Domain Authentication
Domain authentication proves to receiving mail servers that your emails are legitimate. Setting up SPF, DKIM, and DMARC is essential for deliverability — and as of 2024, required by Gmail and Yahoo for bulk senders.
Why It Matters
Without proper domain authentication, your emails are far more likely to land in spam or be rejected outright. Here's why:
- Deliverability: ISPs like Gmail, Outlook, and Yahoo use SPF, DKIM, and DMARC results as major signals in spam scoring. Authenticated emails consistently land in the inbox at higher rates.
- Sender reputation: Authentication ties your sending activity to your domain, letting you build a sender reputation over time. Without it, you're sending as an anonymous IP.
- Phishing protection: DMARC prevents others from spoofing your domain to send phishing emails that appear to come from you.
- Gmail & Yahoo requirements (2024): Since February 2024, Gmail and Yahoo require bulk senders (5,000+ emails/day to their users) to have SPF or DKIM, a DMARC policy, and one-click unsubscribe. Failing these requirements causes deferrals and rejections.
Set it up before your first send
SPF (Sender Policy Framework)
SPF is a DNS TXT record that lists the mail servers authorized to send email from your domain. When a receiving server gets an email from you, it checks your domain's SPF record to verify the sending server is on the list.
Adding an SPF record
Add a TXT record to your domain's DNS with the following structure:
# DNS TXT record for your domain (e.g., yourdomain.com)
Type: TXT
Name: @ (or leave blank — represents the root domain)
Value: v=spf1 include:amazonses.com ~all
# ~all = softfail (recommended to start)
# -all = hardfail (reject unauthorized senders — use after testing)
Only one SPF record per domain
v=spf1 include:sendgrid.net ~all, change it to v=spf1 include:sendgrid.net include:amazonses.com ~all.
SPF has a limit of 10 DNS lookups per record. Each include: counts as one lookup. If you're including many providers, consider using SPF flattening tools to stay under the limit.
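The two rules above (one SPF record per domain, at most 10 lookups) can be checked offline before you touch DNS. This is an added example, not EmailSendX code; the function names are hypothetical, and it counts only the lookup terms written in the record itself, since lookups made inside an included record need live DNS to resolve.

```python
# Added example (not EmailSendX code): merge SPF records and count lookup terms.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # one DNS lookup each
LOOKUP_LIMIT = 10


def split_terms(record):
    """Return the terms after 'v=spf1', without the trailing 'all' term."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError(f"not an SPF record: {record!r}")
    return [t for t in terms[1:] if t.lstrip("+-~?").lower() != "all"]


def merge_spf(records, policy="~all"):
    """Combine several SPF records into the single record a domain may publish."""
    merged = []
    for record in records:
        for term in split_terms(record):
            if term.lower() not in {m.lower() for m in merged}:
                merged.append(term)
    return " ".join(["v=spf1", *merged, policy])


def count_lookups(record):
    """Count terms in this record that cost a DNS lookup. Lookups inside an
    included record count too, but resolving them needs DNS and is not done here."""
    count = 0
    for term in split_terms(record):
        name = term.lstrip("+-~?").lower()
        mechanism = name.split(":", 1)[0].split("/", 1)[0]
        if mechanism in LOOKUP_MECHANISMS or name.startswith("redirect="):
            count += 1
    return count


def check_domain(txt_records):
    """List SPF problems in the TXT records published at one domain name."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    problems = []
    if len(spf) > 1:
        problems.append("multiple SPF records; publish one: " + merge_spf(spf))
    for record in spf:
        if count_lookups(record) > LOOKUP_LIMIT:
            problems.append(f"{count_lookups(record)} lookup terms (limit 10): {record}")
    return problems


if __name__ == "__main__":
    # Constructed input: the two-provider case from the text above.
    published = ["v=spf1 include:sendgrid.net ~all", "v=spf1 include:amazonses.com ~all"]
    print(check_domain(published))
```
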
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to every outgoing email. The receiving server uses a public key published in your DNS to verify the signature, confirming the email hasn't been altered in transit and genuinely came from your domain.
Unlike SPF, DKIM signs the message content itself — so even if an email is forwarded, the DKIM signature remains valid.
Getting your DKIM keys
Your email provider generates the DKIM key pair. The private key is stored on the provider's servers; you publish the public key in your DNS.
# SES generates 3 CNAME records for DKIM. Find them in:
# AWS Console → SES → Verified identities → [your domain] → DKIM
# Example (your actual values will differ):
Type: CNAME
Name: abc123def456._domainkey.yourdomain.com
Value: abc123def456.dkim.amazonses.com
Type: CNAME
Name: xyz789ghi012._domainkey.yourdomain.com
Value: xyz789ghi012.dkim.amazonses.com
Type: CNAME
Name: jkl345mno678._domainkey.yourdomain.com
Value: jkl345mno678.dkim.amazonses.com
# Add all three CNAME records to your DNS
DMARC
DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on top of SPF and DKIM. It lets you tell receiving servers what to do when an email from your domain fails both SPF and DKIM checks — and sends you reports so you can monitor your domain's authentication health.
Recommended rollout strategy
Start with a monitoring-only policy and progressively tighten it once you're confident all legitimate sending sources are authenticated:
# Start here — collect reports without affecting delivery
Type: TXT
Name: _dmarc.yourdomain.com
Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
# p=none: take no action on failures, just report
# rua: where to send aggregate reports (daily summary from each ISP)
# Stay at p=none for at least 2-4 weeks while reviewing reports
Free DMARC report parsers
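What reviewing the rua aggregate reports involves during the p=none stage, as an added example that is not EmailSendX code: it tallies DMARC results per source IP so you can see which senders still fail before tightening the policy. The sample report is constructed in the RFC 7489 XML layout, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report layout (documentation IPs).
ROW = ("<record><row><source_ip>{ip}</source_ip><count>{n}</count><policy_evaluated>"
       "<disposition>none</disposition><dkim>{dkim}</dkim><spf>{spf}</spf>"
       "</policy_evaluated></row></record>")
SAMPLE_REPORT = (
    "<feedback><report_metadata><org_name>receiver.example</org_name></report_metadata>"
    "<policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>"
    + ROW.format(ip="192.0.2.10", n=480, dkim="pass", spf="pass")
    + ROW.format(ip="198.51.100.7", n=35, dkim="pass", spf="fail")
    + ROW.format(ip="203.0.113.99", n=12, dkim="fail", spf="fail")
    + "</feedback>")


def summarize(report_xml):
    """Per source IP, count messages that passed or failed DMARC.

    A message passes when the aligned DKIM or SPF result is 'pass'; it fails
    only when both fail. Reports come from third parties by email, so parse
    real ones with a hardened parser such as defusedxml, not plain ElementTree.
    """
    sources = {}
    for row in ET.fromstring(report_xml).iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count", default="0"))
        results = (row.findtext("policy_evaluated/dkim"),
                   row.findtext("policy_evaluated/spf"))
        tally = sources.setdefault(ip, {"pass": 0, "fail": 0})
        tally["pass" if "pass" in results else "fail"] += count
    return sources


def failing_sources(sources):
    """Sources with DMARC failures, highest volume first."""
    failed = [(ip, t["fail"]) for ip, t in sources.items() if t["fail"]]
    return sorted(failed, key=lambda item: item[1], reverse=True)


def pass_rate(sources):
    """Fraction of all reported messages that passed DMARC."""
    total = sum(t["pass"] + t["fail"] for t in sources.values())
    return sum(t["pass"] for t in sources.values()) / total if total else 0.0


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    print(failing_sources(summary), f"{pass_rate(summary):.1%}")
```

Each failing source is either a legitimate sender that still needs SPF or DKIM set up, or someone spoofing the domain; only the first kind blocks the move beyond p=none.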
Custom Tracking Domain
By default, EmailSendX rewrites links in your campaigns to track clicks and serves the open-tracking pixel from an EmailSendX-owned domain (track.emailsendx.com). Setting up a custom tracking domain moves this to a subdomain you control (e.g., track.yourdomain.com).
Benefits of a custom tracking domain:
- Links in your emails stay on your domain, which looks more professional.
- Reputation is tied to your domain, not a shared platform domain.
- Some spam filters are more suspicious of generic email platform tracking domains.
Setup
# Step 1: Choose a subdomain (e.g., track.yourdomain.com or click.yourdomain.com)
# Step 2: Add a CNAME record in your DNS
Type: CNAME
Name: track (creates track.yourdomain.com)
Value: tracking.emailsendx.com
TTL: 3600
# Step 3: In EmailSendX:
# Workspace Settings → Deliverability → Custom Tracking Domain
# Enter: track.yourdomain.com
# Click: Verify & Activate
# EmailSendX will provision an SSL certificate automatically.
# Once active, all new links in campaigns use your custom domain.
Verifying Your Records
EmailSendX includes a built-in DNS checker that shows the current status of all authentication records for your sending domains.
Go to Workspace Settings → Sending Domains → [your domain]. You'll see a status table:
- Green checkmark: Record found and valid.
- Yellow clock: Record detected but DNS propagation is still in progress (can take up to 48 hours).
- Red X: Record not found or incorrect. The exact expected value is shown so you can cross-check with your DNS provider.
EmailSendX checks each record independently — you can have SPF passing while DKIM is still propagating. A domain is considered fully authenticated only when all three records (SPF, DKIM, DMARC) show green.
Use MXToolbox for external verification