uMail Domain Verification & DNS Setup

This guide documents the complete process for verifying the mallnline.com domain with Resend and configuring DNS authentication records (SPF, DKIM, DMARC) at Network Solutions. These records ensure outbound transactional emails from the alerts subgraph are properly authenticated and delivered to recipients' inboxes.

Policy: @mallnline.com is reserved for internal platform use only (e.g., noreply@, support@, press@). Malet Owner addresses will use a separate domain in future uMail phases.

Prerequisites

Access to Network Solutions Account Manager (domain owner)
Access to Resend Dashboard (with RESEND_API_KEY)
mallnline.com domain owned and active

Architecture Overview

The Mallnline email infrastructure uses a dual-provider model:

Direction	Provider	Purpose
Outbound (transactional)	Resend API	Order confirmations, welcome emails, OTPs, alerts
Inbound (mailbox)	Network Solutions (Roundcube)	`info@mallnline.com`, forwarding aliases

DNS authentication records (SPF, DKIM, DMARC) tell receiving mail servers that Resend is authorized to send emails on behalf of @mallnline.com. Without these records, emails may land in spam or be rejected entirely.

┌─────────────────┐     ┌──────────────┐     ┌─────────────────┐
│  alerts subgraph│────▶│  Resend API  │────▶│ Recipient Inbox │
│  (NestJS)       │     │  (outbound)  │     │ (Gmail, etc.)   │
└─────────────────┘     └──────────────┘     └─────────────────┘
                              │                      │
                              │                      ▼
                              │               ┌─────────────┐
                              └──────────────▶│ DNS Check:  │
                                              │ SPF ✓       │
                                              │ DKIM ✓      │
                                              │ DMARC ✓     │
                                              └─────────────┘

Step 1: Retrieve DNS Records from Resend

Log in to the Resend Dashboard
Click "Add Domain" → enter mallnline.com
Resend generates the DNS records you need to add

Resend DNS Records Panel — shows the 4 records (DKIM, SPF MX, SPF TXT, DMARC) that need to be added at your DNS provider

Resend provides 4 records across 3 categories:

#	Category	Record Type	Hostname	Purpose
1	DKIM	TXT	`resend._domainkey`	Cryptographic email signing
2	SPF	MX	`send`	Mail exchanger for SPF subdomain
3	SPF	TXT	`send`	SPF policy for Resend sending
4	DMARC	TXT	`_dmarc`	Anti-spoofing policy

Toggle "Enable Sending" to ON. Leave "Enable Receiving" OFF — inbound mail is handled by Network Solutions/Roundcube.

⚠️ Do NOT enable receiving — this would require changing MX records and would break the existing info@mallnline.com Roundcube inbox.

Step 2: Navigate to Network Solutions DNS Panel

Log in to Network Solutions Account Manager
Click Domains in the left sidebar
Click on mallnline.com
Scroll down to "Advanced Tools"
Click "Manage" next to "Advanced DNS Records"

Network Solutions Advanced DNS Records panel — shows existing A, CNAME, MX, and TXT records for mallnline.com

⚠️ Do NOT use "Custom Nameservers" or "Manage Nameservers (DNS)" — those control which nameservers run the domain. The "Advanced DNS Records" panel is for adding individual DNS records.

The existing records you'll see:

Type	Name	Value	Status
A	`*`, `email`, `ftp`, `imap`, `mail`	`66.96.162.x` IPs	✅ Do not modify
CNAME	`_acme-challenge`	Let's Encrypt (SSL)	✅ Do not modify
MX	`@`	`mx.mallnline.com`	✅ Critical — do not modify
TXT	`@`	Google site verification	✅ Do not modify
TXT	`@`	`v=spf1 ip4:66.96.128.0/18...`	✅ Do not modify

Step 3: Add Resend DNS Records

Click "+ Add Record" (top right) and add each record from the Resend dashboard.

