How To: Email Sender Setup

Overview

Jujama sends email on your behalf using Amazon SES. Sending from your own domain (rather than ours) means:

  • Replies go directly to a mailbox you control
  • Deliverability is based on your domain's reputation
  • Recipients see a sender address they recognize

To make this work, your IT department will need to publish three DKIM records in your domain's DNS. This is a one-time setup.

If DKIM setup isn't possible, Jujama can send from a no-reply   address on our own domain instead — but you'll lose the benefits above, and replies will not be monitored.

What You'll Provide

  • The sender email address you want to use (e.g., events@yourcompany.com  ). This should be a real, monitored mailbox. Once you provide the sender address, Jujama will generate the three DNS CNAME records for you to send to your IT contact for publication.

  • DNS access for whoever manages your domain, so they can add the three CNAME records we provide.


Why the sender mailbox needs to be monitored

When you send to a recipient address that doesn't exist, the receiving server returns a bounce. Jujama tracks these automatically, but bounce notifications and any human replies (questions, "please remove me," out-of-office, etc.) will arrive in the sender mailbox. Someone should review it periodically.

If invalid addresses aren't cleaned up, Amazon SES will eventually start silently suppressing delivery to them, which can affect your overall sending reputation.


For Your IT Dept


Jujama sends email on your behalf via Amazon SES from a sender address on your domain. To authenticate this mail, you'll need to publish three DKIM CNAME records in your domain's DNS to enable passing DKIM verification and DKIM alignment checks under DMARC. Without these records in place, mail Jujama sends on your behalf will be marked as spam or rejected at most major receivers.


Required: Three DKIM CNAME records

Based on the sender address you've chosen, Jujama will generate three CNAME records of the form:

<selector>._domainkey.<your-sending-domain>   CNAME   <selector>.dkim.amazonses.com

Publish them in DNS exactly as provided. These records must remain in place permanently — they are not a one-time verification. Removing them will break authentication.


Requirements for the sending domain

The domain the sender address is on must have:

  • A valid mailbox for the sender address, monitored for replies and bounces
  • MX records pointing to your mail server, so replies can be received

Note on inbound mail filtering

Some organizations have inbound or internal mail security that flags messages where the header From address is on your own domain but the message originated outside your infrastructure. If Jujama's mail is being quarantined by your filters after this setup, the cleanest signal to allow-list on is:

  • In the Authentication-Results  header dmarc=pass  with associatedheader.from=yourdomain.com  

A passing DMARC result is the authoritative indicator that the mail is legitimately authorized to use your domain.

Other methods may be necessary depending on your email security system, e.g. Defender, Proofpoint, etc.


Optional: Custom MAIL FROM (envelope sender)

By default, the envelope sender (Return-Path) on outbound mail will be a subdomain of amazonses.com  . You can optionally configure a custom MAIL FROM under your own domain, which adds SPF alignment in addition to DKIM alignment. This is not required — DKIM alignment alone is sufficient for DMARC to pass — but some organizations prefer it for defense in depth or other reasons.

Note that the MAIL FROM subdomain's MX must point to AWS, so it cannot be a domain or subdomain that also hosts regular user mailboxes — it needs to be a dedicated subdomain (e.g., bounce.yourcompany.com  ) used only for this purpose.

If you'd like to set this up, contact Jujama IT to coordinate the configuration.

Still need help? Contact Us Contact Us