Domain Verification Before sending emails, you need to verify your sending domain. This ensures emails are delivered to your subscribers’ inboxes and not flagged as spam.
Why Domain Verification Matters When you send an email, receiving mail servers (Gmail, Outlook, etc.) check if the email is legitimate. Without proper verification, your emails may:
Land in spam folders
Be rejected entirely
Damage your domain’s reputation
Domain verification proves:
You own the domain - Only someone with DNS access can add the required recordsYou authorize Sequenzy to send on your behalf - The records explicitly list Amazon SES as an authorized sender
How Email Authentication Works Email authentication uses multiple protocols working together. When a receiving server gets your email:
SPF Check - “Is this server allowed to send for this domain?” → Looks up TXT record on bounce subdomainDKIM Check - “Was this email modified in transit?” → Verifies cryptographic signature using public key from CNAME records
DMARC is an additional layer that tells receiving servers what to do when authentication fails. While recommended for domain protection, it’s not required for domain verification in Sequenzy.
Required DNS Records Sequenzy requires 5 DNS records to verify your domain:
DKIM Records (3 CNAME records) DKIM adds a digital signature to every email. AWS SES signs outgoing emails with a private key, and receiving servers verify using the public key published in these records.
Type Name Value CNAME {token1}._domainkey.yourdomain.com{token1}.dkim.amazonses.comCNAME {token2}._domainkey.yourdomain.com{token2}.dkim.amazonses.comCNAME {token3}._domainkey.yourdomain.com{token3}.dkim.amazonses.com
Three tokens allow AWS SES to rotate keys without breaking email delivery.
SPF Record (1 TXT record) SPF authorizes which servers can send email for your domain. We use a bounce subdomain as the envelope sender for better deliverability tracking.
Type Name Value TXT bounce.yourdomain.comv=spf1 include:amazonses.com ~all
MX Record (1 MX record) Routes bounce notifications to AWS SES so failed deliveries are tracked and subscribers are marked as bounced.
Type Name Value Priority MX bounce.yourdomain.comfeedback-smtp.us-east-1.amazonses.com10
Optional: DMARC DMARC is not required for domain verification, but we recommend setting it up for better deliverability and domain protection. DMARC tells receiving servers what to do when authentication fails and where to send reports.
Implementing DMARC Learn how to set up DMARC for your domain with step-by-step instructions
Verification Methods Option 1: Automatic Setup with Cloudflare If your domain uses Cloudflare DNS, you can set up all records automatically with one click.
Step 1: Create a Cloudflare API Token
Go to Cloudflare Dashboard → My Profile → API Tokens
Click Create Token
Use the Edit zone DNS template or create a custom token with:
Zone - Zone - Read (to find your zone)Zone - DNS - Edit (to create records)
Set zone resources to All zones or select your specific domain
Click Create Token and copy it immediately
Step 2: Connect in Sequenzy
Go to Settings → Domains and click your domain
Click Connect Cloudflare
Paste your API token
Click Verify & Create Records
Sequenzy will validate your token, find the zone for your domain (including subdomains), and create all required DNS records automatically.
For subdomains like mail.example.com, Sequenzy automatically finds the root
zone example.com to create the records.
Option 2: Manual DNS Setup
Go to Settings → Domains and click your domain
Copy each DNS record from the verification table
Add them in your DNS provider’s control panel
Return to Sequenzy—verification happens automatically
Common DNS Providers: Provider Where to Find DNS Settings GoDaddy My Products → Domains → DNS Namecheap Domain List → Manage → Advanced DNS Route 53 Hosted zones → Select domain → Create record
DNS propagation can take up to 48 hours, though most records propagate within
15-30 minutes.
Verification Process Once you’ve added the DNS records, Sequenzy automatically monitors their status:
DNS Lookup - Checks if records exist and point to correct valuesAWS SES Verification - Once DNS is correct, AWS SES verifies the DKIM signaturesStatus Update - Domain status updates from “Pending” to “Verified”
Verification Statuses Status Description Pending Records not yet detected or still propagating Verified All records verified, ready to send emails Failed Verification failed after 72 hours—check your records
Troubleshooting Records Not Detected
Wait for propagation - DNS changes can take up to 48 hoursCheck for typos - Ensure record names and values match exactlyCheck proxy settings - For Cloudflare, DKIM records must have proxy disabled (DNS only)
Verification Timeout If verification fails after 72 hours:
Delete the domain in Sequenzy
Re-add it to get fresh DKIM tokens
Update your DNS records with the new tokens
Cloudflare Token Errors Error Solution ”Invalid API token” Check the token wasn’t revoked or expired ”Could not access zone” Ensure token has Zone - Zone - Read permission ”Failed to create record” Ensure token has Zone - DNS - Edit permission
Using Subdomains We strongly recommend sending from a subdomain (e.g., mail.example.com) rather than your root domain. This protects your domain reputation and isolates any deliverability issues.
Why Use Subdomains? Learn about reputation isolation, risk prevention, and best practices for
subdomain email sending
Best Practices
Use a subdomain - Protect your root domain’s reputation with mail.yourdomain.comConsider setting up DMARC - While optional, DMARC protects against spoofing and helps monitor email authenticationKeep tokens secure - Never share your Cloudflare API token publicly
