
DKIM and MAIL FROM

Three things need to be true for your mail to land in inboxes:

  1. DKIM — cryptographic signature that proves SushiSend is allowed to send for your domain.
  2. SPF — lists the IP ranges allowed to send on behalf of your MAIL FROM subdomain.
  3. MAIL FROM alignment — the envelope-from domain shares an organizational domain with the visible From domain.

SushiSend wires all three automatically. Here’s what each record does.

DKIM (three CNAMEs)

<selector-1>._domainkey.yourdomain.com CNAME <selector-1>.dkim.amazonses.com
<selector-2>._domainkey.yourdomain.com CNAME <selector-2>.dkim.amazonses.com
<selector-3>._domainkey.yourdomain.com CNAME <selector-3>.dkim.amazonses.com

Once all three resolve, DKIM verification flips to verified and every outbound message gets a DKIM-Signature: header automatically.

MAIL FROM subdomain

mail.yourdomain.com MX 10 feedback-smtp.us-east-1.amazonses.com
mail.yourdomain.com TXT "v=spf1 include:amazonses.com ~all"

Using a custom MAIL FROM (mail.yourdomain.com instead of the default shared subdomain) keeps bounce handling and SPF alignment clean, which materially improves deliverability.

DMARC (you add this)

SushiSend doesn’t publish a DMARC record for you because the policy is your decision. A safe starting value:

_dmarc.yourdomain.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; fo=1"

Move from p=none to p=quarantine to p=reject as your reports confirm everything is signed. See the Deliverability section for recommended rollout pacing.