How do I set up a custom sending domain in Resend (SPF, DKIM, DMARC) step by step?

Most teams setting up Resend for the first time get stuck when it’s time to connect SPF, DKIM, and DMARC. The good news: once you understand what each record does and where to click, setting up a custom sending domain in Resend is a straightforward, repeatable process.

This step‑by‑step guide walks you through everything: from adding your domain in Resend to configuring SPF, DKIM, and DMARC in your DNS so your emails are trusted, authenticated, and land in the inbox.

---

Why you should use a custom sending domain with Resend

Using a custom sending domain in Resend (with SPF, DKIM, DMARC properly configured) gives you:

• Brand consistency – Emails come from you@yourdomain.com, not a shared domain.
• Better deliverability – Authenticated messages are less likely to hit spam.
• Protection against spoofing – DMARC helps prevent attackers from sending emails that pretend to be you.
• Stronger reputation – Over time, your domain builds its own email reputation instead of relying on a shared pool.

If you’re sending any type of transactional or marketing email at scale, this setup is essential.

---

Prerequisites before you start

Before you configure SPF, DKIM, and DMARC for Resend, make sure you have:

• A registered domain you own (e.g., example.com).
• Access to your DNS provider, such as:
  • Cloudflare
  • GoDaddy
  • Namecheap
  • Google Domains / Google Cloud DNS
  • AWS Route 53
  • Or your hosting provider’s DNS panel
• A Resend account with the ability to add domains.

Also take note of:

• Whether you’re using the root domain (example.com) or a subdomain (mail.example.com, notifications.example.com).
• Any existing SPF/DKIM/DMARC records already in your DNS, especially if you use other email tools (Google Workspace, Microsoft 365, Mailgun, SendGrid, etc.).

---

Step 1: Add your custom domain in Resend

1. Log in to your Resend dashboard.
2. Go to Domains (this may be labeled “Sending domains” or similar).
3. Click Add domain (or Add sending domain).
4. Enter the domain you want to use, for example:
   • example.com
   • or a subdomain like mail.example.com (recommended if you send a lot of email).
5. Confirm and continue.

Resend will now generate a set of DNS records you need to add at your DNS provider—typically:

• 1 SPF record (TXT)
• 2–3 DKIM records (CNAME or TXT, depending on how Resend implements it)
• Optional tracking/return‑path records (often CNAMEs)
• A recommended DMARC record (TXT), or instructions to add one

Keep the Resend page open; you’ll copy these values into your DNS.

---

Step 2: Understand the records Resend gives you

When you add a custom sending domain in Resend, you’ll typically see records like:

Example SPF record

Type: TXT
Name/Host: @                (or your subdomain, e.g., mail)
Value: v=spf1 include:spf.resend.com ~all
TTL: 300 or 3600

This says: “Resend is authorized to send mail on behalf of this domain.”

Example DKIM record(s)

You might see one or more records such as:

Type: CNAME
Name/Host: s1._domainkey
Value: s1.domainkey.resend.com.
TTL: 300 or 3600

and possibly s2._domainkey, etc.

These allow Resend to sign outgoing emails cryptographically so recipients can confirm they’re authentic.

Example DMARC record

Resend may suggest something like:

Type: TXT
Name/Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com; fo=1
TTL: 300 or 3600

This tells receiving mail servers how to handle messages that fail SPF/DKIM, and where to send reports.

Your exact values will come directly from Resend; always copy those rather than the placeholders above.

---

Step 3: Open your DNS provider and locate DNS settings

At your domain’s DNS provider:

1. Log in to your DNS provider account.
2. Go to the DNS management or DNS records section.
3. Ensure you’re editing DNS for the correct domain (the same one you added in Resend).

You should now see a list of existing records such as A, CNAME, MX, and possibly existing TXT or SRV records.

---

Step 4: Add or update your SPF record for Resend

4.1 Check for an existing SPF record

Look for an existing TXT record that contains v=spf1.

