Why domain verification matters
Email providers — Gmail, Outlook, Yahoo, and others — check every inbound message against the sender domain's DNS records. If your domain doesn't publish records that authorize Yaplet to send on your behalf, receiving servers treat your message as suspicious: your campaigns land in spam folders, or are rejected before they reach the inbox.
Yaplet will not queue campaigns from an unverified sender address. Verifying your domain is the foundation of every email you send — and the good news is that the setup page now checks your DNS for you, so you're never guessing whether a record went live.
What SPF and DKIM do
- SPF (Sender Policy Framework) — a DNS TXT record listing which mail servers may send email from your domain. Receiving servers check that Yaplet's infrastructure is on that list before accepting your message.
- DKIM (DomainKeys Identified Mail) — DNS CNAME records pointing to public cryptographic keys hosted by Amazon SES (Yaplet's email infrastructure). Yaplet signs every outgoing email; receiving servers verify the signature. DKIM is the record that actually verifies your domain for sending.
Most major providers also check DMARC, which builds on SPF and DKIM — passing both satisfies the most common DMARC policies. Yaplet publishes a default DMARC record for you as part of the records below.
Step 1 — Add your domain
- Go to Settings → Emailing → Domains.
- Click Add domain.
- Enter your sending domain (e.g.
yourdomain.com— just the domain, nohttps://orwww.). Use a subdomain likemail.yourdomain.comonly if you specifically want to send from one. - Click Add.
Yaplet generates your DNS records, requests an SSL certificate for link tracking, and opens the Setup tab. There's no "Need warmup" toggle anymore — sending speed is managed automatically (see how warmup works now).
Step 2 — Add the DNS records
The Setup page organizes records into three groups by what they do, and shows a live status next to each one: Found in DNS, A different value is set — check it, or Not detected yet — add it or wait for propagation. Add them at your DNS provider (Cloudflare, GoDaddy, Namecheap, Route 53, your host's control panel) — the page re-checks automatically every 20 seconds, so you don't have to refresh.
Sending — required
The records that authenticate your mail. Add all of these.
| Type | Name (host) | Value | Priority |
|---|---|---|---|
| CNAME (×3) | {token}._domainkey.yourdomain.com | {token}.dkim.amazonses.com | — |
| TXT | yourdomain.com | v=spf1 include:amazonses.com ~all | — |
| TXT | _dmarc.yourdomain.com | v=DMARC1; p=none | — |
| MX | mail.yourdomain.com | feedback-smtp.eu-central-1.amazonses.com | 10 |
| TXT | mail.yourdomain.com | v=spf1 include:amazonses.com ~all | — |
The three DKIM CNAMEs use opaque per-domain tokens (something like o7s2vrwryrpqfwhg6sml5myuwhwgmodi) — always copy the exact names and values from your dashboard.
Receiving — optional
Add this single inbound MX record only if you want incoming email for your domain (like customer replies) to land in your Yaplet inbox. Skip it if you only need to send — for example, newsletters. Don't add it if your domain already runs on Google Workspace or Microsoft 365, or it will reroute your existing mail.
| Type | Name (host) | Value | Priority |
|---|---|---|---|
| MX | yourdomain.com | inbound-smtp.eu-central-1.amazonaws.com | 10 |
Secure links — optional, recommended
These let Amazon issue an SSL certificate so your campaign's tracking links can be branded. They work in parallel with sending, so add them at the same time. The link. record only appears once the certificate is issued.
| Type | Name (host) | Value |
|---|---|---|
| CNAME | (ACM validation — shown in your dashboard) | (shown in your dashboard) |
| CNAME | link.yourdomain.com (after cert issued) | (CloudFront target — shown in your dashboard) |
Already have an SPF record? A domain can only have one SPF TXT record at the apex. Don't add a second — merge
include:amazonses.cominto your existing one. For example, changev=spf1 include:_spf.google.com ~alltov=spf1 include:_spf.google.com include:amazonses.com ~all.
On Cloudflare, set every CNAME (the DKIM records and the link-tracking record) to DNS only — the grey cloud, not the orange one. A proxied CNAME breaks DKIM and SSL validation. Yaplet detects your DNS provider and shows tips like this automatically.
