Sending Domains
Add and verify sending domains with DKIM, SPF, and DMARC records.
Every email sent through Molted Email must come from a verified domain. This protects your sender reputation and ensures email providers trust your messages.
Why verification is required
Unverified domains are blocked by the policy engine with no_verified_domain. This prevents unauthorized sending and protects the platform's shared IP reputation.
Adding a domain
molted domains add yourdomain.com
The response includes the DNS records you need to configure:
{
  "id": "dom_abc123",
  "domain": "yourdomain.com",
  "status": "pending",
  "dnsRecords": [
    { "type": "TXT", "name": "yourdomain.com", "value": "v=spf1 include:..." },
    { "type": "TXT", "name": "molted._domainkey.yourdomain.com", "value": "v=DKIM1;..." },
    { "type": "TXT", "name": "_dmarc.yourdomain.com", "value": "v=DMARC1;..." },
    { "type": "MX", "name": "yourdomain.com", "value": "10 mx.molted.email" }
  ]
}
You can also add domains through Dashboard > Domains in the portal.
DNS records
DKIM
A TXT record that adds a cryptographic signature to your outgoing emails. Recipients use this to verify the email was sent by an authorized server and wasn't tampered with in transit.
SPF
A TXT record on your domain that authorizes Molted Email's sending servers. This tells recipient mail servers that our IPs are allowed to send email for your domain.
DMARC
A TXT record that specifies what recipient servers should do with emails that fail DKIM or SPF checks. We recommend starting with a p=none policy and moving to p=quarantine or p=reject once you've confirmed everything works.
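The staged rollout recommended above can be checked mechanically. The following is an added example, not Molted Email code: it parses a DMARC TXT value and reports whether the record is still monitoring (p=none), partially enforcing, or fully enforcing, along with what stands in the way of tightening it. The function names, the stage labels and the sample records are assumptions made for illustration.

```python
# Added example: audit a DMARC TXT value. All sample records are constructed.
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Return the record's tags as a dict; v=DMARC1 must be the first tag."""
    pairs = []
    for part in (p.strip() for p in txt.split(";")):
        if not part:
            continue  # tolerate a trailing ';'
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    tags = dict(pairs)
    if len(tags) != len(pairs):
        raise ValueError("duplicate tag")
    return tags

def audit_dmarc(txt):
    """Classify the rollout stage and list what blocks the next step."""
    tags = parse_dmarc(txt)
    policy = tags.get("p", "").lower()
    sub = tags.get("sp", policy).lower()  # sp defaults to the domain policy
    if policy not in POLICIES or sub not in POLICIES:
        raise ValueError("p and sp must be none, quarantine or reject")
    pct = int(tags.get("pct", "100"))     # pct defaults to 100
    if not 0 <= pct <= 100:
        raise ValueError("pct must be 0-100")
    findings = []
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports to confirm SPF/DKIM pass")
    if policy == "none":
        stage = "monitoring"
    elif pct < 100:
        stage = "partial"
        findings.append(f"pct={pct}: policy covers only part of failing mail")
    else:
        stage = "enforcing"
    if policy != "none" and sub == "none":
        findings.append("sp=none: subdomains are exempt from enforcement")
    return {"stage": stage, "policy": policy, "pct": pct, "findings": findings}

if __name__ == "__main__":
    for record in ("v=DMARC1; p=none; rua=mailto:dmarc@example.test",
                   "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.test",
                   "v=DMARC1; p=reject; sp=none"):
        print(record, "->", audit_dmarc(record))
```

A record that stays at "monitoring" with no rua address gives you no data to decide when the move to p=quarantine or p=reject is safe.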
MX
An MX record that routes inbound email to Molted Email for receiving on this domain.
One-click DNS setup
If your DNS provider supports the Domain Connect protocol, you can skip manual record configuration entirely. Run dns-check to find out:
# CLI
molted domains dns-check <domainId>
# API
curl "https://api.molted.email/v1/agent/domains/DOMAIN_UUID/domain-connect" \
  -H "Authorization: Bearer YOUR_API_KEY"
If one-click setup is available, the response includes a redirect URL. Open this URL to configure all DNS records automatically at your provider -- no manual copy-pasting required.
{
  "supported": true,
  "redirectUrl": "https://your-dns-provider.com/v2/domainTemplates/providers/molted.email/services/moltedemail/apply?..."
}
After completing the redirect flow, run molted domains verify <domainId> to confirm the records are in place.
If one-click setup is not available, you need to add the DNS records manually at your registrar. Use molted domains get <domainId> to see the required records and their current verification status.
{
  "supported": false,
  "reason": "DNS provider does not support Domain Connect"
}
This step is optional. If you prefer to add DNS records manually, skip dns-check and go straight to adding records at your registrar.
Supported providers include Cloudflare, Vercel, and any other DNS host that implements Domain Connect.
Verification
After adding the DNS records at your registrar, verify them:
molted domains verify <domainId>
DNS propagation typically takes a few minutes but can take up to 48 hours. Re-run verify if it initially fails.
Once verified, the domain status changes to Active and you can start sending.
Managing domains
# List all domains
molted domains list
# Get domain details including per-record DNS status
molted domains get <domainId>
When a domain is in a terminal status (verified or failed), per-record dnsRecords[*].status values stuck at pending / not_started are reconciled to match the parent status and the response includes dnsRecordsStale: true. This avoids the misleading case where the cached per-record statuses say "pending" while the domain itself has already failed verification. To pull live statuses straight from the provider, run domains verify.
Removing a domain
molted domains remove <domainId>
Destructive action. Removing a domain deletes its DNS verification and sending configuration. Any mailbox with an address on this domain will fail sends with no_verified_domain until the domain is re-added and verified. There is no confirmation prompt -- the domain is removed immediately.
Domain rate limits
Each domain has per-minute, per-hour, and per-day send limits. View current limits and usage:
# CLI
molted domains rate-limits <domainId>
# API
curl "https://api.molted.email/v1/agent/domains/DOMAIN_UUID/rate-limits" \
  -H "Authorization: Bearer YOUR_API_KEY"
{
  "maxPerMinute": null,
  "maxPerHour": 100,
  "maxPerDay": 1000,
  "perMinute": null,
  "perHour": { "used": 12, "limit": 100, "remaining": 88 },
  "perDay": { "used": 47, "limit": 1000, "remaining": 953 }
}
The top-level maxPerMinute|Hour|Day fields mirror what the set endpoint returns, so the same field names work whether you're configuring or observing. The perMinute|Hour|Day objects carry usage detail and are null for windows with no custom limit.
Set custom rate limits
molted domains rate-limits set <domainId> --max-per-hour 100 --max-per-day 1000
| Flag | Type | Description |
|---|---|---|
| --max-per-minute <n> | number | Max sends per minute. |
| --no-max-per-minute | boolean | Remove custom per-minute limit (revert to default). |
| --max-per-hour <n> | number | Max sends per hour. |
| --no-max-per-hour | boolean | Remove custom per-hour limit (revert to default). |
| --max-per-day <n> | number | Max sends per day. |
| --no-max-per-day | boolean | Remove custom per-day limit (revert to default). |
Use --no-max-per-* flags to clear a custom limit and revert to the platform default.
Open & click tracking
Open and click tracking are off by default for every domain. You can opt in per domain -- either when adding the domain or later.
Tracking only becomes active once a tracking subdomain (e.g. links.yourdomain.com) is configured and its CNAME record is verified. When you enable tracking without naming a subdomain, it defaults to links.
# Enable at creation
molted domains add yourdomain.com --click-tracking --open-tracking
# Enable on an existing domain
molted domains tracking <domainId> --click --open
# Disable click tracking, keep open tracking
molted domains tracking <domainId> --no-click
# API
curl -X PATCH "https://api.molted.email/v1/agent/domains/DOMAIN_UUID/tracking" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "openTracking": true, "clickTracking": true, "trackingSubdomain": "links" }'
The response includes a refreshed dnsRecords array with the new Tracking CNAME you need to add at your registrar. Add it, then run molted domains verify <domainId> to activate tracking.
| Flag (add) | Flag (tracking) | Description |
|---|---|---|
| --open-tracking | --open / --no-open | Insert a tracking pixel to measure opens. |
| --click-tracking | --click / --no-click | Rewrite links through your tracking subdomain to measure clicks. |
| --tracking-subdomain <name> | --subdomain <name> | Tracking subdomain label (defaults to links). |
Click tracking affects deliverability. It rewrites every link in your emails to redirect through your tracking subdomain. Leave it off for purely transactional mail unless you need click metrics. A tracking subdomain can be changed but never removed once set, and changes are limited to once every 24 hours.
Domain warmup
New domains start with reduced daily send limits to build sender reputation gradually. The warmup schedule:
| Days since first send | Daily limit |
|---|---|
| 0 - 7 | 100 emails |
| 7 - 14 | 500 emails |
| 14 - 28 | 2,000 emails |
| 28+ | 10,000 emails |
These limits are enforced per domain by the policy engine. Sends blocked by the warmup limit return reason warmup_limit_exceeded.
Check warmup status
# CLI
molted domains warmup <domainId>
# API
curl "https://api.molted.email/v1/agent/domains/DOMAIN_UUID/warmup" \
  -H "Authorization: Bearer YOUR_API_KEY"
{
  "allowed": true,
  "dailyLimit": 500,
  "usedToday": 42,
  "warmupDay": 9
}
Skip warmup
If you have an established sending history and are migrating a domain to Molted, you can skip the warmup ramp.
# CLI
molted domains warmup skip <domainId>
# API
curl -X POST "https://api.molted.email/v1/agent/domains/DOMAIN_UUID/warmup/skip" \
  -H "Authorization: Bearer YOUR_API_KEY"
Skipping warmup removes the daily volume restriction entirely. Only do this if your domain already has a strong sending reputation -- skipping warmup on a cold domain can hurt deliverability.
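The domain status, rate-limits response and warmup response shown on this page can be combined into one local pre-send check. This is an added example, not part of the Molted Email CLI or API: the function name and its return shape are hypothetical, and the payloads are constructed from the sample responses above.

```python
# Added example: how many sends fit right now, and which limit binds.
# Payloads below are constructed from the sample responses on this page.
WINDOWS = ("perMinute", "perHour", "perDay")

def send_headroom(domain, rate_limits, warmup):
    """Return (count, binding) for a batch about to be queued."""
    # Assumption: the page names the sendable state both "verified" and
    # "Active", so either spelling is accepted here.
    if domain["status"].lower() not in ("verified", "active"):
        return 0, "no_verified_domain"
    if not warmup["allowed"]:
        return 0, "warmup_limit_exceeded"
    candidates = [("warmup", warmup["dailyLimit"] - warmup["usedToday"])]
    for window in WINDOWS:
        usage = rate_limits.get(window)
        if usage is not None:  # null means no custom limit for that window
            candidates.append((window, usage["remaining"]))
    binding, count = min(candidates, key=lambda c: c[1])
    return max(count, 0), binding

RATE_LIMITS = {
    "maxPerMinute": None, "maxPerHour": 100, "maxPerDay": 1000,
    "perMinute": None,
    "perHour": {"used": 12, "limit": 100, "remaining": 88},
    "perDay": {"used": 47, "limit": 1000, "remaining": 953},
}
WARMUP = {"allowed": True, "dailyLimit": 500, "usedToday": 42, "warmupDay": 9}

if __name__ == "__main__":
    print(send_headroom({"status": "verified"}, RATE_LIMITS, WARMUP))
    print(send_headroom({"status": "pending"}, RATE_LIMITS, WARMUP))
```

With the sample values the hourly window binds first (88 remaining), ahead of the warmup allowance (458) and the daily window (953).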
Related
- One-Click Domain Setup with Domain Connect -- skip manual DNS configuration with supported providers
- DMARC Reports -- upload and analyze DMARC aggregate reports
- Sender Addresses & Domain Rate Limits -- configure sender address and per-domain throttling
- Rate Limits -- tenant-level rate limits and usage