Help Centre

TABLE OF CONTENTS

• What you'll need to decide
• How setup works
• For your IT team
  • 1. Proving ownership and signing mail (DKIM)
  • 2. Bounce handling (the Mail-From subdomain)
• Handling replies to your custom address
• Technical FAQ
• Need help?

What you'll need to decide

Before we begin, choose:

• Display name — the sender name your clients see in their inbox (e.g. X Company Compliance Team).
• Mailbox name — the part before the @ (e.g. noreply or compliance).
• Domain name — the domain the emails should come from (e.g. yourcompany.com).
• Mail-From subdomain — a dedicated subdomain used behind the scenes for bounce handling (e.g. aml.yourcompany.com). Your clients never see this — it's a purely technical address used by mail servers, and does not appear in the sender, the From address, or anywhere in the email recipients receive. It's a technical choice your IT team will usually make — the For your IT team section below explains what it's for. You can pick any subdomain that isn't already used for sending or receiving other mail.
  
  

If you have multiple offices, you can use a different display name or address per office.

Please decide all four — including the Mail-From subdomain — before contacting us. Sending them together lets us configure everything in one pass, so we won't have to come back to you for the subdomain separately. If you're unsure about the subdomain, ask your IT team (or see the section below) before getting in touch.

How setup works

1. Send us your details. Email onboarding@firstaml.com with the three details your clients will see — display name, mailbox name and domain name — plus the behind-the-scenes Mail-From subdomain (which your clients never see). Sending all four together means we can set everything up without coming back to you for more.
2. We configure sending for your domain. First AML sets this up and generates the DNS records your domain needs.
3. We send the records to your IT administrator. These prove your domain is authorised and keep your emails out of spam.
4. Your IT administrator publishes the records exactly as provided, then lets us know via onboarding@firstaml.com.
5. We validate and switch it on. Once the records check out, your emails start sending from your custom address.
   
   

Please publish the records promptly. After we issue them there is a limited window of about 24 hours for automatic verification. If the records aren't in place in time, verification has to be restarted manually, which delays go-live.

For your IT team

First AML sends email through Amazon Web Services (AWS) Simple Email Service (SES). Setting up a custom domain involves two separate things: proving you own the domain (so we can sign mail as you), and giving bounces somewhere to go. Your IT administrator simply publishes the DNS records we provide — there are no keys to manage and no access to grant.

1. Proving ownership and signing mail (DKIM)

We provide a set of CNAME records to add to your DNS. These delegate specific DNS entries (for example selector._domainkey.yourdomain.com) to First AML, which lets us cryptographically sign every outgoing message with a DKIM signature aligned to your domain. Receiving providers such as Gmail and Outlook verify this signature to confirm the message is genuinely authorised by your domain.

• Because the messages carry a valid DKIM signature aligned to your domain, they also satisfy your DMARC policy — so no changes to your existing root-domain DKIM or DMARC settings are required.
• You don't share private keys or manage any cryptographic settings — key rotation and signing are handled automatically.
  
  

2. Bounce handling (the Mail-From subdomain)

AWS SES requires a dedicated subdomain for the technical Mail-From / Return-Path address that processes bounces and complaints — this is the Mail-From subdomain you chose when sending us your details (e.g. aml.yourcompany.com). The visible From address your clients see can still use your main domain. It just needs to be a subdomain that you don't already use to send or receive other mail. For this subdomain we provide two records:

• An MX record — routes bounce and feedback handling to SES.
• An SPF (TXT) record — authorises SES to send for that subdomain.
  
  

Publish all records exactly as we supply them, and do not modify them. In particular, do not change the SPF qualifier from ~all to -all — this has broken mail delivery in the past. These are AWS requirements, not preferences, so there is no alternative configuration.

Handling replies to your custom address

It's up to you how email sent to your custom address is handled. Two common approaches:

1. A shared mailbox monitored by your AML team, or
2. A rejection rule that doesn't accept mail to the noreply mailbox and notifies the sender that it's unmonitored.

The rejection rule is usually simpler, and encourages clients to upload their information directly into First AML rather than emailing it.

Technical FAQ

For deeper technical questions your IT team may have — email security ("can anyone send as our domain?"), deliverability and spoofing (e.g. Mimecast), sharing a domain across related entities, and troubleshooting non-delivery — see the Email Integration — Technical FAQ.

Need help?

If you run into any difficulties, please contact your Customer Success Manager or email support@firstaml.com.