Domain verification proves you own the domain you want to send emails from. This guide walks you through the complete process.
Table of Contents
Overview
When you add a domain to TrackPost, AWS SES requires proof of ownership. This is done by adding TXT records to your domain’s DNS.
What Gets Verified
- Domain ownership - You control the domain
- Email authentication - SPF, DKIM, and DMARC records
- Sending authorization - You’re authorized to send from this domain
DNS Records You’ll Add
| Record | Purpose | Required? |
|---|---|---|
| Domain verification TXT | Prove domain ownership | Yes |
| SPF TXT | Authorize AWS to send | Yes |
| DKIM TXT | Cryptographic signature | Yes |
| DMARC TXT | Domain policy | Recommended |
Step-by-Step Guide
Step 1: Add Domain in TrackPost
- Log in to your TrackPost Dashboard
- Navigate to Domains in the sidebar
- Click Add Domain
- Enter your domain name (e.g.,
yourcompany.com) - Click Add Domain
You’ll see a modal with DNS records to add:
Domain: yourcompany.com
Status: Pending verification
DNS Records to Add:
TXT @ "v=spf1 include:amazonses.com ~all"
TXT _amazonses "verification_token_here"
TXT selector1._domainkey "dkim_key_1"
TXT selector2._domainkey "dkim_key_2"
Step 2: Add DNS Records
Choose your DNS provider below for specific instructions:
- Cloudflare
- GoDaddy
- Route53 (AWS)
- Namecheap
- Google Domains
- Other Provider
Cloudflare DNS Setup
- Log in to Cloudflare Dashboard
- Select your domain
- Go to DNS → Records
- Click Add Record for each TXT record
Example Configuration:
| Type | Name | Content | TTL |
|---|---|---|---|
| TXT | yourcompany.com | v=spf1 include:amazonses.com ~all | Auto |
| TXT | _amazonses | verification_token_here | Auto |
| TXT | selector1._domainkey | dkim_key_1 | Auto |
| TXT | selector2._domainkey | dkim_key_2 | Auto |
| TXT | _dmarc | v=DMARC1; p=none; rua=mailto:[email protected] | Auto |
Tip
Important: In Cloudflare, the “Name” field should be the full subdomain or @ for root domain. Don’t include the main domain in the name field.
GoDaddy DNS Setup
- Log in to GoDaddy
- Go to My Products → DNS (next to your domain)
- Click Manage
- Scroll to DNS Records section
- Click Add for each record
Example Configuration:
| Type | Name | Value | TTL |
|---|---|---|---|
| TXT | @ | v=spf1 include:amazonses.com ~all | 1 Hour |
| TXT | _amazonses | verification_token_here | 1 Hour |
| TXT | selector1._domainkey | dkim_key_1 | 1 Hour |
| TXT | selector2._domainkey | dkim_key_2 | 1 Hour |
| TXT | _dmarc | v=DMARC1; p=none; rua=mailto:[email protected] | 1 Hour |
Warning
GoDaddy Quirk: GoDaddy automatically adds your domain to TXT record names. If TrackPost says to add selector1._domainkey.yourcompany.com, just enter selector1._domainkey as the Name.
Route53 DNS Setup
- Log in to AWS Console
- Go to Route53 → Hosted zones
- Click on your domain name
- Click Create record
Example Configuration:
| Record Name | Type | Value |
|---|---|---|
| yourcompany.com | TXT | “v=spf1 include:amazonses.com ~all” |
| _amazonses.yourcompany.com | TXT | “verification_token_here” |
| selector1._domainkey.yourcompany.com | TXT | “dkim_key_1” |
| selector2._domainkey.yourcompany.com | TXT | “dkim_key_2” |
| _dmarc.yourcompany.com | TXT | “v=DMARC1; p=none; rua=mailto:[email protected]” |
Tip
Route53 Note: Route53 uses full domain names. Enter the complete subdomain (e.g., _amazonses.yourcompany.com) as the record name.
Namecheap DNS Setup
- Log in to Namecheap
- Go to Domain List → Click Manage next to your domain
- Go to Advanced DNS tab
- In Host Records section, click Add New Record
Example Configuration:
| Type | Host | Value | TTL |
|---|---|---|---|
| TXT Record | @ | v=spf1 include:amazonses.com ~all | Automatic |
| TXT Record | _amazonses | verification_token_here | Automatic |
| TXT Record | selector1._domainkey | dkim_key_1 | Automatic |
| TXT Record | selector2._domainkey | dkim_key_2 | Automatic |
| TXT Record | _dmarc | v=DMARC1; p=none; rua=mailto:[email protected] | Automatic |
Google Domains DNS Setup
- Log in to Google Domains
- Select your domain
- Click DNS in the left menu
- Scroll to Custom resource records
- Click Manage custom records
Example Configuration:
| Name | Type | TTL | Data |
|---|---|---|---|
| @ | TXT | 1h | v=spf1 include:amazonses.com ~all |
| _amazonses | TXT | 1h | verification_token_here |
| selector1._domainkey | TXT | 1h | dkim_key_1 |
| selector2._domainkey | TXT | 1h | dkim_key_2 |
| _dmarc | TXT | 1h | v=DMARC1; p=none; rua=mailto:[email protected] |
Generic DNS Setup
For any DNS provider, add these TXT records:
SPF Record (Required):
- Type: TXT
- Name/Host: @ (or your domain name)
- Value:
v=spf1 include:amazonses.com ~all
Domain Verification (Required):
- Type: TXT
- Name/Host:
_amazonses(or_amazonses.yourdomain.com) - Value:
your_verification_token_here
DKIM Records (Required):
- Type: TXT (2 records)
- Name/Host:
selector1._domainkeyandselector2._domainkey - Value: DKIM public keys from TrackPost
DMARC Record (Recommended):
- Type: TXT
- Name/Host:
_dmarc(or_dmarc.yourdomain.com) - Value:
v=DMARC1; p=none; rua=mailto:[email protected]
Info
DNS Provider Variations: Different providers handle the “Name” field differently. Some require @ for root domain, some require the full domain, and some automatically append the domain. Check your provider’s documentation.
