DNS Records
Proper DNS configuration is the single biggest factor in inbox placement. This guide covers every record SendFleet uses - what each one does, how to add it, and how to verify it.
Record overview
SendFleet uses four categories of DNS record. Only the first two (domain ownership TXT and DKIM) are required to send. The remaining records improve deliverability and bounce routing.
| Record | Required? | Purpose |
|---|---|---|
| Domain ownership TXT | Required | Proves you own the domain. SES won't send until this is verified. |
| DKIM CNAMEs (×3) | Required to send | Cryptographically signs outgoing emails. Prevents spoofing and improves deliverability. |
| SPF TXT | Strongly recommended | Tells receiving servers which IPs are authorised to send for your domain. |
| MAIL FROM MX + SPF | Recommended | Routes bounces back through SES. Needed for full DMARC alignment. |
| DMARC TXT | Recommended | Policy that tells receivers what to do when SPF/DKIM fail. Blocks spoofing. |
1 - Domain ownership (TXT)
When you add a domain in the dashboard, SES gives you a unique verification token. You add it as a TXT record under _amazonses.yourdomain.com. Once SES confirms the record, domain ownership is verified.
Type: TXT Name: _amazonses.yourdomain.com Value: <token from dashboard> TTL: 300
_amazonses). Check your provider's docs to avoid adding _amazonses.yourdomain.com.yourdomain.com by mistake.After adding the record, go to Dashboard → Domains → your domain → Verify ownership. The check polls SES and updates the status immediately. If it fails, wait a few minutes and try again.
2 - DKIM (3 × CNAME)
DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to every outgoing email. Receiving servers verify the signature against the public key published in your DNS. Without DKIM, many providers will flag or silently drop your email.
SES generates three CNAME records - you must add all three. Adding only some will result in intermittent signing failures.
Type: CNAME Name: <token1>._domainkey.yourdomain.com Value: <token1>.dkim.amazonses.com Type: CNAME Name: <token2>._domainkey.yourdomain.com Value: <token2>.dkim.amazonses.com Type: CNAME Name: <token3>._domainkey.yourdomain.com Value: <token3>.dkim.amazonses.com TTL: 300 (for each)
After adding all three records, click Verify DKIM in the domain detail page. Once DKIM is verified the domain becomes send-ready - you can start sending email immediately.
DKIM for BYOC domains
For BYOC domains, the tokens come from your own AWS SES account. We call ses:VerifyDomainDkim via your assumed IAM role and display the resulting tokens in the dashboard - same process, different AWS account.
3 - SPF (TXT on root domain)
SPF (Sender Policy Framework) declares which mail servers are authorised to send email for your domain. Add an include:amazonses.commechanism to your existing SPF record, or create one if you don't have it yet.
Type: TXT Name: yourdomain.com (or @ - the root domain itself) Value: v=spf1 include:amazonses.com ~all TTL: 3600
v=spf1, add include:amazonses.com inside it - do not create a second SPF record. Multiple SPF records cause permanent failures (permerror).SPF with other senders
If you send from multiple services (e.g. Google Workspace + SendFleet), combine them:
v=spf1 include:_spf.google.com include:amazonses.com ~all
4 - MAIL FROM subdomain
The MAIL FROM domain (also called the envelope sender or Return-Path) is separate from the visible From: address. By default SES uses its own MAIL FROM domain. Setting a custom MAIL FROM on a subdomain of yours (e.g. send.yourdomain.com) improves DMARC alignment and bounce routing.
