Use a subdomain
Send from a subdomain like mail.yourcompany.com rather than the apex yourcompany.com. This is the same advice you’ll see from Loops, Resend, and Klaviyo — and for the same reasons:
- Reputation isolation. A deliverability problem on marketing mail won’t drag down the corporate inbox.
- DMARC flexibility. You can ship a strict policy on the marketing subdomain without breaking other senders on the apex.
- Cleaner DNS. Fewer record collisions with Google Workspace, Microsoft 365, or whatever else lives on the root.
What you’ll add to DNS
Open Settings → Email domains → Add domain in the dashboard. After you submit a domain, SegmentFlow.ai shows you four blocks of records to copy into your DNS provider:

| Type | Where | What it does |
|---|---|---|
| MX + TXT | send.<your-domain> | SPF — authorizes SES to send mail using a custom MAIL FROM. |
| TXT | <selector>._domainkey.<your-domain> | DKIM — lets recipients verify SegmentFlow.ai signed the message with your key. |
| TXT | _dmarc.<your-domain> | DMARC — tells receivers what to do with mail that fails SPF or DKIM. Optional but strongly recommended. |

p=none is monitor-only — start there. Once you’ve confirmed legitimate mail is passing, ratchet to p=quarantine and eventually p=reject.
Verifying
The domain page polls every 30 seconds and updates each record’s badge as DNS propagates. Statuses you’ll see:
- Pending — record not visible yet from our resolvers.
- Verifying — record found, SES is finishing its verification handshake.
- Verified — done. Once SPF and DKIM both go green, the domain unlocks for sending.
- Failed — record either missing, mismatched, or wrapped in quotes by the registrar (a common Cloudflare/Google Domains gotcha — paste the value without surrounding quotes).
Registrar quirks
A few patterns we’ve seen tickets on, and the fix:
- Cloudflare — set the SPF/DKIM TXT and MX records to DNS only (grey cloud), not proxied. Proxying breaks mail records.
- GoDaddy — for the SPF MX record, paste the priority into the priority field, not into the value. Don’t include the priority number in the hostname.
- Google Domains / Squarespace Domains — strip surrounding quotes from the TXT value before pasting. The UI sometimes adds them back; if verification fails, edit and remove them.
- Wix — only allows DNS records on subdomains in some plans. If you can’t add records on send.<your-domain>, host DNS at a different registrar (point Wix’s NS records there) or upgrade.
- Namecheap — for the DKIM TXT record, leave the .your-domain.com suffix off the host field; Namecheap appends it automatically.
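
The quirks above produce a few recognizable shapes, so a record can be checked before it is pasted or when its badge shows Failed. The linter below is an added example, not SegmentFlow.ai code; the function names, finding codes, hostnames and record values are hypothetical or constructed.

```python
import re

# Added example; hostnames and record values used with it are constructed.
DMARC_POLICIES = {"none", "quarantine", "reject"}

def parse_tags(value):
    """Split a 'k=v; k=v' DKIM or DMARC value into a dict."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def lint_record(rtype, fqdn, value, zone):
    """Check one record as entered; return a list of finding codes."""
    findings = []
    fqdn, zone = fqdn.rstrip(".").lower(), zone.rstrip(".").lower()
    value = value.strip()
    # Host field already held the zone and the registrar appended it again.
    if fqdn.endswith(f".{zone}.{zone}"):
        findings.append("duplicated-zone-suffix")
    if rtype.upper() == "MX":
        # The priority belongs in its own field, not in front of the target.
        if re.match(r"\d+\s+\S", value):
            findings.append("priority-in-mx-value")
        return findings
    if '"' in value:
        # Quote characters pasted into the TXT data itself.
        if re.search(r'"\s+"', value):
            findings.append("value-split-into-multiple-strings")
        else:
            findings.append("literal-quotes-in-value")
        value = re.sub(r'"\s*"|"', "", value)  # keep checking the joined text
    tags = parse_tags(value)
    if fqdn.startswith("_dmarc."):
        if not value.lower().startswith("v=dmarc1"):
            findings.append("dmarc-version-tag-not-first")
        if tags.get("p", "").lower() not in DMARC_POLICIES:
            findings.append("dmarc-policy-missing-or-invalid")
    elif "._domainkey." in fqdn and not tags.get("p"):
        findings.append("dkim-public-key-missing-or-empty")
    return findings

if __name__ == "__main__":
    samples = [  # constructed inputs, one per quirk described above
        ("TXT", "send.mail.example.com", '"v=spf1 include:example.net ~all"'),
        ("MX", "send.mail.example.com", "10 mx-target.example.net"),
        ("TXT", "sel1._domainkey.mail.example.com.example.com", "v=DKIM1; p=MIIBsample"),
        ("TXT", "_dmarc.mail.example.com", "v=DMARC1; p=none"),
    ]
    for rtype, fqdn, value in samples:
        print(rtype, fqdn, lint_record(rtype, fqdn, value, "example.com"))
```

Pass the name as it ends up published (host field plus whatever the registrar appends) and the value exactly as typed into the form; an empty list means none of these patterns was found.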
Sender profiles vs domain
A verified domain authorizes the envelope sender. The From address users see still has to live on that domain (or a verified sub-domain). Configure the visible “From” name and address in Settings → Brand kit → Sender profiles — read it from the API at GET /api/v1/brand-kit.
Troubleshooting
- “Domain already in use” — usually means another organization in your workspace already added it, or you previously started verification under a different account. Check Settings → Email domains across teams; if you can’t find it, contact support so we can release the lock.
- SPF verifies but DKIM stays pending — most often a registrar that wraps the long DKIM value across multiple strings. Re-paste the value as a single string.
- DMARC alignment failures after going to p=quarantine — confirm you’re sending from a From: address on the verified domain, not a different domain that happens to be in your brand kit.
- Recipients still see “via amazonses.com” in Gmail — DKIM hasn’t fully propagated yet, or the From: domain doesn’t match the DKIM-signed domain. Once DKIM is verified end-to-end, the via line goes away.

