
DNS records explained

The five record types

1. MX (Mail Exchanger)

MX @ 10 inbound-smtp.us-east-1.amazonaws.com.

Tells the internet where to deliver mail for your domain. When someone sends to [email protected], their mail server looks up your MX record and connects to that host.

2. _amazonses TXT (domain verification)

TXT _amazonses "abc123..."

Proves to AWS SES that you control the domain. Without this record, SES won’t let us send or receive on your behalf.

3. DKIM CNAMEs

CNAME selector1._domainkey <random>.dkim.amazonses.com.

Three CNAMEs (selector1 is shown above; selector2 and selector3 follow the same pattern) that point to SES-managed DKIM keys. SES signs every outbound message with these keys; recipients’ mail servers verify the signature against the public keys published through your DNS. This is the single biggest deliverability factor - missing DKIM means mail lands in spam.

4. SPF TXT

TXT @ "v=spf1 include:amazonses.com ~all"

Authorizes SES to send mail on behalf of your domain. If you already have an SPF record (e.g. for Mailchimp), merge the include:amazonses.com into it - don’t add a second SPF record. Example merged record:

v=spf1 include:_spf.google.com include:amazonses.com ~all

5. DMARC TXT

TXT _dmarc "v=DMARC1; p=none; rua=mailto:[email protected]"

Instructs recipients what to do with mail that fails SPF or DKIM alignment. p=none is the safest default (report but don’t reject). Once you’re confident everything is signed properly (check the aggregate reports at the rua address for a week or two), upgrade to p=quarantine and eventually p=reject.

Domain-wide vs subdomain

The examples above use @ (the apex). If you’re adding mail.yourdomain.com instead:

  • Use mail instead of @ for MX.
  • Use _amazonses.mail for the verification TXT.
  • Use selector1._domainkey.mail, selector2._domainkey.mail, selector3._domainkey.mail for DKIM.
  • SPF on the subdomain too: v=spf1 include:amazonses.com ~all at mail.
  • DMARC at _dmarc.mail.
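
One way to check a record set against the rules above (apex or subdomain names, a single merged SPF record, all three DKIM CNAMEs, a valid DMARC policy) before publishing it. This is an added example, not code from SES or any registrar; the audit and name_for helpers, the tuple layout and the sample values are assumptions made for the illustration, and the selector1 to selector3 names follow this page's examples.

```python
# Added example: offline lint of a mail DNS record set (not SES or registrar code).
# Records are (type, name, value) tuples as typed into a DNS editor; "@" is the apex.

def name_for(label, host="@"):
    """Record name for the apex ("@") or a subdomain such as "mail"."""
    if host == "@":
        return label or "@"
    return f"{label}.{host}" if label else host

def audit(records, host="@"):
    """Return a list of findings; an empty list means all five record types look right."""
    def values(rtype, label):
        want = name_for(label, host)
        return [v.strip('"') for t, n, v in records if t == rtype and n == want]

    findings = []
    if not values("MX", ""):
        findings.append("no MX record")
    if not values("TXT", "_amazonses"):
        findings.append("no _amazonses verification TXT")
    for i in (1, 2, 3):
        targets = values("CNAME", f"selector{i}._domainkey")
        if not any(t.rstrip(".").endswith(".dkim.amazonses.com") for t in targets):
            findings.append(f"selector{i} DKIM CNAME missing or not pointing at SES")
    spf = [v for v in values("TXT", "") if v.lower().startswith("v=spf1")]
    if len(spf) != 1:  # a second SPF record must be merged, not added
        findings.append(f"expected exactly one SPF record, found {len(spf)}")
    elif "include:amazonses.com" not in spf[0].split():
        findings.append("SPF record does not include amazonses.com")
    dmarc = [v for v in values("TXT", "_dmarc") if v.startswith("v=DMARC1")]
    one = dmarc[0] if len(dmarc) == 1 else ""
    tags = dict(p.strip().split("=", 1) for p in one.split(";") if "=" in p)
    if tags.get("p") not in ("none", "quarantine", "reject"):
        findings.append("missing, duplicate or invalid DMARC policy")
    return findings

# Constructed sample: a subdomain setup where a second SPF record was added
# instead of merged, and the third DKIM CNAME was never created.
SAMPLE = [
    ("MX", "mail", "10 inbound-smtp.us-east-1.amazonaws.com."),
    ("TXT", "_amazonses.mail", '"constructed-token"'),
    ("CNAME", "selector1._domainkey.mail", "aaa.dkim.amazonses.com."),
    ("CNAME", "selector2._domainkey.mail", "bbb.dkim.amazonses.com."),
    ("TXT", "mail", '"v=spf1 include:_spf.google.com ~all"'),
    ("TXT", "mail", '"v=spf1 include:amazonses.com ~all"'),
    ("TXT", "_dmarc.mail", '"v=DMARC1; p=none; rua=mailto:dmarc@example.com"'),
]
if __name__ == "__main__":
    for finding in audit(SAMPLE, host="mail"):
        print("FAIL:", finding)
```
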

Per-registrar tips

  • Cloudflare - disable the proxy (orange cloud) on DKIM/MX records. They must be DNS-only.
  • Namecheap - the apex @ record is entered as blank or @; don’t type the domain name.
  • Google Domains - use the “Custom records” section, not the “Synthetic records” shortcuts.
  • Porkbun - TXT values need to be wrapped in quotes in their DNS editor.