Verifying an Email Sending Domain
To send email from you@yourcompany.com, you must prove ownership of yourcompany.com by publishing DNS records. Manage domains at Email → Domains. Add a new one at Email → Domains → New.
Add a domain
- Open Email → Domains → New.
- Enter the apex domain (e.g., yourcompany.com, not mail.yourcompany.com). Sending from subdomains is supported once the apex is verified.
- Choose a region (US East default; EU available for residency).
- Click Add.
The domain detail page (/email/domains/<id>) opens with the records you need to publish.
DNS records you'll publish
| Record | Purpose | Required? |
|---|---|---|
| DKIM (3 CNAMEs) | Cryptographically sign each message so receivers can verify it's from you | Required |
| SPF (TXT) | Authorize Blocx's sending IPs to send for your domain | Required |
| MAIL FROM (MX + TXT) | A send.<yourdomain> subdomain we use as the bounce return path; aligns SPF with the visible From | Required |
| DMARC (TXT) | Tell receivers what to do with mail that fails authentication; enables reporting | Strongly recommended |
| BIMI (TXT, optional) | Display your logo next to mail in supporting clients | Optional, requires a VMC |
Copy the records into your DNS provider exactly as shown on the detail page. Do not edit values or wrap them in quotes that aren't shown.
SPF gotcha
If you already have an SPF record (v=spf1 ...), merge rather than duplicate. Publishing multiple v=spf1 TXT records is itself an SPF failure. The detail page shows a merged value you can paste, or you can add our include: mechanism to your existing record:
v=spf1 include:spf.otterblocx.com include:_spf.google.com -all
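The merge described above, as an added example (not Blocx's own code): it takes TXT answers in the shape Node's dns.promises.resolveTxt() returns, flags duplicate v=spf1 records, and builds one merged record. The function names, status strings and sample records are constructed for illustration.

```javascript
// Added example, not Blocx code. Input has the shape returned by Node's
// dns.promises.resolveTxt(): one array of string chunks per TXT record.
const BLOCX_INCLUDE = 'include:spf.otterblocx.com'; // mechanism shown on this page

// Constructed sample: two SPF records on one name plus an unrelated TXT record.
const SAMPLE_TXT = [
  ['v=spf1 include:_spf.google.com -all'],
  ['v=spf1 include:spf.otterblocx.com -all'],
  ['site-verification=constructed-placeholder'],
];

// Join the chunks of each TXT record and keep only the SPF records.
function spfRecords(txt) {
  return txt
    .map((chunks) => chunks.join('').trim())
    .filter((rec) => /^v=spf1(\s|$)/i.test(rec));
}

function auditSpf(txt) {
  const found = spfRecords(txt);
  // No SPF yet: publish the value from the domain detail page as-is.
  if (found.length === 0) return { status: 'missing', merged: null };

  const seen = new Set();
  const terms = [];
  let allTerm = null;
  let hasBlocx = false;
  for (const rec of found) {
    for (const term of rec.split(/\s+/).slice(1)) { // slice(1) skips "v=spf1"
      const key = term.toLowerCase();
      if (key === BLOCX_INCLUDE) hasBlocx = true;
      else if (/^[+\-~?]?all$/.test(key)) allTerm = allTerm || term;
      else if (!seen.has(key)) { seen.add(key); terms.push(term); }
    }
  }
  if (found.length === 1 && hasBlocx) return { status: 'ok', merged: found[0] };

  // Blocx include first, existing terms next, the first "all" term seen last.
  // No "all" is invented when none existed, so a redirect= modifier still applies.
  const merged = ['v=spf1', BLOCX_INCLUDE, ...terms, allTerm]
    .filter(Boolean).join(' ');
  // More than one v=spf1 record is itself an SPF failure; otherwise the
  // single record only lacks the Blocx include.
  return { status: found.length > 1 ? 'duplicate' : 'needs-include', merged };
}

console.log(auditSpf(SAMPLE_TXT));
```

When the published records carry different all qualifiers, the first one seen is kept, so review the merged value before publishing it.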
Verification
Blocx checks DNS automatically on a regular schedule, and you can also click Re-check now on the domain detail page to force a lookup. When all Required records resolve correctly the domain flips to Verified and you can immediately send from any address on it. Organization owners and admins are emailed when a domain finishes verifying.
Most domains verify within 5–30 minutes. Slow DNS providers (or aggressive caching) can take up to 48 hours.
Status meanings
| Status | Meaning | Next step |
|---|---|---|
| Pending | At least one record not yet detected | Wait, or re-check DNS with dig |
| Verified | All required records present | Start sending |
| Partially verified | DKIM ok but SPF or MAIL FROM missing | Add the remaining records — partial verification means deliverability suffers |
| Failed | A previously-verified record changed or was removed | Click the domain to see which |
Sending after verification
curl -X POST https://api.otterblocx.com/email/send \
  -H "x-access-key-id: $BLOCX_ACCESS_KEY_ID" \
  -H "x-secret-access-key: $BLOCX_SECRET_ACCESS_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "from": "hello@yourcompany.com",
    "to": "user@example.com",
    "subject": "Welcome",
    "html": "<p>Welcome aboard.</p>"
  }'
Or with the SDK:
import { createBlocxClient, Email } from '@otterlabs/blocx'

const { client } = createBlocxClient({
  accessKeyId: process.env.BLOCX_ACCESS_KEY_ID!,
  secretAccessKey: process.env.BLOCX_SECRET_ACCESS_KEY!,
})

await Email.sendEmail({
  client,
  body: {
    from: 'hello@yourcompany.com',
    to: 'user@example.com',
    subject: 'Welcome',
    html: '<p>Welcome aboard.</p>',
  },
})
Tips for deliverability
- Always set up DMARC. Start with p=none; rua=mailto:dmarc@yourcompany.com to get reports without blocking mail. Tighten to quarantine then reject after 30–60 days of clean reports.
- Ramp gradually on new domains. Send a low volume at first. ISPs are wary of sudden volume spikes from unknown domains.
- Match the From to a real mailbox. Unmonitored noreply@ addresses hurt engagement and trip filters.
- Don't reuse domains that were previously abused. Domain reputation is sticky. Use a fresh subdomain (mail.yourcompany.com) if needed.
- Monitor Email → Reports for bounce, complaint, and engagement trends.
Troubleshooting
Use the Re-check now button on the domain detail page to force an immediate DNS lookup. If records still don't resolve:
- Run dig CNAME blocx1._domainkey.yourcompany.com (and similar). The values must match exactly.
- Some DNS providers append the domain to record names automatically. If our shown name is blocx1._domainkey.yourcompany.com and your DNS provider added a .yourcompany.com suffix, you've doubled it.
- Cloudflare proxies CNAMEs by default; turn off the orange cloud for DKIM CNAMEs.