• If there is no SPF record yet, you’ll create a new one.
• If there is an existing SPF record, you must merge Resend into it instead of creating a second SPF record.

Important: A domain should only have one SPF record. Multiple SPF records cause SPF to fail.

4.2 If you do not have an SPF record

Create a new TXT record:

• Type: TXT
• Name/Host:
  • @ if you’re using the root domain (e.g., example.com), or
  • mail (or your chosen subdomain) if using mail.example.com.
• Value: Use the value Resend provides, which will be similar to:
  v=spf1 include:spf.resend.com ~all
• TTL: 300–3600 seconds.

4.3 If you already have an SPF record

Example existing SPF:

v=spf1 include:_spf.google.com ~all

You’d merge Resend by adding its include before the ~all or -all, e.g.:

v=spf1 include:_spf.google.com include:spf.resend.com ~all

General rules:

• Keep only one v=spf1 line per hostname.
• Aggregate all sending services using multiple include: mechanisms.
• Do not exceed SPF’s 10 DNS lookup limit, especially if you use several email tools.

Save the updated TXT record.

---

Step 5: Add DKIM records for your Resend domain

DKIM is crucial for passing authentication and improving deliverability.

5.1 Identify your DKIM hostnames and values in Resend

In Resend’s domain setup screen, note each DKIM record. For example:

Type: CNAME
Name: s1._domainkey
Value: s1.domainkey.resend.com

You might have 1–3 such records.

5.2 Create DKIM records in DNS

For each DKIM record from Resend:

1. Create a new CNAME (or TXT, if Resend instructs so) record.

2. Enter:

   • Type: CNAME (most common for Resend)
   • Name/Host: exactly as Resend shows, e.g.:
     • s1._domainkey (for root domain)
     • s1._domainkey.mail (if Resend instructs this for a subdomain)
   • Value/Target: e.g. s1.domainkey.resend.com
     (copy/paste from Resend; don’t alter it)
   • TTL: 300–3600 seconds.

3. Save each record.

Tip: Some DNS providers auto‑append the domain. If Resend says s1._domainkey, and your provider shows the full name as s1._domainkey.example.com, that’s expected.

5.3 Wait for propagation and verify in Resend

After you save the records:

1. Wait a few minutes (or up to a couple of hours, depending on your DNS).
2. Return to the Resend dashboard and click Verify or Check DNS next to your domain.
3. Resend will mark DKIM as verified once it detects the correct CNAME/TXT records.

If verification fails:

• Double‑check typos (especially in the host names).
• Ensure you didn’t add an extra domain segment (e.g., s1._domainkey.example.com.example.com).
• Make sure the record type (CNAME vs TXT) is correct as per Resend’s instructions.

---

Step 6: Configure a DMARC policy for your Resend emails

DMARC ties SPF and DKIM together and defines what happens when they fail.

6.1 Check for an existing DMARC record

Look for a TXT record with the name _dmarc.

• If found, you may update its policy; don’t create a second DMARC record.
• If not found, you’ll create one.

6.2 Start with a monitoring‑only DMARC policy

If you’re just getting started, a p=none policy is safest. It monitors failures without blocking emails.

Example:

Type: TXT
Name/Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com; fo=1
TTL: 300–3600

Key tags:

• v=DMARC1 – DMARC version (required).
• p=none – Monitoring only (do not quarantine or reject).
• rua= – Aggregate report address (use a real mailbox or mailbox alias).
• ruf= – Forensic/failure report address (optional; some receivers send fewer of these).
• fo=1 – Request failure reports on any failure.

Replace dmarc@example.com with a real address you monitor or an alias dedicated to DMARC reports.

