Skip to main content

Documentation Index

Fetch the complete documentation index at: https://segmentflow.ai/docs/llms.txt

Use this file to discover all available pages before exploring further.

Before you can send a broadcast or trigger a journey that sends email, you need to verify a sending domain. SegmentFlow.ai sends through Amazon SES on a BYODKIM configuration — you publish a few DNS records, SegmentFlow.ai polls until they verify, and then sends are unlocked. This setup happens once per domain, in the dashboard. The API has no endpoint to create or verify domains.

Use a subdomain

Send from a subdomain like mail.yourcompany.com rather than the apex yourcompany.com. This is the same advice you’ll see from Loops, Resend, and Klaviyo — and for the same reasons:
  • Reputation isolation. A deliverability problem on marketing mail won’t drag down the corporate inbox.
  • DMARC flexibility. You can ship a strict policy on the marketing subdomain without breaking other senders on the apex.
  • Cleaner DNS. Fewer record collisions with Google Workspace, Microsoft 365, or whatever else lives on the root.

What you’ll add to DNS

Open Settings → Email domains → Add domain in the dashboard. After you submit a domain, SegmentFlow.ai shows you four blocks of records to copy into your DNS provider:
TypeWhereWhat it does
MX + TXTsend.<your-domain>SPF — authorizes SES to send mail using a custom MAIL FROM.
TXT<selector>._domainkey.<your-domain>DKIM — lets recipients verify SegmentFlow.ai signed the message with your key.
TXT_dmarc.<your-domain>DMARC — tells receivers what to do with mail that fails SPF or DKIM. Optional but strongly recommended.
DKIM is bring-your-own-key — SegmentFlow.ai generates the keypair, hands you the public DKIM record, and keeps the private key in SES. You only ever paste a single TXT record. The default DMARC record SegmentFlow.ai suggests is: 
v=DMARC1; p=none; rua=mailto:dmarc@<your-domain>
p=none is monitor-only — start there. Once you’ve confirmed legitimate mail is passing, ratchet to p=quarantine and eventually p=reject.

Verifying

The domain page polls every 30 seconds and updates each record’s badge as DNS propagates. Statuses you’ll see:
  • Pending — record not visible yet from our resolvers.
  • Verifying — record found, SES is finishing its verification handshake.
  • Verified — done. Once SPF and DKIM both go green, the domain unlocks for sending.
  • Failed — record either missing, mismatched, or wrapped in quotes by the registrar (a common Cloudflare/Google Domains gotcha — paste the value without surrounding quotes).
DNS propagation usually takes a few minutes but can take up to an hour. Don’t delete and re-add the domain if it’s slow — just wait.

Registrar quirks

A few patterns we’ve seen tickets on, and the fix:
  • Cloudflare — set the SPF/DKIM TXT and MX records to DNS only (grey cloud), not proxied. Proxying breaks mail records.
  • GoDaddy — for the SPF MX record, paste the priority into the priority field, not into the value. Don’t include the priority number in the hostname.
  • Google Domains / Squarespace Domains — strip surrounding quotes from the TXT value before pasting. The UI sometimes adds them back; if verification fails, edit and remove them.
  • Wix — only allows DNS records on subdomains in some plans. If you can’t add records on send.<your-domain>, host DNS at a different registrar (point Wix’s NS records there) or upgrade.
  • Namecheap — for the DKIM TXT record, leave the .your-domain.com suffix off the host field; Namecheap appends it automatically.

Sender profiles vs domain

A verified domain authorizes the envelope sender. The From address users see still has to live on that domain (or a verified sub-domain). Configure the visible “From” name and address in Settings → Brand kit → Sender profiles — read it from the API at GET /api/v1/public/brand-kit.

Troubleshooting

  • “Domain already in use” — usually means another organization in your workspace already added it, or you previously started verification under a different account. Check Settings → Email domains across teams; if you can’t find it, contact support so we can release the lock.
  • SPF verifies but DKIM stays pending — most often a registrar that wraps the long DKIM value across multiple strings. Re-paste the value as a single string.
  • DMARC alignment failures after going to p=quarantine — confirm you’re sending from a From: address on the verified domain, not a different domain that happens to be in your brand kit.
  • Recipients still see “via amazonses.com” in Gmail — DKIM hasn’t fully propagated yet, or the From: domain doesn’t match the DKIM-signed domain. Once DKIM is verified end-to-end, the via line goes away.

Next

Once your domain is Verified, you can trigger a journey or fire a broadcast. Ahead of any large send, do a broadcast prepare first to dry-run the audience.