Domain Verification
How email authentication works and what you need to set up.
Overview
Before sending emails from your domain, you need to verify ownership by adding a DKIM DNS record. This is the only DNS change required — we handle SPF on our infrastructure automatically.
One DNS record. Unlike other providers that require multiple records, eml.dev only needs a single DKIM TXT record on your domain.
DKIM Authentication
DKIM (DomainKeys Identified Mail) cryptographically signs every email so receiving servers can verify it genuinely came from your domain. When you add a domain in eml.dev, we generate a unique 2048-bit RSA key pair for you.
Setup
- 1 Add your domain in the Domains section of your dashboard.
- 2 Copy the TXT record shown (host and value) and add it to your DNS provider.
- 3 Click Verify once DNS has propagated (can take up to 48 hours).
Example DNS Record
Host: eml._domainkey Type: TXT Value: v=DKIM1; k=rsa; p=MIIBIjANBgkq...
Field names vary by provider. "Host" may appear as "Name", "Subdomain", or "Record name" depending on your DNS provider. Enter only eml._domainkey, not the full domain.
SPF — Handled For You
SPF (Sender Policy Framework) authorizes which servers can send email. Unlike other email providers, you do not need to add an SPF record to your domain.
Here's why: SPF is checked against the envelope sender (Return-Path), not the From address your recipients see.
Since we use our own domain (bounces.eml.dev) for the envelope sender, our SPF record covers it automatically.
bounce-...@bounces.eml.dev — SPF checked here (our domain)
you@yourdomain.com — what recipients see (your domain)
DMARC Alignment
DMARC requires that either SPF or DKIM aligns with the From domain. Since the envelope sender is on our domain, SPF cannot align with your From address. That's expected and standard for email service providers.
Instead, DMARC passes via DKIM alignment: we sign every email with your domain's DKIM key, which matches your From address. This is the same approach used by Postmark, SendGrid, and other major providers.
| Check | Result | Aligns? |
|---|---|---|
| SPF | Pass (on bounces.eml.dev) | No (different domain) |
| DKIM | Pass (on your domain) | Yes |
| DMARC | Pass (via DKIM alignment) | |
Custom Return-Path Optional
By default, DMARC passes via DKIM alignment alone — no extra setup needed. For additional redundancy, you can configure a custom return-path so that SPF also aligns with your From domain.
This works by adding a CNAME record that points a subdomain on your domain to our bounce server. When configured, the envelope sender uses your subdomain instead of bounces.eml.dev, giving you SPF alignment under DMARC's relaxed mode.
Setup
- 1 Add a CNAME record at your DNS provider with the values shown on your domain's detail page.
- 2 Wait for DNS propagation (can take up to 48 hours).
- 3 Click Verify on your domain's detail page.
Example DNS Record
Host: eml-bounces Type: CNAME Value: bounces.eml.dev
How It Works
Once verified, emails sent from your domain will use eml-bounces.yourdomain.com as the envelope sender instead of bounces.eml.dev.
Because eml-bounces.yourdomain.com is a subdomain of your From domain, SPF now aligns under DMARC relaxed mode.
| Check | Result | Aligns? |
|---|---|---|
| SPF | Pass (on eml-bounces.yourdomain.com) | Yes (relaxed) |
| DKIM | Pass (on your domain) | Yes |
| DMARC | Pass (via both DKIM + SPF alignment) | |
Not required. DKIM alignment alone is sufficient for DMARC to pass. The custom return-path adds redundancy — if DKIM ever fails to verify, SPF alignment acts as a fallback.