Record 1: DKIM (TXT)

Add TXT Record dialog — Type: TXT, Refers to: Other Host, Host Name: resend._domainkey, TXT Value: DKIM key string, TTL: 1 Hour

Field	Value
Type	`TXT`
Refers to	Select "Other Host"
Host Name	`resend._domainkey`
TXT Value	Copy the full DKIM value from Resend (starts with `p=MIG...`)
TTL	`1 Hour`

Network Solutions auto-appends .mallnline.com, creating the full record: resend._domainkey.mallnline.com

Record 2: SPF — MX Record

Field	Value
Type	`MX`
Refers to	Select "Other Host"
Host Name	`send`
Mail Server	Copy the MX value from Resend (e.g., `feedback-smtp.us-east-1.amazonses.com`)
Priority	`10`
TTL	`1 Hour`

Record 3: SPF — TXT Record

Field	Value
Type	`TXT`
Refers to	Select "Other Host"
Host Name	`send`
TXT Value	Copy the full SPF TXT value from Resend (e.g., `v=spf1 include:amazonses.com ~all`)
TTL	`1 Hour`

Record 4: DMARC — TXT Record

Field	Value
Type	`TXT`
Refers to	Select "Other Host"
Host Name	`_dmarc`
TXT Value	Copy the DMARC value from Resend (e.g., `v=DMARC1; p=none; ...`)
TTL	`1 Hour`

Step 4: Verify in Resend

Return to the Resend dashboard
Click "I've added the records"
Resend will check DNS propagation — this usually completes within minutes but can take up to 48 hours
Once verified, the domain status will show ✅ Verified

Verification via CLI

You can also verify DNS propagation from the terminal:

# Check DKIM
dig resend._domainkey.mallnline.com TXT +short

# Check SPF (subdomain)
dig send.mallnline.com TXT +short
dig send.mallnline.com MX +short

# Check DMARC
dig _dmarc.mallnline.com TXT +short

# Check existing MX (should be unchanged)
dig mallnline.com MX +short
# Expected: mx.mallnline.com (priority 30)

Step 5: Update Environment Variables

Once Resend confirms domain verification, the FROM_EMAIL environment variable is already configured:

# .env (root) and apps/auth/.env
FROM_EMAIL=noreply@mallnline.com

The fallback in gmail-alerts.service.ts also defaults to noreply@mallnline.com:

const from =
  this.configService.get('FROM_EMAIL') || 'noreply@mallnline.com';

⚠️ Do not deploy the noreply@mallnline.com sender until Resend verification is complete. Resend will reject emails from unverified sender domains.

Email Delivery Test

After verification, test end-to-end delivery:

npx -y tsx apps/alerts/scripts/verify-email-delivery.ts your-email@gmail.com

Check the received email headers for:

SPF: PASS
DKIM: PASS
DMARC: PASS

Platform Functional Mailboxes

These addresses are provisioned via Network Solutions Standard Email forwarding (same mechanism as dev@mallnline.com → Gmail):

Address	Purpose	Forward To
`info@mallnline.com`	General inquiries	✅ Roundcube inbox (active)
`dev@mallnline.com`	Developer inquiries	✅ `mallnline.dev@gmail.com` (active)
`support@mallnline.com`	Support tickets	→ shared Gmail
`press@mallnline.com`	Media inquiries	→ shared Gmail
`noreply@mallnline.com`	Transactional outbound	Resend sender only (no inbox)
`dmarc@mallnline.com`	DMARC aggregate reports	→ `dev@` forward
`accessibility@mallnline.com`	Accessibility feedback	→ `support@` forward

Troubleshooting

Records not propagating

DNS propagation can take up to 48 hours. If records aren't showing after a few hours:

Double-check the Host Name field — Network Solutions auto-appends .mallnline.com
Ensure there are no typos in the TXT values (copy-paste directly from Resend)
Try lowering TTL to 1 Hour for faster updates

"Custom Nameserver" confusion

Network Solutions has multiple DNS-related pages:

Custom Nameservers — Creates ns1.yourdomain.com records. Not what you need.
Manage Nameservers (DNS) — Changes which DNS servers run your domain. Not what you need.
Advanced DNS Records — Adds individual A/CNAME/MX/TXT records. This is the correct page.

Emails still going to spam

If SPF/DKIM/DMARC all pass but emails land in spam:

Check sender reputation via Google Postmaster Tools
Ensure FROM_EMAIL matches the verified domain (noreply@mallnline.com)
DMARC is in p=none (monitoring) mode initially — escalate to p=quarantine after 2-4 weeks of clean reports

Alerts Resilience — DLQ retry system and delivery tracking for the alerts subgraph
Invite Notification Pipeline — Organization invite emails using Resend
Alert Templates UI — Handlebars email template system
Notification Connection Modes — Multi-channel delivery (email, push, in-app)