record per domain. If you already have an SPF record (e.g., for Google Workspace), you need to merge them:
Before (Invalid - Two SPF records):
v=spf1 include:_spf.google.com ~all
v=spf1 include:spf.send.dev ~allAfter (Valid - Merged):
v=spf1 include:_spf.google.com include:spf.send.dev ~allCommon SPF Combinations
| Services | SPF Record |
|---|---|
| Send.dev only | v=spf1 include:spf.send.dev ~all |
| Send.dev + Google Workspace | v=spf1 include:_spf.google.com include:spf.send.dev ~all |
| Send.dev + Microsoft 365 | v=spf1 include:spf.protection.outlook.com include:spf.send.dev ~all |
| Send.dev + Mailchimp | v=spf1 include:servers.mcsv.net include:spf.send.dev ~all |
SPF Verification
# Check SPF record
dig TXT mail.yourdomain.com
# Expected output should include:
# "v=spf1 include:spf.send.dev ~all"DMARC (Domain-based Message Authentication)
DMARC tells receiving servers what to do when DKIM or SPF checks fail, and provides reporting on email authentication.
Recommended DMARC Record
Add this TXT record to your DNS:
| Name | Type | Value |
|---|---|---|
_dmarc.mail.yourdomain.com | TXT | v=DMARC1; p=none; rua=mailto:dmarc@send.dev |
DMARC Policy Options
| Policy | Behavior | When to Use |
|---|---|---|
p=none | Monitor only, don't reject | Initial setup, testing |
p=quarantine | Send failures to spam | After monitoring shows healthy auth |
p=reject | Reject failures entirely | Maximum protection, well-established domain |
DMARC Progression
We recommend gradually increasing your DMARC policy:
Week 1-2 (Monitoring):
v=DMARC1; p=none; rua=mailto:dmarc@send.devWeek 3-4 (Partial Quarantine):
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@send.devWeek 5+ (Full Quarantine):
v=DMARC1; p=quarantine; rua=mailto:dmarc@send.devFinal (Reject):
v=DMARC1; p=reject; rua=mailto:dmarc@send.devDMARC Tags Explained
| Tag | Description | Example |
|---|---|---|
v | DMARC version (always DMARC1) | v=DMARC1 |
p | Policy for domain | p=none, p=quarantine, p=reject |
pct | Percentage of messages to apply policy | pct=25 (25%) |
rua | Email address for aggregate reports | rua=mailto:dmarc@send.dev |
ruf | Email address for forensic reports | ruf=mailto:forensic@yourdomain.com |
sp | Policy for subdomains | sp=reject |
adkim | DKIM alignment mode | adkim=s (strict) or adkim=r (relaxed) |
aspf | SPF alignment mode | aspf=s (strict) or aspf=r (relaxed) |
Return Path (Bounce Handling)
The return path record allows Send.dev to properly handle bounces.
Required Return Path Record
| Name | Type | Value |
|---|---|---|
bounce.mail.yourdomain.com | CNAME | bounce.send.dev |
This enables:
- Proper bounce handling and reporting
- Better deliverability (aligned return path)
- Accurate bounce metrics in your dashboard
DNS Provider Instructions
Cloudflare
- Log in to Cloudflare Dashboard
- Select your domain
- Go to DNS → Records
- Click Add record for each record
- For CNAME records, disable proxy (grey cloud)
Disable Proxy
Cloudflare proxy must be disabled (grey cloud icon) for all email DNS records.
AWS Route 53
- Log in to AWS Console
- Go to Route 53 → Hosted zones
- Select your domain
- Click Create record for each record
- For CNAMEs, omit the trailing dot
GoDaddy
- Log in to GoDaddy
- Go to Domain Settings → DNS
- Click Add under DNS Records
- Select record type and enter values
Namecheap
- Log in to Namecheap
- Go to Domain List → Manage
- Select Advanced DNS
- Click Add New Record
Google Domains (Squarespace)
- Log in to Google Domains / Squarespace Domains
- Select your domain
- Go to DNS → Custom records
- Add each record
Verification Tools
Online Tools
- MXToolbox - Check all DNS records
- DMARC Analyzer - Validate DMARC
- Mail Tester - Test email deliverability
Command Line
# Check DKIM
dig CNAME send1._domainkey.mail.yourdomain.com
# Check SPF
dig TXT mail.yourdomain.com
# Check DMARC
dig TXT _dmarc.mail.yourdomain.com
# Check Return Path
dig CNAME bounce.mail.yourdomain.comTroubleshooting
"DNS record not found"
- Wait for propagation - DNS changes can take up to 48 hours
- Check record name - Ensure exact match (including subdomain)
- Check record type - CNAME vs TXT matters
- Check for typos - Copy-paste from dashboard to avoid errors
"SPF too many lookups"
SPF has a limit of 10 DNS lookups. If you exceed this:
- Remove unnecessary
include:statements - Use IP addresses directly instead of includes where possible
- Consider using an SPF flattening service
"DKIM signature failed"
- Verify all 3 DKIM CNAME records exist
- Check for trailing dots (some providers add them)
- Ensure CNAME targets are correct
- Wait for propagation and retry
"DMARC record not found"
- Check record is at
_dmarc.prefix - Ensure it's a TXT record (not CNAME)
- Verify syntax starts with
v=DMARC1;
Complete DNS Record Summary
For domain mail.yourdomain.com:
| Name | Type | Value | Purpose |
|---|---|---|---|
send1._domainkey.mail.yourdomain.com | CNAME | send1.dkim.send.dev | DKIM |
send2._domainkey.mail.yourdomain.com | CNAME | send2.dkim.send.dev | DKIM |
send3._domainkey.mail.yourdomain.com | CNAME | send3.dkim.send.dev | DKIM |
mail.yourdomain.com | TXT | v=spf1 include:spf.send.dev ~all | SPF |
_dmarc.mail.yourdomain.com | TXT | v=DMARC1; p=none; rua=mailto:dmarc@send.dev | DMARC |
bounce.mail.yourdomain.com | CNAME | bounce.send.dev | Bounces |
Next Steps
- Domain Setup - Add and verify your domain
- Sending Emails - Start sending emails
- Best Practices - Optimize deliverability