Verify your sending domain (SPF and DKIM)

Updated May 22, 2026

Why domain verification matters

Email providers — Gmail, Outlook, Yahoo, and others — check every inbound message against the sender domain's DNS records. If your domain doesn't publish SPF and DKIM records that authorize Yaplet to send on your behalf, receiving servers mark the message as suspicious. The result: your campaigns land in spam folders, or are silently discarded before they reach the inbox.

Yaplet will not queue campaigns from an unverified sender address. Domain verification is not optional — it is the foundation of every email you send.

What SPF and DKIM do

  • SPF (Sender Policy Framework) — a DNS TXT record that lists which mail servers are authorized to send email from your domain. Receiving servers check that Yaplet's sending infrastructure appears on that list before accepting your message.
  • DKIM (DomainKeys Identified Mail) — a set of DNS CNAME records that point to public cryptographic keys hosted by Amazon SES (Yaplet's email infrastructure). Yaplet signs every outgoing email with the matching private key. Receiving servers verify the signature to confirm the message was not altered in transit and genuinely came from your domain.

Together, SPF and DKIM prove that the email came from an authorized server and arrived intact. Most major providers also check DMARC, which is built on top of SPF and DKIM — passing both automatically satisfies the most common DMARC policies. Yaplet publishes a default DMARC record for you as part of the DNS records below.

Step 1 — Add your domain in Yaplet

  1. Go to Dashboard → Settings → Emailing → Custom Domains.
  2. Click Add domain.
  3. Enter your sending domain (e.g. yourdomain.com). Enter a subdomain (e.g. mail.yourdomain.com) only if you specifically want to send from a subdomain.
  4. If this is a brand-new domain or you have never sent bulk email from it before, toggle Need warmup on — read the Email warmup section below before deciding.
  5. Click Add. Yaplet generates a full set of DNS records and displays them in a table on the domain page. Keep this tab open while you configure DNS at your registrar.

Step 2 — Add the DNS records at your registrar

Log in to wherever you manage DNS for your domain — Cloudflare, GoDaddy, Namecheap, AWS Route 53, Google Domains, or your hosting provider's control panel. Yaplet auto-generates eight DNS records you need to add. Every one of them is required for full deliverability and link tracking — don't skip any.

# Type Name (host) Value Priority
1 CNAME {token1}._domainkey.yourdomain.com {token1}.dkim.amazonses.com
2 CNAME {token2}._domainkey.yourdomain.com {token2}.dkim.amazonses.com
3 CNAME {token3}._domainkey.yourdomain.com {token3}.dkim.amazonses.com
4 TXT yourdomain.com v=spf1 include:amazonses.com ~all
5 TXT _dmarc.yourdomain.com v=DMARC1; p=none
6 MX yourdomain.com inbound-smtp.eu-central-1.amazonaws.com 10
7 MX mail.yourdomain.com feedback-smtp.eu-central-1.amazonses.com 10
8 TXT mail.yourdomain.com v=spf1 include:amazonses.com ~all
9 CNAME link.yourdomain.com (CloudFront target shown in your dashboard)
10 CNAME (ACM validation name shown in your dashboard) (ACM validation value shown in your dashboard)

Records 1–3 (DKIM) use opaque tokens generated per domain (something like o7s2vrwryrpqfwhg6sml5myuwhwgmodi) — they are not the literal word "yaplet" and they are not interchangeable between domains. Always copy the exact names and values from your dashboard. The three CNAMEs together replace the single TXT-style DKIM record older guides described.

Record 4 (SPF) — merge if you already have one. A domain can only have one SPF TXT record at the apex. If you already have a record starting with v=spf1, do not create a second one — append include:amazonses.com to the existing record. For example, if you currently have v=spf1 include:_spf.google.com ~all, change it to:

v=spf1 include:_spf.google.com include:amazonses.com ~all

Record 5 (DMARC). Yaplet publishes a default p=none policy on the _dmarc subdomain so receiving servers always have a DMARC record to evaluate. If you already manage your own DMARC policy, keep yours — don't add a second record at _dmarc.yourdomain.com.

Record 6 (inbound MX). This routes incoming email for your domain to Yaplet's inbox. If you currently use Google Workspace or Microsoft 365 on the same apex domain, adding this MX will redirect your inbound mail to Yaplet. Use a dedicated subdomain (e.g. mail.yourdomain.com as the sending domain itself) if you don't want to disturb your existing mail setup.

Records 7–8 (MAIL FROM) live on the mail. subdomain and align the technical envelope sender with your domain for stronger deliverability.

Records 9–10 (tracking) enable click tracking on links inside your campaigns. Record 9 points link.yourdomain.com at a CloudFront distribution; record 10 validates the SSL certificate AWS Certificate Manager issues for that subdomain. The exact value of record 9 and both fields of record 10 are generated dynamically and shown in your dashboard.

CAA caveat: if your domain already publishes a CAA record at the apex, AWS Certificate Manager will only be allowed to issue the SSL certificate for link.yourdomain.com if your CAA list includes amazon.com. If you have a CAA record and it doesn't include Amazon, add 0 issue "amazon.com" to it — otherwise the tracking certificate (record 10) will silently fail to validate. Domains with no CAA record at all are fine; CAA only restricts issuance when present.

