Skip to content

Domain authentication

Before you can send from yourdomain.com, you have to prove you own it. Until you do, sends fail with domain_not_verified.

  1. Email → Domains → Add Domain in the dashboard, or:

    Terminal window
    curl https://api.9bits.net/email/ng/v1/domains \
    -H "Authorization: Bearer $NINEBITS_EMAIL_KEY"
  2. We give you the exact records. Add them at your DNS provider.

    TypePurpose
    TXT (SPF)Authorises our servers to send for your domain.
    TXT/CNAME (DKIM)Cryptographically signs your mail so it can’t be forged in transit.
    TXT (DMARC)Tells receivers what to do with mail that fails the checks.
  3. Usually minutes; occasionally up to 48 hours depending on your registrar’s TTL.

  4. Terminal window
    curl https://api.9bits.net/email/ng/v1/domains/yourdomain.com \
    -H "Authorization: Bearer $NINEBITS_EMAIL_KEY"

    Once it reports verified, you can send.

SPF lists who may send for your domain. Without it, anyone can claim to be you, so receivers distrust the lot.

DKIM signs each message with a private key; receivers check the signature against the public key in your DNS. It survives forwarding, which SPF often doesn’t — which is why DKIM does most of the real work.

DMARC ties the two together and tells receivers what to do on failure. Start permissive and tighten once you’re confident:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

p=none means “don’t block anything, just send me reports”. Read the reports for a couple of weeks, confirm all your legitimate mail passes, then move to p=quarantine and eventually p=reject.

Send marketing and transactional mail from a subdomain:

mail.yourdomain.com ← transactional
news.yourdomain.com ← marketing

Reputation is tracked per-domain. If a marketing campaign gets spam complaints, that damage stays on news. and doesn’t drag down your password resets — or, worse, the CEO’s email from yourdomain.com.

Separating them is cheap now and very hard to retrofit after your root domain’s reputation is burnt.

Hard bounces and spam complaints are added to your suppression list automatically, and we won’t send to them again.

Don’t fight this. Re-sending to a hard bounce is exactly what receivers watch for when deciding whether you’re a spammer. Check the list before importing recipients:

Terminal window
curl https://api.9bits.net/email/ng/v1/suppressions \
-H "Authorization: Bearer $NINEBITS_EMAIL_KEY"