Domain Verification Guide
Set up DKIM, SPF, and DMARC for your domain.
Guide
Domain Verification
Set up DKIM, SPF, and DMARC for your domain to improve deliverability and protect your sender reputation.
4 min read
Why Verify Your Domain?
Email authentication proves to receiving servers that your emails are legitimate and haven't been tampered with. Without it:
- Emails are more likely to land in spam folders
- Spammers can spoof your domain to send phishing emails
- Your sender reputation can be damaged by abuse
The Three Pillars of Email Auth
- DKIM — Signs emails cryptographically to prove they weren't modified
- SPF — Declares which servers can send email for your domain
- DMARC — Tells receivers what to do with emails that fail DKIM/SPF checks
Automatic DNS Management
The Wraps CLI can automatically create all required DNS records during wraps email init if you have the appropriate environment variables set for your DNS provider.
| DNS Provider | Required Environment Variable | Optional |
|---|---|---|
| AWS Route53 | (uses AWS credentials) | AWS_PROFILE |
| Vercel DNS | VERCEL_TOKEN | VERCEL_TEAM_ID |
| Cloudflare | CLOUDFLARE_API_TOKEN | CLOUDFLARE_ZONE_ID |
Setup Instructions
Vercel DNS
Create an API token at vercel.com/account/tokens
terminal.sh
export VERCEL_TOKEN=your_token_here# Optional: for team accountsexport VERCEL_TEAM_ID=team_xxxxxCloudflare
Create an API token at dash.cloudflare.com/profile/api-tokens. The token needs Zone.DNS (Edit) permission.
terminal.sh
export CLOUDFLARE_API_TOKEN=your_token_here# Optional: auto-detected if not setexport CLOUDFLARE_ZONE_ID=your_zone_idAWS Route53
No additional setup required if you have a hosted zone for your domain. The CLI uses your existing AWS credentials.
Skip manual DNS setup
With automatic DNS management, you can skip Steps 2-4 below. The CLI will create DKIM, SPF, DMARC, and MX records for you during wraps email init.
Manual DNS Setup
If you prefer to add DNS records manually, or your DNS provider isn't supported, follow the steps below.
1Add Your Domain to SES
Using Wraps CLI
terminal.sh
npx @wraps.dev/cli email domains add -d yourdomain.comUsing AWS Console
- Open the Amazon SES console
- Go to Identities → Create identity
- Select Domain as the identity type
- Enter your domain name and click Create
2Set Up DKIM
After adding your domain, SES generates 3 DKIM tokens. You need to add these as CNAME records in your DNS.
Get Your DKIM Records
terminal.sh
npx @wraps.dev/cli email domains get-dkim -d yourdomain.comSES will display 3 CNAME records that you need to add to your DNS:
Add Records to Your DNS
Copy all 3 CNAME records and add them in your DNS provider (Route 53, Cloudflare, Namecheap, etc.). The format looks like:
DKIM Records
# You'll get 3 CNAME records like this:abc123._domainkey.yourdomain.com → abc123.dkim.amazonses.comdef456._domainkey.yourdomain.com → def456.dkim.amazonses.comghi789._domainkey.yourdomain.com → ghi789.dkim.amazonses.com
Important: Record Name Format
Copy the exact record names from SES. Don't add extra underscores or modify them. Some DNS providers automatically append your domain, so you may only need to enter the part before your domain name.
3SPF (Automatic)
Good news: SPF is automatic!
When you send through Amazon SES, the MAIL FROM domain is a subdomain of amazonses.com, which already has SPF configured. No additional setup required.
If you want to use a custom MAIL FROM domain (advanced), see the AWS documentation.
4Set Up DMARC
DMARC tells receiving mail servers what to do when emails fail authentication checks. SES will prompt you to set up DMARC:
Add this TXT record to your DNS:
DMARC Record
# Add this TXT record to your DNS:Name: _dmarc.yourdomain.comType: TXTValue: v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.comDMARC Policy Options
| Policy | Value | Action |
|---|---|---|
| Monitor | p=none | No enforcement, just collect reports |
| Quarantine | p=quarantine | Send failing emails to spam |
| Reject | p=reject | Reject failing emails entirely |
Recommended: Start with quarantine
Use p=quarantine to start. Once you've confirmed all legitimate emails pass, you can upgrade to p=reject.
5Verify Your Setup
After adding DNS records, verify everything is configured correctly:
terminal.sh
npx @wraps.dev/cli email domains verify -d yourdomain.comDNS propagation takes up to 72 hours
DKIM verification typically completes within a few hours, but can take up to 72 hours for DNS to propagate worldwide.
Troubleshooting
Domain still shows "Pending" after 72 hours
- Double-check CNAME record names match exactly (no extra underscores)
- Some DNS providers auto-append your domain — you may need to remove it from the record name
- Try adding a trailing period (.) to the CNAME value for fully qualified domain names
- Ensure the underscore (_) is present in record names
DMARC reports show failures
- Ensure DKIM records are correctly published
- Check that you're sending from a verified identity
- If using a custom MAIL FROM domain, verify SPF is configured
Verification Checklist
- Domain added to SES
- 3 DKIM CNAME records added to DNS
- Domain status shows "Verified" in SES
- DMARC TXT record added to DNS
Next Steps
Request Production Access
Now that your domain is verified, request production access for faster approval.
Production AccessSend Your First Email
Start sending authenticated emails with the Wraps SDK.
Email Quickstart