DNS records
Three records put a sending domain in good standing: dual DKIM, SPF, and DMARC.
What you need
Each domain you enroll needs four DNS records. Enrollment shows the exact values; this page explains what each one does and how to verify it.
- Two DKIM TXT records (RSA and Ed25519)
- One SPF TXT record
- One DMARC TXT record
DKIM (dual signature)
Every outbound message carries two DKIM signatures: one from your domain, and one from d=atmos.email. The dual signature lets the relay pool reputation across members at the atmos.email level while keeping your domain's DKIM aligned for DMARC.
Your domain's signature uses two algorithms (RSA and Ed25519) so mailbox providers can pick whichever they prefer. The records look like:
<selector>r._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=<public-key>"
<selector>e._domainkey.yourdomain.com TXT "v=DKIM1; k=ed25519; p=<public-key>"
The selector is a short identifier issued at enrollment. The r and e suffixes mark the algorithm.
Verifying DKIM is live
dig +short TXT <selector>r._domainkey.yourdomain.com
This should return a v=DKIM1; k=rsa; p=... record. Do the same for the e selector.
SPF
SPF authorizes the relay's IP to send on behalf of your domain. Add this TXT record at your domain's apex:
@ TXT "v=spf1 ip4:87.99.138.77 -all"
The -all suffix is a hard fail: receivers reject any source not in the list. If you also send from another service (e.g. a transactional provider), add their include: mechanism to this record too.
Verifying SPF
dig +short TXT yourdomain.com
Look for the v=spf1 record in the output.
DMARC
DMARC tells receivers what to do when neither SPF nor DKIM passes with alignment. The recommended record:
_dmarc TXT "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:postmaster@atmos.email"
Field meanings:
- p=reject: receivers should reject mail that fails alignment.
- adkim=r: relaxed DKIM alignment. Tolerates subdomain DKIM, which is what the relay does.
- aspf=r: relaxed SPF alignment.
- rua=mailto:postmaster@atmos.email: aggregate DMARC reports flow back to the relay so we can spot misconfiguration. You can add your own address too.
Verifying DMARC
dig +short TXT _dmarc.yourdomain.com
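The dig checks above can be scripted. The Python below is an added example, not part of the relay's own tooling: it parses `dig +short TXT` output, joining the quoted chunks dig prints when a record exceeds 255 bytes (as long RSA keys do), and checks each record against the values on this page. The function names and the SAMPLE data are constructed for illustration.

```python
import base64
import re

def txt_values(dig_output):
    """One TXT record per line of `dig +short TXT`; a record over 255 bytes is
    printed as several quoted chunks, which are joined here before parsing."""
    return ["".join(re.findall(r'"((?:[^"\\]|\\.)*)"', line))
            for line in dig_output.splitlines() if line.strip()]

def tags(record):
    """Parse a 'tag=value; tag=value' list (DKIM and DMARC syntax)."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def check_dkim(dig_output, algo):
    recs = [t for t in map(tags, txt_values(dig_output)) if t.get("v") == "DKIM1"]
    if len(recs) != 1:
        return [f"expected one DKIM1 record, found {len(recs)}"]
    problems = [] if recs[0].get("k") == algo else [f"k= is not {algo}"]
    try:
        key = base64.b64decode(recs[0].get("p", ""), validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return problems + ["p= is not valid base64 (truncated paste?)"]
    if not key:
        problems.append("p= is empty, which marks the key as revoked")
    elif algo == "ed25519" and len(key) != 32:
        problems.append(f"Ed25519 key is {len(key)} bytes, expected 32")
    return problems

def check_spf(dig_output, relay_ip="87.99.138.77"):  # relay IP from this page
    recs = [r.split() for r in txt_values(dig_output) if r.split()[:1] == ["v=spf1"]]
    if len(recs) != 1:  # more than one v=spf1 record is an SPF permerror
        return [f"expected one v=spf1 record, found {len(recs)}"]
    problems = [] if f"ip4:{relay_ip}" in recs[0] else ["relay IP not authorized"]
    return problems if recs[0][-1] == "-all" else problems + ["does not end in -all"]

def check_dmarc(dig_output):
    recs = [t for t in map(tags, txt_values(dig_output)) if t.get("v") == "DMARC1"]
    if len(recs) != 1:
        return [f"expected one DMARC1 record, found {len(recs)}"]
    return [] if recs[0].get("p") == "reject" else [f"p={recs[0].get('p')}, not reject"]
# Constructed sample dig output; the keys are filler bytes, not real keys.
_rsa = base64.b64encode(b"constructed-not-a-real-key" * 12).decode()
SAMPLE = {
    "rsa": f'"v=DKIM1; k=rsa; p={_rsa[:200]}" "{_rsa[200:]}"',
    "ed25519": f'"v=DKIM1; k=ed25519; p={base64.b64encode(bytes(32)).decode()}"',
    "spf": '"some-site-verification=constructed"\n"v=spf1 ip4:87.99.138.77 -all"',
    "dmarc": '"v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:postmaster@atmos.email"',
}
```

Each check returns a list of problems, so an empty list means the record matches what this page describes. Feed it the text that the corresponding dig command prints.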
Alignment, in plain language
"Alignment" is the rule that ties an authentication signal back to the domain in the From: header. DMARC requires at least one of SPF or DKIM to align.
- Your DKIM signature uses d=yourdomain.com, which aligns with the From: header. ✓
- The relay's d=atmos.email signature does not align with your domain. That's fine; only one needs to align.
- SPF aligns through the envelope return-path (MAIL FROM). The relay's return-path is on a subdomain of atmos.email, which is why DMARC needs aspf=r (relaxed) to consider it. In practice, DKIM alignment is the load-bearing one.
The labeler step
Once DKIM is live in DNS, the labeler issues a verified-mail-operator label on your DID. The relay watches for this label and uses it as proof of DNS authentication. See Atproto labels for what each label means and how to query them.
If the labeler can't verify your DKIM (because the DNS record is missing, mistyped, or hasn't propagated yet), enrollment will retry. You can check status at /account.