# Domain & DNS setup

This guide walks Admin through the initial email domain configuration required before you can start sending emails with **Engage Studio**.

The setup involves **four main steps** :

## Step 1: Prepare Email Domain Information

Before configuring your domain, collect the following information:

* **Your sending domain or subdomain**
  * We recommend using a **subdomain** to avoid conflicts with your corporate email infrastructure.
  * Example: If your brand domain is `example.com`, consider using `mail.example.com`.
* **TD Write-only APIKEY (Admin)**
  * Used to log email events to your Treasure Data tables.


## Step 2: Domain Provisioning

Domain provisioning configures your custom email-sending domain and prepare it for DNS authentication and email delivery. This step is required before DNS records can be added and your domain can be verified.

To configure your domain and sender setup, Navigate to **Engage > Sending Configurations > Create New**.

![](/assets/email-domain-configuration-2025-05-25-02-39-22.7830062272eb278d12a8841302ba04885947a8570b8610b8e4c22cbc829c9e02.5be018a0.png)

**Create Domain** requires Domain name and Write-only API key you prepared at Step1.

![](/assets/email-domain-configuration-2025-05-25-02-39-27.9b47f3adaf5d114ad00042735e8d63123bf0c75cdcc081ad6661e3f3049faaef.5be018a0.png)

![](/assets/email-domain-configuration-2025-05-25-02-39-57.a76f3ecb98ae7d3c163d55979073b808ec65ae4fcbd47545aca5d6529e96dd36.5be018a0.png)

Navigate to your new created domain. Then, click "**Start domain deployment** "

![](/assets/email-domain-configuration-2025-05-25-02-40-08.c7785d867d7f190ae20d1606b9e378ec3a4efcf5444eba1351c1dd86746cf335.5be018a0.png)

After deploy your domain (you may need to wait few mins to generate DNS records), click "**Verify DNS records** ". Then, you'll get DNS records.

![](/assets/email-domain-configuration-2025-05-25-03-08-22.b62e61847c429a289c3db1c76cdbd9368bd71e4da3bcd18765682319c8e1658d.5be018a0.png)

## Step 3: Add DNS Records to Your DNS Provider

Once Treasure Data provisions the domain, customers will receive a set of DNS records, which include:

* **SPF (Sender Policy Framework)** – TXT record that authorizes Agentic Engage powered by Amazon SES to send emails on behalf of your domain.
* **DKIM (DomainKeys Identified Mail)** – TXT record used to sign outgoing emails cryptographically, helping to verify message integrity and authenticity.
* **DMARC (Domain-based Message Authentication, Reporting, and Conformance)** – TXT record that specifies your policy for handling unauthenticated emails
  * If you already have DMARC configuration for the same domain, this DMARC is not nessesary to configure. You can ignore pending status for DMARC.
  * **Accepted DMARC Policies:**
    * `p=none : default. `This policy instructs receiving email servers to take no specific action if a message fails DMARC checks.The email is delivered as usual, regardless of the DMARC authentication result. However, DMARC reporting mechanisms can be used: the domain owner may receive reports about authentication failures, but recipients see no difference in their inboxes.
    * `p=quarantine : T`ells receiving mail systems that messages failing DMARC should be treated with suspicion. Emails that do not pass DMARC are typically delivered to the recipient's "spam" or "junk" folder, rather than the main inbox. Recipients may still be able to access the message, but it is not treated as trusted or legitimate.
    * `p=reject : `Specifies the strictest enforcement. If a message fails DMARC, it should not be accepted. Messages failing DMARC authentication are rejected at the server: they are not delivered at all, and typically the sending server receives a bounce notification. The recipient never sees the failed message in their mailbox.
* **Click Tracking (CNAME)** – CNAME record used to rewrite and track link clicks. It redirects links through Engage click tracking endpoint while preserving the original destination.
* **Image Hosting (CNAME)** – CNAME record used to serve email images from a Content Delivery Network (CDN) under your branded domain. This improves performance and helps ensure image assets are loaded securely via HTTPS, which enhances domain trust and email deliverability.
* **MX Record (Mail Exchange)** – Specifies the server responsible for accepting emails sent to your domain. Needed to process bounces and auto-replies.


Example of DNS records:

![carbon.png](/assets/carbon.566b429343cb63ddfb3eaaaa006b2bfd2b9f90ab62056a4e957f27a941d50412.5be018a0.png)

Copy the Zone file to send to your IT team.

## Step 4: Verify Your Domain

DNS verification flow is following:

1. Status starts as **SUSPENDED**
2. User clicks **"Verify Domain"** → status becomes **DEPLOYING**
3. Once records are created, Apply the configuration to your DNS system
4. User clicks **"Verify DNS"** once the configuration is completed
5. System polls vefirication status every few minutes for 72 hours
6. On success → status becomes **ACTIVE**
7. On failure → status reverts to **SUSPENDED**


Verification statuses:

* **Verified** : All records successfully validated
* **Pending** : Waiting for record propagation
* **Temporary Failure** : DNS issues detected post-verification
* **Failure** : Verification expired (after 72 hours)
  * If you see this error, please reach out to Treasure Data Support.
* **Not Started** : Verification process not yet triggered


![](/assets/email-domain-configuration-2025-05-25-09-21-26.1462e5bdf31adf71b33bc93d47188d54c06033c291f2d0048dba59aeff7765e1.5be018a0.png)

## Deployment Events

The deployment events will be executed automatically, it will take 1-2 days from start to completion. The process is successful when all of the following events are complete.

* UPDATE_TO_SECRET_COMPLETED
* UPDATE_TO_IDENTITY_COMPLETED
* UPDATE_TO_CDN_COMPLETED
* UPDATE_TO_CERTIFICATE_COMPLETED
* UPDATE_TO_ENABLE_IDENTITY_COMPLETED
* UPDATE_TO_ENABLE_CDN_COMPLETED