Before you can send email from your own domain (e.g. [email protected]), you need to register the domain with SES and prove you own it by publishing DNS records. This guide walks through every step.
What DNS records are required
| Record type | Purpose |
|---|
| CNAME × 3 | DKIM — proves Wraps/SES is authorised to sign email on your behalf |
| TXT | SPF — tells receiving servers which IPs may send from your domain |
| TXT | DMARC — instructs receivers what to do with unauthenticated mail |
All three record types are required for good deliverability. Skipping DMARC is the single most common reason email lands in spam.
Step-by-step setup
Add the domain to SES
wraps email domains add -d yourapp.com
yourapp.com with AWS SES and generates the DKIM signing keys.Get the DKIM CNAME records
wraps email domains get-dkim -d yourapp.com
abc123._domainkey.yourapp.com → abc123.dkim.amazonses.com
def456._domainkey.yourapp.com → def456.dkim.amazonses.com
ghi789._domainkey.yourapp.com → ghi789.dkim.amazonses.com
Add SPF and DMARC records
Add the following TXT records at your DNS provider.SPF — add at yourapp.com (or merge into an existing SPF record):v=spf1 include:amazonses.com ~all
_dmarc.yourapp.com:Start with p=none to collect reports without blocking mail, then tighten to p=quarantine or p=reject once you’ve confirmed all legitimate senders are covered.
Wait for DNS propagation
DNS changes typically propagate within 5–30 minutes. In rare cases (especially with long TTLs) it can take up to 48 hours.You can monitor progress without waiting:wraps email domains verify -d yourapp.com
Verify the domain is active
Once DNS has propagated, the verify command shows a success message:✓ DKIM 3/3 CNAME records verified
✓ SPF v=spf1 include:amazonses.com ~all
✓ DMARC v=DMARC1; p=none; rua=mailto:[email protected]
yourapp.com. Managing domains
List all domains
Shows every domain registered in SES along with its verification status.
Remove a domain
wraps email domains remove -d yourapp.com
-f / --force to skip the confirmation prompt.
Removing a domain from SES immediately stops all email sending from that domain. This action cannot be undone.
Common DNS record examples
SPF
If you already have an SPF record, add include:amazonses.com to it rather than creating a second TXT record (a domain can only have one SPF record):
# Before
v=spf1 include:_spf.google.com ~all
# After
v=spf1 include:_spf.google.com include:amazonses.com ~all
DMARC
# Monitoring only (safe to start here)
v=DMARC1; p=none; rua=mailto:[email protected]
# Quarantine (move failing mail to spam)
v=DMARC1; p=quarantine; rua=mailto:[email protected]
# Reject (block failing mail entirely)
v=DMARC1; p=reject; rua=mailto:[email protected]
Run a deliverability audit
After your domain is verified, run a full deliverability audit to catch any configuration issues:
wraps email check yourapp.com