CAA records are handled for you. If your domain has a CAA record that blocks Amazon from issuing the link-tracking certificate, Yaplet shows a warning and adds the exact record you need: a CAA record on
yourdomain.comwith value0 issue "amazon.com". If you have no CAA record at all, you don't need one — it only affects link tracking, not sending.
Prefer a bulk import? Click Export records at the top of the Setup page to download every record as one zone file — a Cloudflare-tuned file (with the CNAMEs pre-set to "DNS only") or a portable BIND file — then import it in a single step. This only works at providers that accept a zone file (Cloudflare, or any BIND-based host); registrars like GoDaddy and Namecheap can't import files, so there you add the records with the copy buttons instead.
Step 3 — Yaplet verifies for you
There's no manual "Verify" button anymore. After you add the records, Yaplet checks DNS automatically — every 20 seconds, and again whenever you return to the tab. A Re-check status button forces an immediate check. A single badge tracks where you stand:
| Badge | What it means |
|---|---|
| DNS records needed | The required authentication records aren't in your DNS yet. Add them. |
| Verifying — almost there | Your records are detected; AWS is verifying the domain — usually 5–60 minutes. |
| Verified for sending | Done. You can send from this domain. |
You can close the page and come back — it re-checks when you return, so there's nothing to sit and wait for. Stuck? Click Ask AI for help: Yaplet's assistant reads your live DNS and tells you exactly which records are still missing and where to add them.
Turn on branded link tracking
Link tracking rewrites the links in your emails through a link.yourdomain.com subdomain so Yaplet can measure clicks. It has its own switch on the Setup page:
- The switch is locked until your SSL certificate is issued — add the Secure-links records first.
- Once the certificate is issued, the
link.record appears. You can flip the switch on even before that record propagates: tracking stays pending and turns on by itself once the record resolves. Until then your links are sent untouched, so nothing breaks. - Turning it off reverts to plain, untracked links.
Add a verified sender address
A verified domain alone doesn't let you send — you need at least one sender address on it.
- On the verified domain, open the Emails tab and click Add email.
- Enter the local part (e.g.
hellogives[email protected]). - Choose which widget the address is linked to — replies to campaigns from it land in that widget's inbox.
- Click Add. The address is available in campaigns and workflows immediately.
Add as many sender addresses as you need. For team setups, see Set up multiple senders on one domain.
How warmup and deliverability work now
Warmup is fully automatic — there are no limits to set by hand. When you send from a new domain, inbox providers are cautious because it has no history. Yaplet handles this for you: it ramps your sending volume up gradually, increasing speed for each email provider (Gmail, Apple, Microsoft, and the rest) as long as your bounce and complaint rates stay healthy, and pulling back automatically if they climb.
There's nothing to configure and nothing to "finish" — the only thing you control is your list quality. You can watch how you're doing on the Deliverability tab, which shows a health score for each provider. See Monitor your email deliverability for how to read it.
By default all Yaplet mail goes out from a shared, pre-warmed IP pool — the right choice for almost everyone. High-volume senders who want a reputation entirely their own can enable a dedicated IP.
Troubleshooting
| Symptom | Likely cause and fix |
|---|---|
| A record still shows "Not detected yet" after a while | DNS hasn't propagated. Give it an hour or two; the page keeps re-checking. Double-check you entered only the host part if your provider appends the domain automatically. |
| A record shows "A different value is set" | A record exists at that name but the value doesn't match — re-copy the exact value from your dashboard and check for a stray space or duplicate record. |
| DKIM won't verify | One of the three DKIM CNAMEs is missing, mistyped, or proxied through Cloudflare (must be DNS-only). Re-copy each name and value. |
| Link tracking won't turn on | The SSL certificate isn't issued yet. Add the Secure-links records (including the CAA record if Yaplet flagged one), then wait for AWS to issue the certificate. |
| Domain verified but campaigns still go to spam | SPF and DKIM pass but the domain has low reputation. Send to a small, engaged segment first and watch the Deliverability tab. |
What's next
With your domain verified, add more sender addresses for your team, then send your first campaign.