Step 3: Wait for Verification
DNS changes can take 5 minutes to 48 hours to propagate globally.
Check Propagation Status
Option 1: TrackPost Dashboard
- Go to Domains
- Check the status column
- Changes from “Pending” → “Verified”
Option 2: Command Line
# Check TXT records
dig TXT yourcompany.com
dig TXT _amazonses.yourcompany.com
dig TXT selector1._domainkey.yourcompany.com
Option 3: Online Tools
- whatsmydns.net - Check globally
- MXToolbox - DNS lookup
Typical Timeline
| Phase | Duration | Status |
|---|---|---|
| DNS Update | Instant | Changes in your DNS provider |
| Propagation | 5 min - 48 hrs | Spreading across global DNS |
| AWS Detection | 5-15 min | AWS SES sees the records |
| Verification | 1-5 min | AWS confirms domain ownership |
Step 4: Verify in TrackPost
Once DNS propagation is complete:
- Go to Domains in TrackPost dashboard
- Click on your domain
- You should see:
- Domain Status: Verified
- DKIM: Verified
- SPF: Verified
- DMARC: Verified (if added)
Understanding DNS Records
SPF (Sender Policy Framework)
Purpose: Tells email providers which servers can send email for your domain.
v=spf1 include:amazonses.com ~all
Breakdown:
v=spf1- SPF version 1include:amazonses.com- Allow AWS SES servers~all- Soft fail for other servers (mark as suspicious but don’t reject)
DKIM (DomainKeys Identified Mail)
Purpose: Cryptographically signs emails to prove they came from your domain.
How it works:
- AWS SES signs outgoing emails with a private key
- Email providers check the signature using your public key (in DNS)
- If valid, email is authenticated
DMARC (Domain-based Message Authentication)
Purpose: Tells email providers what to do with failed authentication checks.
Policies:
| Policy | Effect |
|---|---|
p=none | Monitor only (recommended to start) |
p=quarantine | Send to spam |
p=reject | Block the email |
Example with monitoring:
v=DMARC1; p=none; rua=mailto:[email protected]
Example for production:
v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=50
Warning
DMARC Warning: Start with p=none for 2-4 weeks to monitor. Only change to p=quarantine or p=reject after confirming SPF and DKIM are working correctly.
Troubleshooting
“Pending” Status for Hours
Check DNS Propagation:
dig +short TXT _amazonses.yourcompany.com
If empty: DNS hasn’t propagated yet. Wait longer (up to 48 hours).
If shows value: TrackPost should detect it soon. Try clicking “Verify” button in dashboard.
Wrong Record Errors
Common Mistakes:
Including domain in name field
- ❌ Wrong:
_amazonses.yourcompany.comin GoDaddy - ✅ Right:
_amazonses(GoDaddy adds domain automatically)
- ❌ Wrong:
Quotes in value
- ❌ Wrong:
"v=spf1 include:amazonses.com ~all" - ✅ Right:
v=spf1 include:amazonses.com ~all
- ❌ Wrong:
Wrong record type
- ❌ Wrong: Adding as CNAME
- ✅ Right: Must be TXT record
Typo in verification token
- Double-check every character matches exactly
Multiple SPF Records
If you already have an SPF record, merge them:
Before:
TXT @ "v=spf1 include:sendgrid.net ~all"
TXT @ "v=spf1 include:amazonses.com ~all"
After:
TXT @ "v=spf1 include:sendgrid.net include:amazonses.com ~all"
DKIM Keys Too Long
DKIM keys can be very long (200+ characters). Some DNS providers have limits:
Solution: Split into multiple strings:
"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1TaNgLlSyQMNWVLNLvyY/neDgaL2oqQE8T5illKqCgDtFHc8eHVAU+nlcaGmrKmDMw9dbgiGk1ocgZ56NR4ycfUHwQhvQPMUZw0cveel/8EAGoi/UyPmqfcPuJYSS9X" "8XnIloQb+hV/Bc/16Nw5c2iEsBbvXnmZqBTS+5IWUhrDzQIDAQAB"
Advanced: Multiple Domains
You can verify multiple domains for different purposes:
| Domain | Use Case |
|---|---|
| yourcompany.com | Main transactional emails |
| support.yourcompany.com | Support tickets |
| marketing.yourcompany.com | Marketing emails |
| notifications.yourcompany.com | System notifications |
Each domain follows the same verification process.
Next Steps
Once your domain is verified:
- Send Test Email - Verify everything works
- Check Authentication - Verify SPF/DKIM/DMARC
- Setup Webhooks - Configure event notifications
- Create Templates - Build reusable emails
Support
Still having trouble? Check these resources:
- Troubleshooting Guide - Common issues and fixes
- AWS SES Documentation - Official AWS docs
- Contact Support - Get help from our team