Part of the PurelyManage series.

Adding a Domain

Adding a domain in PurelyManage is a single form: enter the domain name and submit. The backend calls the PurelyMail addDomain API and the domain appears in your list.

await pmPost('/api/v0/addDomain', { domainName })

The domain will show as unhealthy immediately because no DNS records are set yet. That is expected. The next steps are ownership verification and DNS setup.

Ownership Verification

PurelyMail requires you to prove you control the domain before it will route email for it. Verification is done by adding a TXT record to your DNS with a value PurelyMail provides.

The record looks like this:

yourdomain.com  TXT  purelymail_ownership_proof=<your-token>

The ownership token is specific to your PurelyMail account, not to the domain. It is the same token for every domain you add. In PurelyManage it is read from the PURELYMAIL_OWNERSHIP_TOKEN environment variable on the backend and served to the frontend via a dedicated endpoint:

app.get('/pm/config', { preHandler: requireAuth }, async (_req, reply) => {
  return reply.send({ ownershipToken: process.env.PURELYMAIL_OWNERSHIP_TOKEN ?? null })
})

The token is never embedded in the frontend build. It is fetched at runtime, behind authentication. If you forget to set it in your .env, the panel shows a warning on the Add Domain form rather than silently failing.

Once the TXT record is in DNS, PurelyMail verifies it during its next DNS check cycle. You can trigger a recheck from the panel without waiting.

DNS Records

After ownership is verified, you need to configure the email DNS records so mail actually flows. There are six records to add:

MX (tells the internet where to deliver email for your domain):

yourdomain.com  MX  10  mailserver.purelymail.com

SPF (authorizes PurelyMail to send email from your domain):

yourdomain.com  TXT  v=spf1 include:_spf.purelymail.com ~all

DKIM (cryptographic signature for outgoing mail). PurelyMail requires three CNAME records:

purelymail1._domainkey.yourdomain.com  CNAME  key1.dkimroot.purelymail.com
purelymail2._domainkey.yourdomain.com  CNAME  key2.dkimroot.purelymail.com
purelymail3._domainkey.yourdomain.com  CNAME  key3.dkimroot.purelymail.com

DMARC (policy for handling failed authentication):

_dmarc.yourdomain.com  CNAME  dmarcroot.purelymail.com

The DKIM records are the trickiest. The _domainkey subdomain appears on your side (left of CNAME), not on the PurelyMail side (right of CNAME). Getting this backwards is an easy mistake and takes time to debug because DNS propagation delays make the feedback loop slow.

The panel shows all six records with their exact values and a copy button on each. You do not need to remember the format. It is all in the DNS panel for every domain.

DNS Health Monitoring

The Domains page shows a badge per domain for each of the four record types: MX, SPF, DKIM, DMARC. Green means passing, red means failing or not yet detected.

Clicking a domain opens a DNS detail modal with the full status of each record and the exact values to set. There is also a “Re-check DNS” button that triggers an immediate recheck rather than waiting for the next scheduled check.

Behind the scenes, DNS rechecks do not run on every page load. That would be expensive at scale: 50 domains refreshing every 60 seconds adds up to thousands of API calls per hour. Instead the panel uses a priority-based scheduler that rechecks failing domains more frequently than healthy ones, with a separate background cron for steady-state maintenance. The DNS scheduler is covered in detail in a later post.

Deleting a Domain

To delete a domain, all email users on that domain must be removed first. If any users still exist in the local cache, the delete request is rejected with a clear message telling you how many users remain and to remove them first.

This order is enforced to prevent orphaned users: PurelyMail would accept a domain deletion even with users on it, leaving those mailboxes in a broken state. The panel blocks the domain deletion until the user count is zero.

Once users are cleared, scheduling the domain deletion works the same as any other destructive action in PurelyManage: the deletion is queued for 24 hours, visible to all admins, and cancellable before execution.

The next post covers user management: creating accounts, generating passwords, toggling 2FA, and what the PurelyMail API would not let us build.