EmailSendX Docs
EmailSendX Docs
/
Docs/Deliverability/DNS Setup

DNS Setup

Correct DNS records are the foundation of email deliverability. This reference page shows the exact record formats for SPF, DKIM, DMARC, BIMI, and custom tracking domains.

Use the DNS checker in your workspace

After adding records, verify them in Workspace Settings → Sending Domains → (your domain) → Check DNS. EmailSendX shows each record's status in real time. DNS propagation typically takes a few minutes to a few hours.

SPF Record

SPF (Sender Policy Framework) tells receiving mail servers which services are authorized to send email from your domain. Add a TXT record to your domain's DNS.

TypeHostValue
TXT@v=spf1 include:amazonses.com ~all
bash
# Full SPF record example for yourdomain.com
yourdomain.com.  IN  TXT  "v=spf1 include:amazonses.com ~all"

# If you also send from other services (e.g. Google Workspace):
yourdomain.com.  IN  TXT  "v=spf1 include:amazonses.com include:_spf.google.com ~all"

# ~all means "soft fail" — recommended over -all for initial setup
# -all (hard fail) is stricter but can block legitimate mail if misconfigured

One SPF record per domain

You can only have one SPF TXT record per domain. If you already have an SPF record, add include:amazonses.com to the existing record rather than creating a new one. Multiple SPF records will cause SPF failure.

DKIM Records

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your outgoing emails. Receiving servers verify the signature to confirm the email wasn't tampered with in transit. AWS SES provides DKIM CNAME records to add to your DNS.

TypeHostPoints to
CNAMEabc123def456._domainkey.yourdomain.comabc123def456.dkim.amazonses.com
CNAMExyz789ghi012._domainkey.yourdomain.comxyz789ghi012.dkim.amazonses.com
CNAMEjkl345mno678._domainkey.yourdomain.comjkl345mno678.dkim.amazonses.com
bash
# DKIM CNAME records (AWS SES provides 3 per domain)
# Get the exact values from: AWS SES → Verified identities → (your domain) → DKIM

# Format: {selector}._domainkey.{yourdomain} → {selector}.dkim.amazonses.com

abc123def456._domainkey.yourdomain.com  CNAME  abc123def456.dkim.amazonses.com
xyz789ghi012._domainkey.yourdomain.com  CNAME  xyz789ghi012.dkim.amazonses.com
jkl345mno678._domainkey.yourdomain.com  CNAME  jkl345mno678.dkim.amazonses.com

The exact selector values are generated per domain by AWS SES. Find them in AWS Console → SES → Verified identities → (your domain) → DKIM signatures. EmailSendX also shows these in Settings → Sending Domains → DNS Records.

DMARC Record

DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells receiving servers what to do when SPF or DKIM checks fail, and where to send reports. Start with p=none (monitor only) and graduate to p=quarantine then p=reject once you've confirmed all legitimate senders are covered by SPF/DKIM.

TypeHostValue
TXT_dmarcv=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100
bash
# Step 1: Monitor-only (start here)
_dmarc.yourdomain.com  TXT  "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100"

# Step 2: Quarantine (after reviewing reports — moves suspect mail to spam)
_dmarc.yourdomain.com  TXT  "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100"

# Step 3: Reject (strongest — blocks non-authenticated email outright)
_dmarc.yourdomain.com  TXT  "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100"

# rua = email address to receive aggregate reports (daily XML reports)
# pct = percentage of mail to apply policy to (100 = all)

BIMI (Brand Indicators for Message Identification)

BIMI displays your brand logo in the email client inbox next to your email, increasing recognition and trust. Supported by Gmail, Yahoo Mail, and Apple Mail.

Prerequisites:

  • DMARC policy must be p=quarantine or p=reject (not p=none)
  • Logo must be an SVG file hosted at a public HTTPS URL
  • For Gmail specifically, a Verified Mark Certificate (VMC) is required. VMCs are issued by DigiCert or Entrust (~$1,499/year).
bash
# BIMI TXT record (without VMC — works in Yahoo Mail and Apple Mail)
default._bimi.yourdomain.com  TXT  "v=BIMI1; l=https://yourdomain.com/assets/logo.svg;"

# BIMI TXT record (with VMC — required for Gmail)
default._bimi.yourdomain.com  TXT  "v=BIMI1; l=https://yourdomain.com/assets/logo.svg; a=https://yourdomain.com/assets/vmc.pem;"

# SVG requirements:
# - Square aspect ratio (1:1)
# - Solid background (no transparency)
# - Maximum 32KB file size
# - Valid SVG Tiny PS format (not all SVGs qualify)

Custom Tracking Domain

By default, all tracked links and open pixels pass through EmailSendX's shared tracking domain. You can configure a custom subdomain (e.g., track.yourdomain.com) for better branding and deliverability.

bash
# Add this CNAME to your DNS:
track.yourdomain.com  CNAME  tracking.emailsendx.com

# Replace "tracking.emailsendx.com" with the specific CNAME target
# provided in your workspace settings — contact support@emailsendx.com
# for your workspace's specific CNAME target if it differs.

After adding the CNAME, go to Workspace Settings → Sending Domains → Tracking Domain, enter track.yourdomain.com, and click Verify.

One tracking domain per workspace

Each workspace supports one custom tracking domain. All campaigns in the workspace will use this domain for open pixels and click redirect URLs.

DNS Checker

After adding DNS records, verify them in the EmailSendX dashboard:

  1. Go to Workspace Settings → Sending Domains.
  2. Click your domain name.
  3. Click Check DNS Records. EmailSendX queries DNS in real time and shows status for SPF, DKIM, DMARC, and tracking domain.
  4. Green checkmarks mean the record is correctly configured. Red X means the record is missing or incorrect.

If a record shows as failing immediately after you added it, wait 15–60 minutes for DNS propagation and check again.

All records configured?

Test your inbox placement before a large send using a seed list service like GlockApps.

Deliverability overviewGDPR & compliance