Help Center/Sending email domain

Sending email domain

In brief: Send outbound email from your own domain. Required for Gmail/Yahoo bulk-sender compliance.

Use the Settings → Integrations → Sending domain card to swap the "From" address on every email Certivus sends on your behalf — from the platform default to compliance@your-firm.co.uk (or whichever address you choose on your own domain).

This is part of the White-label add-on. If you see a paywall card instead of the setup form, contact us to enable the bundle.

Why bother

  • Brand consistency. KYC invites, reminders, MLRO alerts, audit notifications all appear to come from your firm, not us.
  • Deliverability. From February 2024, Gmail and Yahoo require senders mailing more than ~5,000 unique addresses per day to have aligned SPF + DKIM + DMARC on the sending domain. Without this card, those messages get routed via the Certivus shared domain — fine for low volume, increasingly throttled at scale.
  • Trust. Recipients trust compliance@your-firm.co.uk more than they trust an unfamiliar sender. Open rates and reply rates both go up.

Who can use this

  • Your firm needs the White-label add-on (a monthly retainer; one entitlement covers all four white-label cards).
  • Within your firm: firm-owners and managers can register, verify, or remove the domain.

Pick a domain

A dedicated sending subdomain is strongly recommended over your apex domain:

  • mail.your-firm.co.uk — clean, isolates SPF / DKIM / DMARC from your other mail
  • compliance.your-firm.co.uk
  • notifications.your-firm.co.uk
  • ⚠️ your-firm.co.uk (apex) — works, but mixes our sending reputation with your existing inboxes and any other tools sending from your domain (CRM, payroll, etc.). Hard to isolate problems later.

The address Certivus uses to send becomes something like compliance@mail.your-firm.co.uk — the local part is configurable in Settings → Branding under "Reply-to address."

Setup walkthrough

  1. Click "Use your own sending domain" and enter the host, e.g. mail.your-firm.co.uk. Lowercase, no protocol, no @.
  2. Add three DNS records the card shows you at your domain registrar:
    • SPF (TXT) at mail.your-firm.co.uk — value starts with v=spf1 and includes _spf.resend.com. Tells receiving mail servers we're authorised to send for your domain.
    • DKIM (CNAME) at resend._domainkey.mail.your-firm.co.uk → a target shown in your Resend dashboard. Signs every message cryptographically.
    • DMARC (TXT) at _dmarc.mail.your-firm.co.uk — value v=DMARC1; p=quarantine; rua=mailto:dmarc@mail.your-firm.co.uk. Tells receivers what to do with messages that fail SPF or DKIM (quarantine = put in spam).
  3. Click Verify. We resolve all three records using public DNS and confirm they match. DNS propagation is usually 5–30 minutes; click Verify again if any check fails.
  4. The card shows three per-check badges — SPF / DKIM / DMARC each light up green when verified. All three must be green to enable the domain.
  5. Outbound emails switch over. As soon as all three checks pass, new emails sent for your firm use the new sending domain.

DMARC policy — what to set

The card defaults to p=quarantine, which we recommend.

  • p=none — monitor only. Failures are reported but messages still deliver. Good for a 1–2 week observation period when you first deploy.
  • p=quarantine — failures go to spam. Default and recommended for production.
  • p=reject — failures are bounced. Strongest, but only safe if you're confident no legitimate sender is using your domain without SPF/DKIM. Common mistake: signing up for a new newsletter tool that sends from your-firm.co.uk and getting all those messages rejected.

You can change the policy later by editing the TXT record directly at your registrar. The card re-verifies on next click.

What changes after verification

Every outbound email from Certivus for this firm uses your domain in the From header:

  • KYC verification invites + 48h reminders
  • MLRO alerts (new SAR, overdue review, AML hit)
  • Compliance reminders (training expiring, PCP review due, audit upcoming)
  • Annual MLRO report exports
  • Internal team invitations
  • News + product updates

The reply-to address (where client replies land) is independently configurable in Settings → Branding. By default it goes to your firm's primary contact.

Removing the sending domain

Click the trash icon, confirm.

  • Outbound emails from then on use the Certivus default sending domain.
  • Messages already queued in Resend continue to use your domain until they ship (usually within seconds).
  • DNS records at your registrar become safe to delete, but leaving them in place is harmless if you might re-enable later.

Common questions

What about my existing email tools (Microsoft 365, Google Workspace)? They're independent. Certivus uses Resend for outbound transactional email; your team's normal Outlook / Gmail mailboxes are unaffected.

Will replies come to my inbox? The reply-to address is set in Settings → Branding. By default it's your firm's primary contact email. You can change this to a shared mailbox like compliance@your-firm.co.uk if you have one.

What's _spf.resend.com and why does it have to be in my SPF record? Resend is the underlying email-sending service Certivus uses (it's the closest equivalent to "Mailchimp for transactional email"). The SPF include tells receiving mail servers (Gmail, Outlook) that Resend's mail servers are authorised to send for your domain. Without it, every Certivus email gets marked as "potentially spoofed" and routed to spam.

Can I use a different ESP? Not currently. Certivus only supports Resend as the sending backend. We may add more options in future.

My DKIM record won't verify even though I copied it correctly: DKIM CNAMEs sometimes get mangled by registrars that lowercase the value or add trailing dots. The value in Resend's dashboard is the source of truth — copy it character-by-character. Cloudflare users: turn proxy mode OFF for the DKIM CNAME (orange cloud should be grey).

Bulk-sender compliance (Gmail/Yahoo Feb 2024)

If you send more than ~5,000 unique recipients per day, Gmail and Yahoo require all three of SPF + DKIM + DMARC to be aligned with the sending domain. Without this card you'd need to ask us to set up sub-tenant alignment on the platform domain. With this card it's automatic — once Verify is green for all three, you're compliant.

A p=none DMARC policy is enough to satisfy the requirement, though p=quarantine is the production-recommended setting.

Troubleshooting

SPF fails verification:

  • Your domain may already have an SPF record (one TXT record starting with v=spf1). DNS only allows ONE SPF record per host — having two breaks both. Merge our include:_spf.resend.com into the existing record rather than adding a second.

DKIM fails:

  • Copy the CNAME value from your Resend domain dashboard — not what we show on the card (we show a placeholder; the real value is what Resend gives you for your specific tenant).
  • Confirm the CNAME host is resend._domainkey.<your-domain>, not something else.

DMARC fails:

  • Confirm the TXT record at _dmarc.<your-domain> (not at the domain itself).
  • Value must start with v=DMARC1.
  • Common mistake: a typo in the rua=mailto: address.

All three pass, but emails still get marked as spam:

  • Reputation takes 2–4 weeks to build on a brand-new sending domain. Start with low-volume internal messages; ramp up gradually.
  • Don't use a brand-new TLD that doesn't have a track record yet.
  • If your existing domain has a poor reputation already (from earlier marketing campaigns), use a sub-domain like mail.your-firm.co.uk so we build reputation on a clean slate.

Didn't find what you needed?

Contact support