PushMail.dev

DNS Setup & Troubleshooting

Configure DNS records for email authentication, click tracking, and deliverability. Provider-specific instructions and fixes for common issues.

Required DNS Records

PushMail requires several DNS records to authenticate your sending domain, enable click tracking with SSL, and improve deliverability.

RecordTypePurpose
_pushmail.yourdomain.comTXTDomain ownership verification
DKIM (2 records)CNAMEEmail authentication — proves emails are from your domain
Return PathCNAMEBounce handling — aligns the envelope sender with your domain
Link Branding (2 records)CNAMEClick tracking SSL — prevents certificate errors on tracked links
SPFTXTSender authorization — tells receiving servers which IPs can send for your domain

All CNAME records are shown in your dashboard after adding a domain. Copy the exact values — they are unique to your account.

Common Issues

Symptom: Recipients see NET::ERR_CERT_COMMON_NAME_INVALID or "Your connection is not private" when clicking links in your emails.

Cause: The link branding CNAME record is either missing, misconfigured, or proxied through a CDN (like Cloudflare's orange cloud) which prevents SendGrid from provisioning an SSL certificate for your tracking subdomain.

Fix:

  1. Go to your dashboard → Domains → select the affected domain
  2. Check that the Link Branding CNAME records show as "Verified"
  3. If the records are pending, add them to your DNS provider
  4. If you use Cloudflare: Make sure the CNAME is set to DNS only (gray cloud icon), not Proxied (orange cloud). Proxied records break SSL certificate provisioning.

PushMail automatically monitors link branding health and will attempt to re-provision SSL certificates when issues are detected.

DKIM Not Validating

Symptom: DKIM records show as "Pending" in your dashboard even after adding the CNAME records.

Common causes:

  • Wrong CNAME target — Double-check you copied the full target value (it's long and contains your DKIM selector)
  • Proxied records — If using Cloudflare, DKIM CNAMEs must be DNS only (gray cloud)
  • Propagation delay — DNS changes can take up to 48 hours, though most complete within minutes
  • Conflicting records — Check for existing DKIM records at the same hostname

SPF Too Many Lookups (PermError)

Symptom: SPF validation fails with a "too many DNS lookups" error.

Cause: SPF records are limited to 10 DNS lookups. Each include: directive counts as one lookup, and nested includes count too.

Fix:

  • Audit your SPF record: v=spf1 include:sendgrid.net ~all
  • Remove includes for services you no longer use
  • If you use many services (Google Workspace, Microsoft 365, Mailchimp, etc.), consider an SPF flattening service
  • SendGrid's include:sendgrid.net typically uses 3-4 lookups on its own

Emails Going to Spam

Common causes:

  • Missing DMARC — Add a DMARC record: _dmarc.yourdomain.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"
  • SPF alignment failure — Your Return Path CNAME must be set up for SPF to align with your sending domain
  • New domain/IP — New sending domains need warming. Start with small volumes and increase gradually
  • Content issues — Avoid spam trigger words, include an unsubscribe link, maintain a good text-to-image ratio

Provider-Specific Instructions

Cloudflare

Critical: All email-related CNAME records (DKIM, Return Path, Link Branding) must be set to DNS only (gray cloud icon). Proxied records (orange cloud) will cause SSL certificate errors on click tracking links and break DKIM validation.

Go to the Cloudflare dashboard and select your domain
Click DNS in the sidebar
Click Add record
Set Type to CNAME
Enter the Name — paste only the subdomain part (Cloudflare appends your domain)
Enter the Target — paste the full target domain from your PushMail dashboard
Click the orange cloud icon to toggle it to DNS only (gray cloud)
Click Save

Repeat for each CNAME record. For TXT records (ownership verification, SPF), follow the same steps but select TXT as the type and enter the value in the Content field.

AWS Route 53

Open the Route 53 console and go to Hosted zones
Select your domain's hosted zone
Click Create record
Enter the Record name — Route 53 appends the domain automatically, so enter only the subdomain part
Set Record type to CNAME
Enter the Value (target domain from PushMail)
Click Create records

TXT record values in Route 53 must be enclosed in double quotes, e.g. "pushmail-verification=abc123".

GoDaddy

Sign in to GoDaddy and go to My Products
Find your domain and click DNS (or Manage DNS)
Click Add under the DNS Records section
Select CNAME as the Type
Enter the Host — enter only the subdomain part (GoDaddy appends the domain automatically)
Enter the Points to value (target domain from PushMail)
Set TTL to 1 Hour
Click Save

If after saving you see something like example.com.example.com, you entered the full domain. Edit the record to use only the subdomain part.

Namecheap

Sign in to Namecheap and go to Domain List
Click Manage next to your domain
Go to the Advanced DNS tab
Click Add New Record
Select CNAME Record as the Type
Enter the Host — use only the subdomain part (without your domain)
Enter the Value (target domain from PushMail)
Click the green checkmark to save

Google Domains (Squarespace)

Sign in to Squarespace Domains (formerly Google Domains)
Select your domain
Go to DNS in the left sidebar
Scroll to Custom records and click Manage
Click Add record
Set Type to CNAME, enter the host name and data
Click Save

DigitalOcean

Go to the DigitalOcean control panel
Click NetworkingDomains
Select your domain
In the CNAME tab, enter the hostname and target
Click Create Record

DigitalOcean requires a trailing dot on CNAME target values (e.g. sendgrid.net.).

Azure DNS

Go to the Azure portal → DNS zones
Select your DNS zone
Click + Record set
Enter the Name, set Type to CNAME, enter the Alias
Click OK

Vercel

Go to your Vercel dashboard → Project → SettingsDomains
Add a CNAME record with the required host and value
Or use the CLI: vercel dns add yourdomain.com subdomain CNAME target.domain.com

Other Providers

For DNS providers not listed above:

  1. Sign in to your DNS provider's management console
  2. Navigate to DNS settings for your domain
  3. Add each record (CNAME or TXT) using the exact values from your PushMail dashboard
  4. Important: If your provider supports proxied records, make sure email CNAME records are set to DNS only (not proxied)
  5. DNS changes can take up to 48 hours to propagate, though most complete within 1-2 hours

Automatic Health Monitoring

PushMail continuously monitors your domain's DNS and link branding health:

  • CNAME verification — Checks that all required records exist and point to the correct targets
  • Proxy detection — Detects if CNAME records are accidentally proxied through Cloudflare
  • SSL monitoring — Verifies that click tracking subdomains have valid SSL certificates
  • Auto-repair — When SSL issues are detected, PushMail automatically triggers re-provisioning with SendGrid

If an issue requires action on your end (like disabling proxy on a CNAME), you'll see a warning in your dashboard with specific instructions for your DNS provider.

Email Providers

PushMail supports 10 email providers via BYOK (Bring Your Own Key). Connect your own SendGrid, SES, Postmark, Mailgun, or any supported provider to send through your own infrastructure.

Website Tracking

Track page views and custom events on your website with a lightweight JavaScript snippet. Tie anonymous visitors to known contacts.

On this page

Required DNS RecordsCommon IssuesSSL Certificate Error on Click Tracking LinksDKIM Not ValidatingSPF Too Many Lookups (PermError)Emails Going to SpamProvider-Specific InstructionsCloudflareAWS Route 53GoDaddyNamecheapGoogle Domains (Squarespace)DigitalOceanAzure DNSVercelOther ProvidersAutomatic Health Monitoring