Two CNAMEs and one TXT record at your DNS provider — once. Then we manage DKIM rotation, SPF flattening, and DMARC progression on our zone.
Q3 2026: MTA-STS · TLS-RPT · BIMI · 100+ blocklist surveillance — all included on the same delegation when they land.
Most teams are sending from your-domain.com within an hour of access. DMARC walks to enforcement automatically over the next six weeks.
Tell us acme.com. We generate a unique slug for you, like acme-com-a3f1b8, that you'll never have to think about. The slug is your namespace on our zone.
At your DNS provider: ed1._domainkey.acme.com CNAME → acme-com-a3f1b8.dkim.emaildigit.com; _dmarc.acme.com CNAME → acme-com-a3f1b8.dmarc.emaildigit.com; and acme.com TXT → v=spf1 include:_spf.emaildigit.com ~all. We don't touch your root A/MX, your nameservers, or anything else.
Inside 5 minutes we publish DKIM (RSA 2048), SPF (flattened SES IPs), and DMARC at p=none. Over the next 6 weeks we walk DMARC to p=reject with reporting throughout. Future key rotations happen on our zone — your DNS is never touched again.
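A pre-flight check for the three records above, as an added example that is not Email Digit's own tooling. It validates a record set (constructed inline; the dict layout and function names are assumptions) against the targets shown, and flags two migration leftovers: a TXT sharing a name with a delegated CNAME, and a second v=spf1 record at the apex.

```python
PROVIDER = "emaildigit.com"  # provider zone named on the page

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")

def check_delegation(domain, slug, records):
    """records: {(owner_name, rtype): [values]}. Returns a list of findings."""
    domain, slug = norm(domain), norm(slug)
    rr = {(norm(n), t.upper()): v for (n, t), v in records.items()}
    findings = []
    expected = {
        f"ed1._domainkey.{domain}": f"{slug}.dkim.{PROVIDER}",
        f"_dmarc.{domain}": f"{slug}.dmarc.{PROVIDER}",
    }
    for owner, target in expected.items():
        got = [norm(v) for v in rr.get((owner, "CNAME"), [])]
        if got != [target]:
            findings.append(f"{owner}: CNAME is {got or 'missing'}, expected {target}")
        # A CNAME cannot share its owner name with other records, so a
        # left-over TXT here (e.g. an old DMARC policy) conflicts with it.
        clash = sorted(t for (n, t) in rr if n == owner and t != "CNAME")
        if got and clash:
            findings.append(f"{owner}: {'/'.join(clash)} coexists with CNAME")
    spf = [v for v in rr.get((domain, "TXT"), []) if v.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        # RFC 7208: zero records means no SPF, more than one is a permerror.
        findings.append(f"{domain}: {len(spf)} v=spf1 TXT records, expected exactly 1")
    elif f"include:_spf.{PROVIDER}" not in spf[0].lower().split():
        findings.append(f"{domain}: SPF lacks include:_spf.{PROVIDER}")
    return findings

# Constructed sample zones (acme.com and the slug are the page's own example values).
GOOD = {
    ("ed1._domainkey.acme.com", "CNAME"): ["acme-com-a3f1b8.dkim.emaildigit.com."],
    ("_dmarc.acme.com", "CNAME"): ["acme-com-a3f1b8.dmarc.emaildigit.com."],
    ("acme.com", "TXT"): ["google-site-verification=constructed",
                          "v=spf1 include:_spf.emaildigit.com ~all"],
}
# Constructed failure case: old DMARC TXT kept, old SPF record kept.
BAD = dict(GOOD)
BAD[("_dmarc.acme.com", "TXT")] = ["v=DMARC1; p=none"]
BAD[("acme.com", "TXT")] = GOOD[("acme.com", "TXT")] + ["v=spf1 mx -all"]

if __name__ == "__main__":
    for label, zone in (("good", GOOD), ("bad", BAD)):
        print(label, check_delegation("acme.com", "acme-com-a3f1b8", zone) or "ok")
```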
Every record below is published, monitored, and rotated on a schedule. Misconfigurations alert before they affect deliverability. You'll see them in the dashboard but you won't have to touch them.
_spf.emaildigit.com, which we keep flattened to the current AWS SES IP list. When AWS rotates IPs, we re-flatten our record — your DNS keeps working untouched.
p=none. 6-step progression to p=reject pct=100. Safety gates require alignment ≥ 95% before each promotion. RUA reports ingested + summarized in the dashboard.
Most deliverability tools surface 40 metrics and let you figure out which ones matter. Email Digit will compose one daily score from five weighted components — and tell you which one moved when the number changes.
When it ships: alerts the minute your sending domain or any of its IPs appears on a blocklist. We'll temporarily reroute sending through a clean pool while we work on the delist request.
The Valimails and dmarcians of the world tell you what's broken. Email Digit fixes it — because we're already sending your mail.
Yes, one click. You're only delegating a subdomain via CNAME, not handing over your nameservers. Remove the CNAMEs and the records stop resolving — your root domain, every other subdomain, and your existing DNS records are untouched throughout. We also offer a full export of historical DMARC reports and DKIM key history on request.
Trust gradient. Nameserver delegation means we'd run your whole DNS — your apex A record, your CDN, your Google verification token. That's far more access than you need to give for email infrastructure. Two CNAMEs + a TXT is the minimum we need to do the job, so it's what we ask for.
SPF must live as a TXT record at the apex of your domain (acme.com, not _spf.acme.com) — DNS rules forbid putting a CNAME alongside other records there. DKIM and DMARC can be CNAMEs to our zone, so those two move to managed delegation. Net: one ongoing TXT (SPF, set once), two CNAMEs that we manage forever.
Default schedule is 6 weeks: 2 weeks at p=none, 4 weeks at p=quarantine pct=50, then p=reject. We hold position if we see legitimate mail being affected — your forwarding rules, third-party senders, anything not aligned gets surfaced before we tighten policy.
Score crossing thresholds (when shipped): 90 → 80 creates a Sev-3 incident with diagnosis. 80 → 70 Sev-2, sending throttled. Below 70 sending pauses until root cause is resolved.
Q3 2026. The DNS TXT record will be included. The Verified Mark Certificate (VMC) is a $99/year add-on because Entrust and DigiCert charge us a fee per VMC issued. We handle the filing on your behalf.
Three records. One-time setup. Six weeks to enforcement. You write the email.