How to Set Up DKIM and DMARC for Resend
To authenticate email from Resend, add three DNS records: a DKIM CNAME from your Resend dashboard, an SPF TXT record including amazonses.com, and a DMARC TXT record at _dmarc.yourdomain.com. Resend's domain verification flow handles DKIM automatically once you add the CNAME; SPF and DMARC require manual entries. If you're configuring email from scratch, our email setup guide for new SaaS frames where each of these pieces fits.
Domain verification in Resend
Log into your Resend dashboard and go to Domains. Add a new domain and enter the one you'll send from (e.g., mail.myapp.com or your main domain myapp.com). Resend will show you three DNS records to add:
- One
CNAMEfor DKIM signing - Two MX records (if you want Resend to handle inbound)
You only need the CNAME to send email. The MX records are optional; add them only if you want Resend to manage your incoming mail for this domain.
Copy the DKIM CNAME exactly and add it to your DNS provider (Route53, Cloudflare, Namecheap, etc.). The record name will look like default._domainkey.mail.myapp.com and point to default.resend.com. If you want to understand what this record actually does, see our explainer on what DKIM is. Wait for DNS propagation (usually <5 minutes), then click Verify in Resend. The dashboard will check the record and confirm DKIM is live.
Add your SPF record
Resend uses Amazon SES infrastructure, so your SPF record includes amazonses.com. Add this to your domain's DNS:
v=spf1 include:amazonses.com ~all
If you have other mail services on the same domain (e.g., transactional from Resend, team email from Google Workspace), combine them:
v=spf1 include:amazonses.com include:_spf.google.com ~all
The ~all at the end is a soft fail: messages fail SPF but still deliver. Once you're confident all authorized senders are listed, change it to -all (hard fail).
Wait 5–15 minutes for the record to propagate. Use the SPF Record Checker to verify it's live and parseable.
Create a DMARC record
DMARC is the policy layer on top of SPF and DKIM. You don't have to set a policy to benefit from reports. Start with p=none to monitor alignment without rejecting anything.
Add a TXT record at _dmarc.mail.myapp.com (or _dmarc.myapp.com if you're not using a subdomain). Use the DMARC Record Generator if you want to build the record interactively:
v=DMARC1; p=none; rua=mailto:reports@yourdomain.com
The three parts:
v=DMARC1: DMARC version (always this)p=none: monitor only; don't reject failing messagesrua=mailto:: where to send aggregate reports (optional, but see the next section)
If you're not ready to set up report collection yet, use:
v=DMARC1; p=none
Verify the record with the DMARC Record Checker.
Point reports to DMARCdrift
To get a digest email of your alignment and spoofing signals, change your rua= address:
v=DMARC1; p=none; rua=mailto:d-[your-domain-id]@in.dmarcdrift.com
You'll find your domain ID in your DMARCdrift dashboard under Domain Settings. Once the record is live, aggregate reports from mailbox providers (Gmail, Yahoo, etc.) will route to dmarcdrift. The first batch of reports arrives within 24–48 hours; timing depends on when providers generate and send them.
Verify alignment
After SPF and DKIM are live, send a test email to yourself and check the headers. Open the email in a mail client that shows raw headers (Gmail: More actions → View message source).
Look for the Authentication-Results header. You should see:
Authentication-Results: mx.google.com;
dmarc=pass (p=NONE sp=NONE dis=NONE) ...
dkim=pass ...
spf=pass ...
If you see dmarc=fail, check:
- Does the
From:domain match your DMARC domain? (If you're sending fromnoreply@mail.myapp.com, your DMARC record must be at_dmarc.mail.myapp.com.) - Is SPF passing? Check that the sending IP is listed in your SPF record (it will be if you've added
include:amazonses.com). - Is DKIM signing? Resend adds a
DKIM-Signatureheader. If it's missing, the CNAME record might not have propagated yet.
Use the Email Header Analyzer to decode the full header and spot any misalignment.
Next steps
Once your domain passes authentication, change your DMARC policy to p=quarantine or p=reject when you're confident no legitimate mail is failing. But start with p=none and monitor reports first. That's what most developers do, and what DMARCdrift is built for.
Once your DMARC record is live, aggregate reports will start arriving within 24–48 hours. DMARCdrift turns the XML into a readable digest, free for one domain.