6.3 Gradually enforce stricter DMARC policies

Once you confirm legitimate traffic passes SPF/DKIM and your DMARC reports look healthy, you can move to enforcement:

1. Quarantine failed messages:

   v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; fo=1
   

2. Reject failed messages outright:

   v=DMARC1; p=reject; rua=mailto:dmarc@example.com; fo=1
   

You can also use pct=50 (or another percentage) to apply the policy to a fraction of traffic while testing.

---

Step 7: Confirm domain status in Resend

After you’ve added SPF, DKIM, and DMARC:

1. Return to the Domains section in the Resend dashboard.
2. Select your domain and check the status indicators:
   • SPF: Verified/Pass
   • DKIM: Verified/Pass
   • DMARC: Detected (if applicable)

If something shows as pending or failed:

• Ensure DNS has had time to propagate (5–60 minutes is typical, though TTL and provider can extend this).
• Re‑check record names and values against what Resend shows.
• Use an external DNS lookup tool (like dig, nslookup, or online DNS checkers) to confirm the records are visible publicly.

---

Step 8: Send a test email and verify authentication

Once your domain shows as verified in Resend:

1. Use Resend (via dashboard or API) to send a test email from your new custom sending domain to:

   • A Gmail account
   • A Microsoft/Outlook account
   • Any other mailbox you control

2. In Gmail, open the message, click the three dots → Show original and verify:

   • SPF: PASS with IP ...
   • DKIM: PASS (signed by yourdomain.com or resend.com)
   • DMARC: PASS

3. In Outlook or other providers, check the message headers for similar authentication results.

If SPF, DKIM, or DMARC fail:

• Double‑check that the “From” domain matches the domain you configured.
• Confirm your SPF and DKIM records align with the exact domain or subdomain you’re using.

---

Best practices when using a custom sending domain in Resend

To maintain strong deliverability and domain reputation after setup:

Use a dedicated subdomain for bulk email

Instead of sending everything from example.com, use:

• mail.example.com
• notifications.example.com
• news.example.com

Then configure SPF, DKIM, and DMARC specifically for that subdomain in Resend. This isolates reputation from your primary corporate email domain.

Warm up your sending domain

If this is a brand‑new sending domain:

• Start with low volume.
• Gradually increase the number of daily emails.
• Send to engaged, opted‑in recipients first.

Sudden spikes from a fresh domain can trigger spam filters.

Keep DNS and sending services in sync

• If you add another email vendor later (e.g., sending marketing via another platform), update your SPF to include it.
• Rotate DKIM keys periodically if recommended by your tools (Resend may handle this automatically through CNAMEs).
• Review DMARC reports regularly to catch unauthorized sending or misconfigurations.

Avoid common misconfigurations

• Multiple SPF records: Merge includes into a single v=spf1 record.
• Incorrect hostnames: Don’t double‑append the domain in DNS.
• Wrong record type: DKIM is usually CNAME for Resend—double check documentation.
• Aggressive DMARC too early: Don’t jump straight to p=reject on day one.

---

Quick recap: Resend SPF, DKIM, DMARC setup checklist

1. Add your domain in Resend: Domains → Add domain.
2. Copy the DNS records Resend provides (SPF, DKIM, optional extras).
3. Set SPF:
   • Create or update a single SPF TXT record.
   • Add include:spf.resend.com to authorize Resend.
4. Set DKIM:
   • Add each Resend DKIM record as a CNAME (or TXT if specified).
   • Wait and verify in Resend.
5. Set DMARC:
   • Add _dmarc TXT with v=DMARC1; p=none; rua=... to start.
   • Later, move to p=quarantine or p=reject once stable.
6. Verify in Resend: Check that SPF and DKIM show as verified.
7. Send test email: Confirm SPF, DKIM, DMARC all pass in message headers.
8. Monitor and optimize: Use DMARC reports and performance metrics to refine.

With this step‑by‑step process, your custom sending domain in Resend will be fully authenticated with SPF, DKIM, and DMARC, giving you stronger inbox placement, better brand control, and a safer, more trustworthy email channel.