
Domain Protection

To protect your domain from unauthorized third-party email spoofing, a combination of security measures is used: SPF (Sender Policy Framework), Domain Lockdown™, DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) records. DKIM allows senders to digitally sign emails, so that receivers can verify the signed content was not altered in transit. DMARC builds on SPF and DKIM by adding a policy framework for authentication, reporting, and conformance. These measures work together to fortify your domain against email fraud and maintain the integrity of your email communications.


This is an optional but strongly recommended step.

The standard implementation of Usend will search for a DKIM RSA public key within your domain, and if the record exists, it will only send your email when you provide the private key during the sending process. On the other hand, if a DKIM record doesn't exist, the private key won't be required.

If you want to improve your domain protection, follow these steps.

Setting Up DMARC and DKIM Records


Before starting these steps, you need to have already set up the SPF record and Domain Lockdown™. For instructions on how to set them up, please refer to this link.

1. Add DMARC record

DMARC mandates an administrative email for receiving reports and notifications, enabling monitoring, issue resolution, and control over email deliverability and brand reputation.

To add a DMARC record, access your DNS provider and add a TXT record with the following details:

_dmarc TXT v=DMARC1; p=reject; ruf=mailto:[email protected]; rua=mailto:[email protected];

Update the [email protected] email address with your own administrative email address.

2. Generate and add DKIM public key record

To implement DKIM authentication, you need to generate a DKIM key pair and add the public key as a TXT record in your DNS settings. The private key stays with you and is never published. We have generated a public and private key pair for you, but if you prefer, you can also generate them using the OpenSSL commands in the optional section below:

Content TXT v=DKIM1; k=rsa; p=

3. Add DKIM private key to your project environment

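Now, to send emails through your domain using Usend, you need to use the DKIM private key. For this, you can add it to your .env environment variables file. Keep that file out of version control, since anyone who holds the private key can sign mail as your domain.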


4. And start sending secure emails with Usend

With these simple steps, you can now start sending secure emails.

import { Usend } from "usend-email";

const usend = new Usend({ dkimPrivateKey: process.env.DKIM_PRIVATE_KEY });
// or
// const usend = new Usend({ dkimPrivateKey: "..." });

(async () => {
  await usend.sendEmail({
    from: "[email protected]",
    to: "[email protected]",
    subject: "Hello from Usend",
    html: "<h1>It works!</h1>",
  });
})();

5. Done, now just confirm! 🎉

Confirm the sending of the email at [email protected].

Using OpenSSL to Generate Keys (Optional)


If you prefer, you can generate the DKIM key pair using OpenSSL. For your convenience, you can use the keys we generated for you and skip these steps.

1. Generate a private key

Generate a private key (.pem and .txt file):

openssl genrsa 2048 | tee priv_key.pem | openssl rsa -outform der | openssl base64 -A > priv_key.txt

Now, open the priv_key.txt file, copy and place the contents in the .env file as the DKIM_PRIVATE_KEY variable.

2. Generate a public key

Generate a public key (.txt file):

echo -n "v=DKIM1; k=rsa; p=" > pub_key_record.txt && \
openssl rsa -in priv_key.pem -pubout -outform der | openssl base64 -A >> pub_key_record.txt

Add the contents of the pub_key_record.txt file as a TXT record on your DNS provider.
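
A pre-send check for the key pair set up in steps 2 and 3, as an added example that is not part of Usend or its documentation: it confirms that the public key in the DKIM TXT record was derived from the private key stored in DKIM_PRIVATE_KEY, and rejects a record whose p= is empty. The function names are hypothetical and the sample key pair is constructed in the script; it assumes Node.js and the base64 DER encodings produced by the OpenSSL commands above.

```javascript
// Added example (not Usend code). Loads node:crypto under CommonJS or ES modules.
const nodeCrypto = typeof require === "function"
  ? require("node:crypto") : process.getBuiltinModule("node:crypto");

// Split a DKIM TXT value into tags. Resolvers print long records as several
// quoted chunks ("..." "..."), so quotes and chunk gaps are removed first.
function parseDkimRecord(txt) {
  const tags = {};
  for (const part of txt.replace(/"\s*"|"/g, "").split(";")) {
    const i = part.indexOf("="); // base64 padding also uses "=", split on the first
    if (i > 0) tags[part.slice(0, i).trim()] = part.slice(i + 1).replace(/\s+/g, "");
  }
  return tags;
}

// priv_key.txt holds base64 DER; depending on the OpenSSL version that DER
// is PKCS#8 or PKCS#1, so both encodings are tried.
function loadPrivateKey(b64) {
  const key = Buffer.from(b64, "base64");
  for (const type of ["pkcs8", "pkcs1"]) {
    try { return nodeCrypto.createPrivateKey({ key, format: "der", type }); } catch { /* next */ }
  }
  throw new Error("DKIM_PRIVATE_KEY is not a base64 DER RSA private key");
}

// Does the public key published in DNS belong to the private key in .env?
function checkDkimPair(recordTxt, privateKeyB64) {
  const tags = parseDkimRecord(recordTxt);
  if (tags.v !== "DKIM1") return { ok: false, reason: "missing v=DKIM1" };
  if (!tags.p) return { ok: false, reason: "empty p= (RFC 6376: key revoked)" };
  const priv = loadPrivateKey(privateKeyB64);
  const derived = nodeCrypto.createPublicKey(priv).export({ type: "spki", format: "der" });
  if (!derived.equals(Buffer.from(tags.p, "base64")))
    return { ok: false, reason: "DNS public key does not match the private key" };
  return { ok: true, bits: priv.asymmetricKeyDetails.modulusLength };
}

// Constructed sample: a throwaway pair encoded like priv_key.txt and pub_key_record.txt.
function makeSample() {
  const { privateKey, publicKey } = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  return {
    env: privateKey.export({ type: "pkcs8", format: "der" }).toString("base64"),
    record: "v=DKIM1; k=rsa; p=" + publicKey.export({ type: "spki", format: "der" }).toString("base64"),
  };
}

const sample = makeSample();
console.log(checkDkimPair(sample.record, sample.env));         // matching pair
console.log(checkDkimPair("v=DKIM1; k=rsa; p=", sample.env));  // record with no key
```

In practice, pass the TXT value your DNS provider returns and process.env.DKIM_PRIVATE_KEY instead of the constructed sample.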