> ## Documentation Index
> Fetch the complete documentation index at: https://docs.senderz.app/llms.txt
> Use this file to discover all available pages before exploring further.

# Domains & authentication

> SPF, DKIM, DMARC and tracking records, KMS-held signing keys, and hands-off DNS auto-configuration.

To send marketing email, you verify a domain you own. Senderz then signs every message with a DKIM key that lives in AWS KMS and never leaves it.

## Adding a domain

<Steps>
  <Step title="Add">
    **Domains → Add domain**. Enter the domain you send from — typically a
    subdomain like `mail.yourstore.com`.
  </Step>

  <Step title="Publish records">
    Senderz shows the records to add, grouped: authentication (SPF, DKIM),
    return-path, DMARC, and tracking (the `track.` CNAME).
  </Step>

  <Step title="Verify (automatic)">
    A background job checks DNS every minute. Once records resolve, the domain
    flips to **Verified** — no manual Verify click needed. The Verify button
    is a check-now convenience.
  </Step>
</Steps>

## The records

<CardGroup cols={2}>
  <Card title="SPF" icon="shield">
    Authorises Senderz's infrastructure to send for your domain.
  </Card>

  <Card title="DKIM" icon="key">
    A CNAME/TXT so receivers can verify the signature. The private key is in
    KMS.
  </Card>

  <Card title="DMARC" icon="clipboard-check">
    Your policy and aggregate reporting address.
  </Card>

  <Card title="Tracking" icon="chart-line">
    A `track.` CNAME for open/click tracking on your own domain.
  </Card>
</CardGroup>

## DKIM lives in KMS

<Info>
  Your DKIM private key is generated in AWS KMS and never leaves it. Signing
  happens by calling KMS at the send worker — the application never holds the
  raw key. This is your domain's reputation, protected at the infrastructure
  level.
</Info>

## DNS auto-configuration

If your DNS provider supports Domain Connect (including Cloudflare, Route 53 and others), Senderz can write the records for you. Click **Auto-configure**, approve in your DNS provider, and the records land in your account.

<Note>
  When auto-config isn't available for your provider, Senderz degrades
  gracefully to showing the manual records to copy.
</Note>

## Verification stays fresh

The background sweep also re-checks already-verified domains. If a domain later loses its DNS records, it's **demoted** — which immediately blocks sending, because every send path gates on verified status. Demotion is fail-safe: a transient DNS blip won't false-demote. A verified→unverified transition alerts the workspace owner once; recovery alerts once more.

## Removing a domain

Deleting a domain (owner/admin) is audit-logged. Removing your **last** domain schedules the per-tenant KMS DKIM key for deletion (a pending window) — best-effort and idempotent, and re-adding a domain recreates the key.

## Sending identity per domain

Under each verified domain you manage the **sender addresses** (local parts) and a workspace-wide list of **sender names**. A verified domain authorises every local part on it — no per-address approval — because DKIM signs at the domain level. See [Email](/en/channels/email).
