Sending

Sending domains

Register a domain, attach it to one or more email providers, and publish the DNS records each provider gives you. Nudgel polls for verification automatically.

Overview

A sending domain is a domain you own that your email providers use to sign outgoing mail with DKIM. Before a provider can sign mail on your behalf it needs to verify you control the domain. It does that by asking you to publish a DNS record containing a public key that only you could have generated — this is the provider's DKIM record.

Because Nudgel uses a bring-your-own-provider (BYO) model, each connected provider does its own DKIM signing with its own keypair. That means each provider gives you different DNS records to publish. Nudgel handles the registration calls to each provider and surfaces the records in one place — you just copy and paste them into your DNS host.

Using a subdomain like mail.example.co.keinstead of your root domain is recommended: a spike in bounces or spam complaints on email does not affect your root domain's search or web reputation.

The 2-step flow

Add the domain. Go to Settings → Sending Domains → Add sending domain and enter the domain (e.g. mail.example.co.ke).
Pick providers.Select which providers to attach — Postmark, SES, SendGrid, Mailgun, Brevo, Mailjet. Nudgel calls each provider's domain registration API on your behalf.
Publish DNS records. Each provider returns its own DKIM records. The domain detail page lists them all, grouped by provider. Copy each record into your DNS host (Cloudflare, Route 53, GoDaddy, etc.).
Wait for verification.Nudgel polls each provider's verification API every 30 seconds for the first 10 minutes, then hourly after that. The status pill in the dashboard updates automatically — no manual step needed.

DNS PROPAGATION

DNS changes can take anywhere from 5 minutes (Cloudflare) to 48 hours (some registrars). Most records propagate within 30 minutes. If your DNS has already propagated and you do not want to wait for the next poll, click Recheck on the domain detail page to force-verify immediately.

Per-provider DKIM records

Each provider returns different record types and a different number of records. Here is what to expect for each:

Provider	Record types	Count
Postmark	TXT (DKIM) + CNAME (Return-Path)	2
AWS SES	CNAME × 3 (DKIM)	3
SendGrid	CNAME × 3 (DKIM + tracking)	3
Mailgun	TXT (DKIM) + TXT (SPF) + CNAME (tracking)	3
Brevo	TXT × 2 (DKIM)	2
Mailjet	TXT (DKIM) + TXT (SPF)	2

The domain detail page shows the exact name and value for each record. Example for a Postmark attachment on mail.example.co.ke:

Type	Name	Value
`TXT`	`pm._domainkey.mail.example.co.ke`	`k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUA...`
`CNAME`	`pm-bounces.mail.example.co.ke`	`pm.mtasv.net`

SPF

SPF tells receiving servers which IP addresses are authorized to send mail from your domain. You must add each provider's include: mechanism to your SPF record. Merge all providers into a single TXT record — SPF allows only one v=spf1 record per name.

textExample — SES + Mailgun + Brevo

v=spf1 include:amazonses.com include:mailgun.org include:_spf.brevo.com ~all

Provider-specific SPF includes:

Provider	Include
AWS SES	`include:amazonses.com`
SendGrid	`include:sendgrid.net`
Mailgun (US)	`include:mailgun.org`
Mailgun (EU)	`include:eu.mailgun.org`
Brevo	`include:_spf.brevo.com`
Mailjet	`include:spf.mailjet.com`
Postmark	`include:spf.mtasv.net`

SPF 10-LOOKUP LIMIT

SPF allows a maximum of 10 DNS lookups per evaluation. Each include: costs one lookup. If you attach many providers, you may hit the cap. To fix it, flatten your record (replace nested includes with literal IP ranges) or route sends for lower-priority providers through a separate subdomain with its own SPF record.

DMARC

DMARC ties DKIM and SPF together and tells receiving servers what to do when both checks fail. Nudgel generates the DMARC TXT record for you. Two modes:

Managed (default) — Nudgel receives DMARC aggregate reports on your behalf. Aggregate data surfaces in your dashboard under Sending Domains.
Self-managed — you supply your own rua address. You receive the raw XML report emails directly and handle them yourself.

The record Nudgel generates in managed mode looks like this (published at _dmarc.mail.example.co.ke):

textManaged DMARC record

v=DMARC1; p=none; rua=mailto:dmarc@nudgel.ai; adkim=r; aspf=r

textSelf-managed DMARC record

v=DMARC1; p=none; rua=mailto:dmarc@mail.example.co.ke; adkim=r; aspf=r

The default policy is p=none (monitor only — no action taken on failures). Once you have confirmed your providers are all passing DKIM and SPF, tighten the policy:

p=quarantine — failing messages go to spam
p=reject — failing messages are blocked outright

Google and Yahoo require DMARC for senders exceeding 5,000 messages per day. Start at p=none, validate in DMARC reports, then graduate to p=reject. See DMARC concepts for a deeper walk-through.

Adding more providers later

You do not need to re-register the domain. From the domain detail page, click Attach to another provider. Nudgel calls that provider's registration API, returns the new records, and starts polling for verification. Existing provider verifications are not affected.

Detaching a provider

Detaching removes the verification row from Nudgel's dashboard and stops polling. It does not currently delete the domain registration at the provider's side — provider-side cleanup is deferred to a background job. If you need the provider domain removed immediately, do it manually in the provider's dashboard.

Manual recheck

If DNS has propagated faster than our polling interval, click Recheckon the provider row of the domain detail page. Nudgel calls the provider's verification API immediately and updates the status.

Troubleshooting

Symptom	Most likely cause
Provider stuck at Pending for >1 hour	DNS has not propagated yet. Use MXToolbox to check from multiple resolvers, then click Recheck.
CNAME record copied with a trailing dot	Some DNS hosts require the trailing dot on CNAME values; others do not. If verification fails, try adding or removing the trailing dot from the value.
TXT record value wrapped in extra quotes	Some DNS UIs wrap the value in `"`automatically. If your DNS host double-quotes the value, the record will fail. Check the raw zone file or switch to the DNS provider's API.
DKIM key too long (TXT record rejected)	DKIM public keys longer than 255 characters must be split into multiple quoted strings within the TXT record. Most DNS hosts handle this transparently; if yours does not, consult its documentation for multi-string TXT records.
Mailgun verification fails despite records being published	Make sure you selected the correct Mailgun region (US vs EU) when attaching the provider. The DKIM record names differ between regions.
SES domain verified but sends are restricted	Your SES account is still in sandbox mode. Request production access in the AWS console under SES → Account dashboard → Request production access.
SPF check fails	You have more than one TXT record starting with `v=spf1` on the same name. Merge all `include:` mechanisms into a single record.