DMARCdrift
DMARCdrift
Vendor setup

Configure Resend for DMARC alignment

Configure DKIM and SPF for Resend by verifying a custom domain, so your transactional emails pass DMARC alignment and appear correctly in reports.

Resend passes DMARC through DKIM. When you add a custom domain in Resend, it generates DKIM keys and provides the DNS records you need to publish. Resend also provides a Return-Path record for SPF alignment.

Add and verify a domain in Resend

  1. Go to Resend > Domains and click Add Domain.
  2. Enter your sending domain (for example, yourdomain.com or a subdomain like mail.yourdomain.com).
  3. Resend provides three DNS records to publish:
    • Two DKIM TXT records at resend._domainkey.yourdomain.com and a rotation selector
    • One Return-Path MX or CNAME record for bounce handling

Publish all three records in your DNS provider. Return to the Domains panel in Resend and click Verify. Resend checks all records and marks the domain verified when they resolve correctly.

DKIM records

The DKIM records Resend provides look like:

resend._domainkey.yourdomain.com  TXT  "v=DKIM1; k=rsa; p=MIGf..."

Resend uses the selector resend. After publishing and verifying, outbound mail will be signed with your domain's keys and d=yourdomain.com in the DKIM signature.

Return-Path and SPF alignment

Resend provides a Return-Path CNAME to align the envelope sender with your domain:

bounces.yourdomain.com  CNAME  feedback-smtp.us-east-1.amazonses.com

The exact CNAME target varies by region (Resend runs on Amazon SES infrastructure). Check the Resend dashboard for your exact record. Set the Return-Path domain in Resend to bounces.yourdomain.com.

With this configured, the envelope sender domain (bounces.yourdomain.com) shares the organizational domain with yourdomain.com, passing SPF alignment under relaxed mode.

Subdomains for transactional email

If you configure Resend on a subdomain (like mail.yourdomain.com), DKIM alignment still passes because relaxed mode matches organizational domains: yourdomain.com is the organizational domain for both mail.yourdomain.com and yourdomain.com. If your DMARC record uses strict DKIM alignment (adkim=s), you'd need the DKIM d= to match exactly — for a subdomain setup, configure your From address to use the subdomain as well.

What to expect in DMARCdrift

With DKIM configured and verified, Resend traffic appears as:

  • Source: Amazon SES IP ranges (Resend runs on SES infrastructure)
  • DKIM result: pass, d=yourdomain.com with selector resend
  • SPF result: pass if you configured the Return-Path CNAME
  • DMARC result: pass

Amazon SES IPs are shared across many senders. You may see other senders grouped under the same IP blocks in your reports. DMARCdrift attributes traffic to sources based on DKIM signing domain and sending IP, so your verified Resend mail will be identifiable by its DKIM d= value.


Next: SendGrid setup: DKIM and SPF for SendGrid.

See also: DKIM alignment: how DKIM signing passes DMARC. Relaxed vs strict alignment: when subdomain DKIM signing affects alignment.

Ask AI about this page:ClaudeChatGPT