Cloudflare proxy: if your DNS lives on Cloudflare, make sure every CNAME above is set to DNS only (grey cloud), not proxied (orange cloud). Proxied CNAMEs break DKIM signature verification and ACM certificate validation.

Step 3 — Wait for DNS propagation

DNS changes take time to spread globally. Expect an hour or two for most providers; in rare cases it can take up to 48 hours. Do not proceed to the verification check until propagation is complete. You can verify propagation independently using tools like MXToolbox or Google's DNS checker by looking up your DKIM CNAMEs.

Step 4 — Verify the domain in Yaplet

  1. Return to Settings → Emailing → Custom Domains.
  2. Select your domain from the dropdown at the top of the page.
  3. Click Verify DNS.
  4. Yaplet queries your DNS for every record above. If all required records are found and valid, the domain status changes to Verified.
  5. If it fails, check the troubleshooting table below, wait a few minutes for further propagation, and try again.

Step 5 — Add a verified sender address

A verified domain alone doesn't let you send — you need at least one sender address on that domain.

  1. On the verified domain's page, click Add email.
  2. Enter the local part of the address (e.g. hello gives you [email protected]).
  3. Choose which widget this address should be associated with — replies to campaigns sent from this address will land in that widget's inbox.
  4. Click Add. The address is immediately available in campaigns and workflows.

You can add as many sender addresses as you need on a verified domain. See Set up multiple senders on one domain for team-based setups.

Email warmup — what it is and how Yaplet handles it

When you start sending bulk email from a domain with little or no sending history, inbox providers treat it with suspicion. Email warmup (sometimes called domain warmup) automatically caps your daily sending volume and grows the cap over time — so providers see a slow, steady ramp instead of a sudden flood, and your domain builds a positive reputation.

How Yaplet's warmup works

When warmup is enabled on a domain, Yaplet recalculates your daily sending limit every day at midnight UTC based on the last seven days of sending activity. Throughout the day the system also throttles outbound emails — spreading them across the day at a calculated interval (shown in seconds in the dashboard) rather than firing the full batch at once.

If you stop sending for a stretch of days, the limit ramps back down so that resuming doesn't look like a sudden spike to inbox providers. As you keep sending consistently and engagement holds up, the cap rises automatically. There's nothing to "complete" — the system runs as long as warmup stays on.

Edit your warmup parameters

On a domain with warmup enabled, you can fine-tune four values from Settings → Emailing → Custom Domains by clicking Edit sending limit on the domain:

  • Limit — a manual override of today's sending limit. Resets at the next midnight UTC recalculation. Default starting value: 300 emails/day.
  • Max limit — the ceiling. The daily limit will never grow above this value. Default: 45000 emails/day.
  • Min limit — the floor. The daily limit will never shrink below this value. Default: 300 emails/day.
  • Change factor — how aggressively the limit moves between days, expressed as a decimal multiplier (not a percentage). Default: 0.2, meaning the limit can grow or shrink by up to 20% per day. Enter 0.1 for 10% per day, 0.5 for 50% per day, and so on — do not type 20 for 20%.

The defaults work for most senders — only touch these if you have a specific deliverability strategy or guidance from Yaplet support.

Should you enable warmup?

Enable warmup if:

  • This is a new domain you have never used for email marketing.
  • You are moving to Yaplet from another provider and your domain hasn't sent recently.
  • Your subscriber list is larger than a few thousand contacts.

You can skip warmup if:

  • You are sending to a very small list (under 500 subscribers) and the domain already has a healthy email-sending history.

Shared and dedicated IPs

Yaplet currently sends all customer email from a shared IP pool. Warmup in Yaplet operates at the domain level, not the IP level — you control your domain's reputation, but you don't pick or warm a specific IP. This is the right setup for almost every sender: shared pools are pre-warmed and already have a stable reputation with major inbox providers, so individual customers don't need to build IP reputation from zero.

If you have very high sending volume and a specific business reason to need a dedicated IP, contact Yaplet support to discuss options.

Troubleshooting failed verification

Symptom Likely cause and fix
Verification fails immediately after adding records DNS hasn't propagated yet. Wait an hour or two and try again.
SPF fails, DKIM passes You may have two SPF TXT records on the domain (only one is allowed), or you forgot to add include:amazonses.com to your existing record.
DKIM fails, SPF passes One or more of the three DKIM CNAMEs is missing, has a typo, or is proxied through Cloudflare (must be DNS-only). Re-copy each name and value from the dashboard.
Tracking domain or certificate fails Either the link. CNAME is missing/proxied, or your domain has a CAA record that doesn't allow amazon.com. Add 0 issue "amazon.com" to the CAA list and re-run verification.
Domain verified but campaigns still go to spam SPF + DKIM pass but your domain has a low reputation. Enable warmup, start with a small engaged segment, and check whether a DMARC policy is failing separately.

What's next

With your domain verified, add more sender addresses for your team, then send your first campaign.

Related Articles

Send your first newsletter campaign

Read article

Import subscribers from CSV or API

Read article

Build segments with filters

Read article

Build static groups for one-off sends

Read article

Custom subscriber fields

Read article

Did this article answer your question?