Set up SPF, DKIM & DMARC for Resend (fix “via resend.com”)

Your Resend emails show “via resend.com” in Gmail, or drop into spam, and you're not sure which DNS records make them authenticate as your own domain.

Check your domain first — 10 seconds, free, no signup.
See your DMARC policy, SPF lookup count and every issue explained in plain English.
Run the free check →

What this means

Resend reaches DMARC compliance through DKIM, not SPF. The SPF domain Resend uses is a subdomain of its own infrastructure, so SPF can only align in relaxed mode — but Resend lets you sign DKIM with your own domain, so DKIM aligns and that is what carries DMARC for you. Until you verify a custom domain in Resend, mail is sent from Resend's shared domain and Gmail shows the tell-tale “via resend.com”. Source: Resend Docs — Implementing DMARC · verified 2026-07-18.

What to do about it

Step 1. Add and verify your own domain in Resend (Domains → Add Domain) — the shared-domain fallback is what triggers “via resend.com”.
Step 2. Add the DKIM records Resend generates exactly as shown — DKIM is the mechanism that gives you DMARC alignment here.
Step 3. Optionally enable Resend's Custom Return Path so the SPF subdomain is under your domain too (relaxed SPF alignment).
Step 4. Publish a DMARC record on your root domain — minimum v=DMARC1; p=none; rua=mailto:you@yourdomain — then run the free check below to confirm dkim=pass and dmarc=pass.

Frequently asked

Will adding these records break the email I already send?

No. Adding SPF includes and DKIM records (whether TXT or CNAME) only adds authentication — it never blocks mail. The only step that can affect delivery is tightening your DMARC policy to quarantine or reject, and that comes later, once reports confirm every legitimate sender passes.

The platform says it “handles DMARC” — do I still need my own record?

Yes. Most platforms handle DKIM (and sometimes SPF) so their mail can pass, but the DMARC record is published on your own domain and controlled by you — it's what tells receivers to act on failures. Providers rarely publish it for you, and you want your own rua= address to see the reports.

How do I confirm it actually worked?

Send yourself a test message and check the headers for dkim=pass and dmarc=pass — or run the free check below on your domain to see SPF, DKIM and DMARC state, and which sending services currently align, in one place.

Don't want to babysit DNS records?
DMARCKeeper monitors your reports, names every sender, and walks you to full p=reject protection.
Start free monitoring →