Skip to main content

Domain Setup

Every email sent through Relay must come from a verified domain. Domain verification proves you own the domain and configures email authentication (SPF, DKIM, DMARC) to maximize deliverability and prevent spoofing.

Adding a Domain

  1. Go to Domains in the left sidebar
  2. Click Add Domain
  3. Enter your domain (e.g., yourmsp.com) — do not include http:// or subdomains
  4. Relay creates an SES identity and generates the required DNS records

After adding, the domain shows a Pending status (yellow clock icon) until verified.

DNS Records

Relay generates five DNS records for each domain. Click the copy icon next to each record to copy it.

DKIM Records (3 CNAME Records)

DKIM (DomainKeys Identified Mail) cryptographically signs outgoing emails so recipients can verify they haven't been tampered with.

TypeNameValue
CNAMEselector1._domainkey.yourmsp.comselector1._domainkey.amazonses.com
CNAMEselector2._domainkey.yourmsp.comselector2._domainkey.amazonses.com
CNAMEselector3._domainkey.yourmsp.comselector3._domainkey.amazonses.com
ℹ️The exact selector names are generated by SES and will be unique to your domain. The values shown above are examples.

SPF Record (1 TXT Record)

SPF (Sender Policy Framework) tells receiving mail servers which servers are authorized to send email for your domain.

TypeNameValue
TXTyourmsp.comv=spf1 include:amazonses.com ~all

If you already have an SPF record, add include:amazonses.com to it rather than creating a second TXT record. Multiple SPF records cause verification failures.

DMARC Record (1 TXT Record)

DMARC (Domain-based Message Authentication, Reporting & Conformance) tells receivers what to do with emails that fail SPF or DKIM checks.

TypeNameValue
TXT_dmarc.yourmsp.comv=DMARC1; p=quarantine; rua=mailto:[email protected]
💡Start with p=quarantine and move to p=reject once you've confirmed all legitimate email sources are authenticated. The rua address receives aggregate DMARC reports.

Verifying a Domain

  1. After adding all DNS records to your DNS provider, return to the Domains page
  2. Click Verify next to your domain
  3. Relay checks each DNS record for propagation
  4. Records that pass show a green checkmark; records still propagating show a yellow clock
  5. Once all records are verified, the domain status changes to Verified (green checkmark)

DNS propagation typically takes 15–30 minutes but can take up to 48 hours depending on your DNS provider's TTL settings.

Using Subdomains

You can verify a subdomain like mail.yourmsp.com instead of the root domain. This is useful when:

  • You want to separate transactional email reputation from marketing email
  • Your root domain already has complex DNS records
  • You're running multiple email services from the same domain

To use a subdomain, enter it when adding the domain (e.g., mail.yourmsp.com) and add the DNS records under that subdomain.

Multiple Domains

You can verify multiple domains per tenant. Common patterns:

  • Primary domain for client-facing notifications (yourmsp.com)
  • Support subdomain for ticket replies (support.yourmsp.com)
  • Internal domain for system alerts (internal.yourmsp.com)

Each domain requires its own set of DNS records and independent verification.

Inbound Routing per Domain

Verified domains can optionally enable inbound email routing. When enabled, emails sent to addresses on that domain are processed by Relay's inbound routing engine and forwarded to PSA, CRM, or Portal.

See Inbound Routing for configuration details.

Removing a Domain

  1. Click the delete icon next to the domain
  2. Confirm the deletion

Removing a domain deletes the SES identity and immediately stops all email sending from that domain. Any emails in transit will still be delivered, but new sends will fail.

⚠️Removing a verified domain is irreversible. You'll need to re-add and re-verify the domain if you want to use it again.

Common Verification Failures

IssueCauseFix
DKIM records not foundCNAME records not added or still propagatingAdd all 3 CNAME records and wait 15–30 minutes
SPF record invalidMultiple SPF TXT records on the same domainMerge into a single SPF record: v=spf1 include:amazonses.com include:other.com ~all
DMARC record missing_dmarc TXT record not addedAdd the DMARC TXT record to _dmarc.yourmsp.com
Domain stuck on PendingDNS provider caching old recordsLower TTL values, clear DNS cache, or wait up to 48 hours
Verification passes then failsDNS records were removed or modified after verificationRe-add the original DNS records and re-verify