Skip to content

Signing (SPF & DKIM)

Currently, Treezor API sends email to your end users during their onboarding and password reset.

When Treezor sends emails on behalf of your domain names, two technologies must be configured to ensure proper delivery.

Thumbs icon

Best practice – Make sure you configure emails properly

Otherwise, emails Treezor sends on your behalf are likely to be considered as spam or display warning messages such as "The sender is not who they claim to be".

SPF

The Sender Policy Framework is declared in the DNS zone of your domain name.

It enumerates the servers explicitely allowed to send emails on your behalf (aka sending emails ending in @your-domain-name.tld)

Info icon

Information – You must add Treezor IP addresses to the SPF record of your DNS zone

These IP addresses are provided by Treezor and allow Treezor to send email on your behalf.

SPF record example

ini
company-name.tld. 3599 IN TXT "v=spf1 mx include:company-name.spf.treezor.co -all"

DKIM

The DomainKeys Identified Mail is a private/public key pair technology, the public key lives in the DNS zone of your domain name.

This technology allows Treezor to sign outgoing emails, and empowers the recipient into checking the signature of a received email against the public key.

Info icon

Information – You must add the DKIM key in a TXT record of your DNS zone

The Treezor public DKIM key is provided by your Treezor Account Manager and allows Treezor to send emails on your behalf.

DKIM record example

ini
treezor._domainkey.company-name.tld. 3599 IN TXT "k=rsa; p=QsABSUqGDCh7GOBexnj+apFT[...]NlVDzn3c4aPMoPJROgyd7v1rI2"