unMTA

Domains

Add and verify domains to authenticate your outbound email with DKIM and DMARC.

Overview

Before you can send email through your cluster, you must add and verify at least one domain. This process proves you own the domain and configures the DNS records necessary for email authentication.

Proper domain authentication improves deliverability, protects your brand from spoofing, and ensures receiving mail servers trust your messages.

Each domain belongs to a single cluster. You can add the same domain name to multiple clusters if needed—each will have its own unique DKIM keys.

Email Authentication Concepts

When you add a domain, you'll configure two types of DNS records. Here's what each one does:

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to every email you send. When a receiving mail server gets your message, it looks up your public key in DNS and verifies the signature matches. This proves:

  • The email actually came from your domain
  • The message wasn't modified in transit

When you add a domain, a unique RSA 2048-bit key pair is automatically generated. The public key goes in your DNS; the private key is securely stored and used to sign outbound messages.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC builds on DKIM by telling receiving servers what to do when authentication fails. It also enables reporting so you can monitor authentication results.

The DMARC policy we recommend uses:

  • p=reject — Reject emails that fail authentication
  • adkim=s — Strict DKIM alignment (the signing domain must exactly match the From domain)
  • aspf=r — Relaxed SPF alignment

Adding a Domain

  1. Navigate to the Domains page from the sidebar
  2. Click the Add domain button
  3. Enter your domain name (e.g., example.com)
  4. Click Add domain

You'll be redirected to the domain detail page showing the DNS records you need to configure.

Domain Requirements

  • Must be a valid fully-qualified domain name (FQDN)
  • Cannot be an IP address
  • Cannot use reserved TLDs: localhost, local, test, invalid, example, localdomain
  • Must be unique within your cluster (the same domain can exist in different clusters)
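The requirements above can be pre-checked before a domain is submitted. This is an added example, not unMTA's own validation code: `domain_problem` and its messages are hypothetical, it assumes internationalized names arrive in their `xn--` form, and uniqueness within a cluster is not something a client-side check can see.

```python
import ipaddress
import re

# Reserved TLDs as listed on this page.
RESERVED_TLDS = {"localhost", "local", "test", "invalid", "example", "localdomain"}
# One DNS label: letters, digits and hyphens, 1-63 chars, no leading/trailing hyphen.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def domain_problem(name):
    """Return why a sending domain would be refused, or None if it looks acceptable."""
    host = name.strip().lower().rstrip(".")  # tolerate a trailing root dot
    try:
        ipaddress.ip_address(host.strip("[]"))  # IPv4, IPv6 and [bracketed] literals
        return "IP address, not a domain"
    except ValueError:
        pass
    labels = host.split(".")
    if len(host) > 253 or len(labels) < 2 or labels[-1].isdigit():
        return "not a fully-qualified domain name"
    if not all(LABEL.match(label) for label in labels):
        return "invalid label"
    if labels[-1] in RESERVED_TLDS:
        return "reserved TLD"
    return None

if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("example.com", "192.0.2.10", "mail.test", "localhost"):
        print(candidate, "->", domain_problem(candidate))
```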

DNS Records Setup

After adding a domain, you'll see two DNS TXT records that need to be added to your DNS provider:

Record | Name | Value
DKIM | unmta._domainkey.example.com | p=MIIBIjANBg... (your unique public key)
DMARC | _dmarc.example.com | v=DMARC1; p=reject; adkim=s; aspf=r

Click the copy button next to each record value to copy it to your clipboard.

Provider-Specific Instructions

  1. Log in to your Cloudflare dashboard
  2. Select your domain
  3. Go to DNS > Records
  4. Click Add record
  5. For each record:
    • Type: TXT
    • Name: Enter the name from the table above (e.g., unmta._domainkey for DKIM)
    • Content: Paste the value
    • TTL: Auto
  6. Click Save

For the DKIM record, enter only unmta._domainkey as the name—Cloudflare automatically appends your domain.

  1. Open the Route 53 console
  2. Select Hosted zones and click your domain
  3. Click Create record
  4. For each record:
    • Record name: Enter the subdomain portion (e.g., unmta._domainkey for DKIM, _dmarc for DMARC)
    • Record type: TXT
    • Value: Paste the value wrapped in quotes
    • TTL: 300 (or your preference)
  5. Click Create records

The general steps for adding TXT records are similar across DNS providers:

  1. Log in to your DNS provider's management console
  2. Navigate to your domain's DNS settings (often called "DNS Management", "DNS Records", or "Advanced DNS")
  3. Add a new TXT record for each of the two records
  4. For each record, you'll need to enter:
    • Type: TXT
    • Name/Host: The record name
    • Value/Content: The record value from the table above
    • TTL: Use the default or set to 3600 (1 hour)
  5. Save your changes

Some providers automatically append your domain to the record name. If you're adding the DKIM record and your provider does this, enter only unmta._domainkey rather than the full unmta._domainkey.example.com.

DNS changes can take up to 48 hours to propagate, though most updates appear within a few minutes to a few hours.

Verifying a Domain

Once you've added the DNS records:

  1. Go to your domain's detail page
  2. Click the Verify Now button

The system queries DNS for your DKIM record. It must be correctly configured for verification to succeed.

If verification fails, you'll see which records are still pending. Double-check your DNS configuration and try again—remember that DNS propagation can take time.

What Gets Verified

Record | Verification Check
DKIM | TXT record at unmta._domainkey.yourdomain.com contains your public key

DMARC is displayed in the DNS records table but is not required for domain verification. However, we strongly recommend configuring it for optimal deliverability.
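The DKIM check described above, together with a comparison of a DMARC record against the recommended policy, as an added example (not unMTA's code). A 2048-bit RSA public key is longer than the 255 bytes a single TXT string can hold, so the sketch joins the quoted chunks before comparing; the function names and the sample key are constructed for illustration.

```python
import re

# Constructed placeholder, not a real key: stands in for the base64 p= value
# shown on the domain detail page.
EXPECTED_P = "Q09OU1RSVUNURUQtS0VZ" * 4
# Constructed TXT answer as dig prints it: the value split into quoted strings.
DKIM_TXT = '"p=' + EXPECTED_P[:50] + '" "' + EXPECTED_P[50:] + '"'

RECOMMENDED = {"p": "reject", "adkim": "s", "aspf": "r"}  # policy from this page
DMARC_DEFAULTS = {"adkim": "r", "aspf": "r"}  # RFC 7489 values when a tag is absent

def txt_join(presentation):
    """Concatenate the quoted strings of a TXT answer, with no separator."""
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', presentation)
    return "".join(chunks) if chunks else presentation.strip()

def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax that DKIM and DMARC share."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def dkim_key_matches(txt, expected_p):
    """True if the published p= tag equals the expected key, ignoring whitespace."""
    published = re.sub(r"\s+", "", parse_tags(txt_join(txt)).get("p", ""))
    return bool(published) and published == re.sub(r"\s+", "", expected_p)

def dmarc_gaps(txt):
    """List the tags where a DMARC record differs from the recommended policy."""
    tags = parse_tags(txt_join(txt))
    if tags.get("v") != "DMARC1":
        return ["not a DMARC1 record"]
    gaps = []
    for tag, want in RECOMMENDED.items():
        have = tags.get(tag, DMARC_DEFAULTS.get(tag))
        if have != want:
            gaps.append(f"{tag}={have} (recommended {tag}={want})")
    return gaps

if __name__ == "__main__":
    print(dkim_key_matches(DKIM_TXT, EXPECTED_P))
    print(dmarc_gaps('"v=DMARC1; p=none"'))
```

An empty `p=` tag is treated as a mismatch, and a DMARC record that omits `adkim` is reported because the default alignment is relaxed.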

Domain Status

Domains have two possible statuses:

Status | Meaning
Pending | DNS records not yet verified. Email cannot be sent from this domain.
Verified | Domain is authenticated and ready to send email.

Ongoing Monitoring

Verified domains are automatically monitored to ensure DNS records remain correctly configured. If your DNS records change or are removed:

  1. First failed check: You'll receive a warning email. The domain stays verified to give you time to fix the issue.
  2. Second consecutive failed check: The domain is downgraded to Pending status and you'll receive a notification. You'll need to fix the DNS records and verify again.

This two-strike policy prevents brief DNS issues from immediately disrupting your email sending while still catching persistent problems.

Managing Domains

Viewing Domain Details

Click any domain in the list to view its detail page, which shows:

  • Current verification status
  • All DNS records with copy buttons
  • Per-record verification status

Deleting a Domain

To delete a domain:

  1. Go to the domain's detail page
  2. Click the menu button and select Delete domain
  3. Type the domain name to confirm
  4. Click Delete domain

Deleting a domain is immediate and irreversible. Any email sent from this domain will be rejected after deletion.

API Reference

For programmatic domain management, see the Domains API documentation.
