primitive docs
primitive app

Domains

Inbound and outbound on a custom domain are independent. Both run on the same set of DNS records you already understand: MX for inbound, DKIM / SPF / DMARC / TLS-RPT for outbound. The dashboard generates exact values for your domain; this page explains what each record does.

1. Add the domain

From the dashboard, add a domain. You can also call POST /api/v1/domains with { "domain": "yourdomain.com", "enable_outbound": true }. Primitive generates a verification token (and a DKIM keypair, if outbound is enabled) and returns the records you need to publish.

If MX for the domain already points at another provider (Google Workspace, Fastmail, etc.), the dashboard surfaces a conflict warning and offers to use a subdomain instead (e.g. mail.yourdomain.com) so you don't accidentally intercept your team's mail.

2. Inbound records

Two records, both required: MX routes mail, _primitive TXT proves ownership.

; Inbound (required)
@                       MX    10 mx1.primitive.dev.
_primitive              TXT   "<verification-token-from-dashboard>"

3. Outbound records

To send from @yourdomain.com, publish these too. Without them, Primitive denies outbound on this domain with cannot_send_from_domain.

; Outbound (required to send from this domain)
; <selector> is generated per-domain (e.g. pri-a3f2c8b1d4e5f607)
<selector>._domainkey   TXT   "v=DKIM1; k=rsa; p=<public-key-from-dashboard>"
@                       TXT   "v=spf1 include:mymx.dev ~all"
_dmarc                  TXT   "v=DMARC1; p=none; rua=mailto:[email protected]"
_smtp._tls              TXT   "v=TLSRPTv1; rua=mailto:[email protected]"

Per-domain DKIM key (selector is pri- followed by 16 hex chars; rotation is handled in place). If you already publish an SPF record, merge our include into it instead of adding a second SPF record. TLS-RPT is published at _smtp._tls per RFC 8460.

4. Verification

Primitive polls DNS automatically while you're on the verify step. There's also a Check now button if you want to force a check. You can verify programmatically with POST /api/v1/domains/{id}/verify.

Two phases:

  1. Inbound verified: MX and ownership-TXT both resolve. Mail can flow in.
  2. Outbound verified: DKIM signature validates and SPF/DMARC/TLS-RPT parse correctly. Outbound from this domain unlocks.

DNS propagation usually takes a few minutes. Some providers (a few cellular networks, certain country-level resolvers) can take hours.

Helpers in the dashboard

BIND-format zone file export, automatic TXT chunking for providers that cap strings at 255 chars, and a one-click jump into your DNS provider's editor when we can detect it.

Plan limits

Free orgs can claim one custom domain. Paid plans don't have a domain cap. The managed *.primitive.email subdomain doesn't count toward this limit.