Appearance
Domains & verification
Every email you send must come from a domain you've verified with SendGrail. Verification proves you control the domain and lets SendGrail DKIM-sign your mail so receiving servers trust it.
You set up domains in the dashboard; once verified, they're usable from the send API immediately.
Apex or subdomain?
You can verify an apex domain (example.com) or a subdomain (mail.example.com). A subdomain is recommended:
- It isolates your sending reputation. If transactional mail has a bad week, your apex domain — and any other mail on it — is unaffected.
- It keeps DNS records tidy and separate from records you already run on the apex.
A common choice is mail. or notifications. in front of your real domain.
Add a domain
- In the dashboard, go to Domains → Add domain.
- Enter the domain name.
- Choose an AWS region — pick the one closest to your recipients. This affects send latency and cannot be changed later; to move regions, add the domain again in the new region and delete the old one.
- Click Add domain.
Under Advanced options you can also set a custom Return-Path subdomain (default send) and a tracking subdomain up front — both are optional and can be configured later from the domain's Configuration tab.
| Region | Code |
|---|---|
| North Virginia | us-east-1 |
| Ireland | eu-west-1 |
| São Paulo | sa-east-1 |
| Tokyo | ap-northeast-1 |
Publish the DNS records
After adding the domain, the Records tab on its detail page lists the DNS records to publish. Add them at your DNS provider (Cloudflare, Route 53, your registrar, etc.).
| Records | Type | Purpose |
|---|---|---|
| DKIM (×3) | CNAME | Cryptographically sign every message so receivers can verify it genuinely came from your domain. |
| MAIL FROM | MX | Route bounces and complaints back to AWS so delivery events reach you. Priority 10. |
| SPF | TXT | Authorize AWS SES to send for your domain. |
| DMARC | TXT | Optional, but recommended. Tells receivers how to handle mail that fails authentication (v=DMARC1; p=none; to start — monitor before enforcing). |
Each row gives you a Name (the host field) and a Value (the content field). Use the copy buttons — a single mistyped character fails verification. DKIM, SPF and MAIL FROM are required to verify; DMARC is optional and not checked by verification.
Cloudflare users
Set the three DKIM CNAME records to DNS only (grey cloud, not the orange proxy). Proxied CNAMEs to AWS hostnames won't resolve correctly for verification.
One SPF record per host
DNS allows only one TXT SPF record per hostname. If the MAIL FROM subdomain already has an SPF record, merge the entries instead of adding a second.
Verify
With the records published, click I've added the records on the domain's detail page. SendGrail asks AWS for the current DKIM and MAIL FROM status and shows the result:
| Status | Meaning | What to do |
|---|---|---|
| Verified | Both DKIM and MAIL FROM passed. | You can send from this domain now. |
| Pending | DNS hasn't propagated, or AWS hasn't picked it up yet. | Wait a few minutes, then Recheck from the domain's menu. |
| Failed | A record is missing or incorrect. | Re-check each value against the dashboard, fix it, and recheck. |
Propagation usually takes a few minutes, sometimes up to an hour. A low TTL isn't required — "Auto" is fine.
You don't have to keep clicking: SendGrail also re-checks pending domains automatically once a day and flips them to verified as soon as AWS confirms the records — so a domain whose DNS propagates overnight verifies itself. AWS stops trying after about 7 days, at which point a still-pending domain is marked failed.
Domain states
A domain is always in one of three states:
pending— added, not yet verified. Sends from it are rejected.verified— ready to send.failed— verification didn't pass. Fix DNS and re-verify.
A send from an unverified domain fails with a 422 — see Errors.
Configuration tab
The domain's Configuration tab holds everything that isn't a DNS record: the Return-Path subdomain, region, verification timestamps, the tracking setup, and a Danger zone with the delete action.
Delete a domain
Deleting is irreversible, so it asks you to type the domain name to confirm (⌘↵ / Ctrl↵ to confirm, Esc to cancel). You can delete from:
- the row menu on the domains list,
- the Danger zone on the Configuration tab, or
- multi-select — tick several domains and use the Delete action in the bar that appears, typing the count (e.g.
3 domains) to confirm.
Deleting removes the domain from SendGrail — you can't send from it again until you re-add and re-verify it — and does not touch your DNS records. Leave them if you plan to re-add the domain later, or remove them at your DNS provider.
Next steps
- API keys — create the token your app sends with.
- Open & click tracking — optional per-domain engagement tracking, served from a branded subdomain.