# Introduction

Proper domain configuration is the foundation of email deliverability. When you authenticate your domain, you prove to inbox providers that emails from your domain are legitimate. This improves inbox placement and protects your brand from spoofing.

## Why Configure a Sending Domain?

Email providers like Gmail, Outlook, and Yahoo use authentication records to determine whether to trust your emails. Without proper configuration:

- Emails may land in spam or be rejected entirely
- Your domain becomes vulnerable to spoofing attacks
- Inbox providers have no way to verify you're a legitimate sender

Configuring your domain establishes your identity and builds trust with receiving servers.

## Authentication Records

Lettermint uses three DNS records to authenticate your emails:

<CardGroup cols={3}>
  <Card title="DKIM" icon="signature">
    Adds cryptographic signatures to verify email authenticity and detect tampering.
  </Card>
  <Card title="DMARC" icon="shield-check">
    Defines policy for handling authentication failures and enables reporting.
  </Card>
  <Card title="Return-Path" icon="reply" href="./spf">
    CNAME record used as the envelope sender, enabling SPF alignment.
  </Card>
</CardGroup>

:::info
SPF is handled automatically via the Return-Path CNAME. You don't need to configure a separate SPF record.
:::

## Quick Setup Overview

Setting up your domain takes just a few minutes:

1. **Add your domain** in the [Lettermint dashboard](https://dash.lettermint.co/domains?action=add_domain)
2. **Configure DNS records** with your DNS provider (Return-Path, DKIM, DMARC)
3. **Verify** in the dashboard. Lettermint checks your records automatically

Need step-by-step DNS instructions? See our [DNS provider guides](#dns-provider-guides) below.

## Subdomain vs Root Domain

We recommend using a subdomain like `mail.acme.com` instead of your root domain `acme.com` for sending transactional email:

- **Isolation**: Protects your main domain's reputation if deliverability issues occur
- **Flexibility**: Allows different sending configurations for different purposes
- **Best practice**: Separates transactional email from marketing or corporate mail

## Troubleshooting

**Verification taking too long?** DNS propagation typically happens within minutes but can take up to 48 hours. Check propagation with:

```bash
dig CNAME lm-bounces.yourdomain.com
dig TXT lettermint._domainkey.yourdomain.com
dig TXT _dmarc.yourdomain.com
```

**Common issues:**

- **Duplicate domain in hostname**: Some DNS providers auto-append your domain. If you see `lm-bounces.acme.com.acme.com`, add a trailing dot (`.`) after the hostname.
- **Cloudflare proxy enabled**: Set CNAME proxy status to "DNS only" instead of "Proxied".
- **Missing quotes**: Ensure TXT record values are properly quoted.
- **Incorrect values**: Double-check record values match exactly what's shown in your dashboard.

## DNS Provider Guides

<CardGroup cols={2}>
  <Card title="Cloudflare" icon="cloud" href="https://lettermint.co/knowledge-base/guides/add-dns-records-cloudflare">
    Add DNS records in Cloudflare
  </Card>
  <Card title="TransIP" icon="server" href="https://lettermint.co/knowledge-base/guides/add-dns-records-transip">
    Add DNS records in TransIP
  </Card>
  <Card title="Domain Chief" icon="globe" href="https://lettermint.co/knowledge-base/guides/add-dns-records-domain-chief">
    Add DNS records in Domain Chief
  </Card>
  <Card title="AWS Route 53" icon="aws" href="https://lettermint.co/knowledge-base/guides/add-dns-records-aws-route-53">
    Add DNS records in AWS Route 53
  </Card>
</CardGroup>

## Next Steps

<CardGroup cols={2}>
  <Card title="Return-Path & SPF" icon="reply" href="./spf">
    Learn how the Return-Path record enables SPF alignment.
  </Card>
  <Card title="Domain Access Control" icon="lock" href="./project-limits">
    Restrict domain usage to specific projects.
  </Card>
</CardGroup>