SendFleet automatically configures send.yourdomain.com as the MAIL FROM subdomain when you add a domain. You need to add two DNS records for it:
# MX - routes bounces to SES (replace region with your SES region) Type: MX Name: send.yourdomain.com Value: 10 feedback-smtp.us-east-1.amazonses.com TTL: 300 # SPF - authorises SES to send from this subdomain Type: TXT Name: send.yourdomain.com Value: v=spf1 include:amazonses.com ~all TTL: 3600
| SES Region | MX Value |
|---|---|
| us-east-1 | feedback-smtp.us-east-1.amazonses.com |
| us-west-2 | feedback-smtp.us-west-2.amazonses.com |
| eu-west-1 | feedback-smtp.eu-west-1.amazonses.com |
| eu-central-1 | feedback-smtp.eu-central-1.amazonses.com |
| ap-southeast-1 | feedback-smtp.ap-southeast-1.amazonses.com |
| ap-southeast-2 | feedback-smtp.ap-southeast-2.amazonses.com |
| ap-northeast-1 | feedback-smtp.ap-northeast-1.amazonses.com |
| ap-south-1 | feedback-smtp.ap-south-1.amazonses.com |
| ca-central-1 | feedback-smtp.ca-central-1.amazonses.com |
| sa-east-1 | feedback-smtp.sa-east-1.amazonses.com |
The dashboard shows your region-specific value. After adding the records, click Verify MAIL FROM in the domain detail page.
5 - DMARC (TXT on _dmarc subdomain)
DMARC (Domain-based Message Authentication, Reporting & Conformance) tells receiving servers what to do when an email fails SPF or DKIM checks. It also enables aggregate reporting so you can monitor who is sending on behalf of your domain.
Type: TXT Name: _dmarc.yourdomain.com Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com TTL: 3600
DMARC policy options
| Policy (p=) | Effect | When to use |
|---|---|---|
| none | Monitor only. Failed emails are still delivered. | Start here. Collect reports before enforcing. |
| quarantine | Failed emails go to spam/junk. | After validating your sending sources are all aligned. |
| reject | Failed emails are bounced outright. | Fully enforced. Maximum protection against spoofing. |
p=none and a rua reporting address. After reviewing reports and confirming your SPF and DKIM are both aligned, move to p=quarantine, then eventually p=reject. Jumping straight to reject before alignment is confirmed will cause legitimate email to be dropped.Complete DNS checklist
Use this as a reference when setting up a new sending domain.
| Record | Type | Where | Status indicator |
|---|---|---|---|
| Domain ownership | TXT | _amazonses.yourdomain.com | Dashboard → SES status badge |
| DKIM key 1 | CNAME | <token1>._domainkey.yourdomain.com | Dashboard → DKIM badge |
| DKIM key 2 | CNAME | <token2>._domainkey.yourdomain.com | ↑ |
| DKIM key 3 | CNAME | <token3>._domainkey.yourdomain.com | ↑ |
| SPF | TXT | yourdomain.com | Dashboard → SPF badge |
| MAIL FROM MX | MX | send.yourdomain.com | Dashboard → MAIL FROM badge |
| MAIL FROM SPF | TXT | send.yourdomain.com | ↑ |
| DMARC | TXT | _dmarc.yourdomain.com | Dashboard → DMARC badge |
Troubleshooting
| Problem | Likely cause | Fix |
|---|---|---|
| Ownership verification keeps failing | Record not yet propagated, or wrong subdomain prefix added. | Wait 15–30 min. Use dig TXT _amazonses.yourdomain.com to confirm the record is visible before clicking Verify. |
| DKIM fails after adding records | Only 1–2 of 3 CNAMEs added, or provider added a trailing dot incorrectly. | Confirm all three CNAME records with dig CNAME <token>._domainkey.yourdomain.com. |
| SPF permerror in mail headers | Two SPF TXT records exist on the root domain. | Merge into a single v=spf1 ... ~all record. Delete the duplicate. |
| MAIL FROM shows Pending forever | MX record missing or pointing to wrong region endpoint. | Confirm the MX value exactly matches your SES region's feedback-smtp hostname. |
| DMARC alignment failing | SPF aligns on SES's default MAIL FROM, not your domain. | Set up the custom MAIL FROM subdomain (Step 4) so the Return-Path aligns with your domain. |
Checking records with dig
You can verify any DNS record from your terminal without waiting for the dashboard check:
# Domain ownership TXT dig TXT _amazonses.yourdomain.com # DKIM CNAME (replace token1 with your actual token) dig CNAME token1._domainkey.yourdomain.com # SPF on root domain dig TXT yourdomain.com # MAIL FROM MX dig MX send.yourdomain.com # DMARC dig TXT _dmarc.yourdomain.com