A guided walkthrough — read it, listen to it, or follow along step-by-step. Every section explains what to do, why it matters, and includes a 🔊 Read aloud button so you can listen instead of read.
You'll add four new DNS records and modify one existing record at Hostinger. Then ping Brevo's system to re-verify, and switch the worker to send from a clean @360degreelogicalmktg.com address.
Imagine you receive a letter that looks like it's from your bank, but the return address on the envelope is from some random P.O. box you've never seen. You'd be suspicious, right? That's exactly what happens to our portal emails today. The email arrives at Gmail, but Gmail looks at the return-path and sees "brevosend.com" — not our domain. It's not necessarily spam, but Gmail's filters give it a yellow flag.
After this setup, our emails will carry a DKIM signature — a cryptographic stamp that says "this email is genuinely from 360degreelogicalmktg.com". Gmail verifies the stamp by checking a public key we'll publish in DNS. If the stamp matches, Gmail trusts the email. That's the whole game.
This is not optional before real brand clients sign in. Their corporate spam filters are far stricter than personal Gmail. Without domain authentication, our magic-link invites won't reach them at all.
smtp.google.com) — incoming email is unaffected. The A/AAAA records pointing the domain at your VPS — also unaffected.
Hostinger hPanel (your nameservers are ns1/ns2.dns-parking.com — Hostinger's default).
When you bought the domain name 360degreelogicalmktg.com, you bought it through Hostinger. They're the registrar — the official keeper of that domain's records. Even though our website runs on a server (the VPS), the "phonebook" that tells the rest of the world how to reach our domain lives at Hostinger.
That phonebook is called DNS (Domain Name System). And Hostinger's panel for editing it is called hPanel. We verified your nameservers point to ns1.dns-parking.com and ns2.dns-parking.com — these are Hostinger's default. So yes, you manage DNS at Hostinger.
Click Copy on each Name and Value to paste into Hostinger. Tick the checkbox once saved.
Think of these as five different signs you're posting at your domain's front gate, each answering a different question:
Record 1 (brevo-code): "Yes, the person who created the Brevo account really does own this domain." It's a one-time ownership proof.
Records 2 & 3 (DKIM): "Here are our public signing keys. If you receive an email signed with the matching private keys, you can trust it's really from us." Two keys for redundancy.
Record 4 (SPF): "These are the only servers allowed to send email pretending to be us." We're adding Brevo to the list (Google is already there).
Record 5 (DMARC): "Here's our policy if an email fails the above checks. For now, just monitor — don't actually block anything."
What does "@" mean? It's shorthand for "the domain itself", i.e., 360degreelogicalmktg.com with no subdomain in front.
What's a CNAME? It's an alias. "Whenever someone asks for brevo1._domainkey.360degreelogicalmktg.com, point them to b1.360degreelogicalmktg-com.dkim.brevo.com". Brevo manages the actual signing key on their side.
@ (the one that contains v=spf1 include:_spf.google.com ~all). Do NOT add a second v=spf1 TXT — RFC 7208 only allows one SPF record per domain; a duplicate causes both to silently fail at most receivers.
What does each part mean? v=spf1 is the version tag. include:_spf.google.com says "anyone Google's published list authorizes". include:spf.brevo.com is the new addition for Brevo. ~all is a soft-fail rule: "any other server is suspicious but don't outright reject yet".
p=none = monitor only, never blocks email. Completely safe. Pick the alt value if you want a copy of DMARC aggregate reports yourself.MX → smtp.google.com · Google Workspace inbound mail. Leave alone — Brevo only handles outbound, not inbound.
A / AAAA at @ → your VPS IP (91.108.106.134 etc.) · Web traffic. Unrelated to email.
The MX record tells the rest of the world where to deliver mail addressed to your domain. Yours currently routes everything to Google — that's your business Gmail. If you edit it, incoming email stops working immediately across the whole company. Brevo has nothing to do with this; Brevo is only about sending, not receiving.
The A and AAAA records point your domain name to a specific server IP address — the server that hosts your website. If you edit those, the website goes down. Again, unrelated to email.
You should see two TXT lines for the root (the SPF and the brevo-code), both DKIM CNAMEs resolving to b1./b2.360degreelogicalmktg-com.dkim.brevo.com, and the DMARC TXT line. Any empty line = Hostinger save didn't apply — go back and re-save.
dig is a command-line tool built into every Linux system. It directly asks the public DNS system "what records exist for this name?" without any caching layer in the way.
This is how you confirm that DNS propagation is complete. Saving in Hostinger isn't enough — the change needs to spread to public name servers around the world. Until that happens, Brevo's verification will fail. dig tells you whether the rest of the internet can now see your new records.
Success looks like "verified":true,"authenticated":true in the GET response. Before that, you'll see the 400 "domain cannot be authenticated" message — that's the normal pre-DNS state, not an error.
curl is a command-line tool that makes web requests. The first call (PUT /authenticate) tells Brevo "go check my DNS now". The second call (GET /) reads back the current status. Brevo's checks are asynchronous — you ask, they go off and verify, you check back later for the result.
The BREVO_API_KEY in your env file is what proves the request is from you. Without it, Brevo wouldn't let just anyone trigger verifications on your account. The key is loaded into a shell variable so it never appears in your terminal history.
Until now, the worker has been sending from business@360degreelogicalmktg.com — the one specific email Brevo verified for us at the very beginning of this whole journey (the "single sender" step). That worked, but it was a workaround.
With the whole domain now authenticated, any local-part on the domain works. Pick something cleaner and more purpose-fit — no-reply@, notifications@, recce@, whatever. This looks more professional in your client's inbox.
Step 7.1 · Update worker env
Edit /root/360lm-web/.env:
Step 7.2 · Recreate the worker
Step 7.3 · Smoke test
Hi — this email is sent from the authenticated @360degreelogicalmktg.com domain.
no-reply@360degreelogicalmktg.com (not business@11449036.brevosend.com). In Gmail, click the 3-dot menu → "Show original" → verify DKIM=PASS for 360degreelogicalmktg.com, SPF=PASS, and DMARC=PASS.Step 7.4 · After 24h of green
Go back to Hostinger and bump the TTL on all five records back to 3600 (or your domain's default).
v=spf1 include:_spf.google.com ~all (remove the include:spf.brevo.com token).BREVO_FROM_EMAIL=business@360degreelogicalmktg.com in .env and recreate the worker.smtp.google.com MX) is untouched throughout — no risk to incoming email at any step.This whole process only adds new outgoing-email permissions on top of your existing setup. We never edit the records that handle incoming mail or website traffic. Even if every DNS change you make ends up wrong, the worst case is: outgoing emails from the Recce Portal don't deliver until you fix or remove the bad records. Your customer Gmail keeps working. Your website keeps working. Your team's email keeps working.
Every technical term used in this guide, defined plainly. Click 🔊 next to any term to hear it read aloud.
The phone book of the internet. Translates a domain name like 360degreelogicalmktg.com into the server's actual IP address. It also publishes other facts about your domain — where email should be delivered, who's allowed to send email as you, etc. Each fact is one DNS record.
The company you bought the domain from. They're the official record-holder. For this domain, that's Hostinger. You log into their panel (hPanel) to make DNS changes.
The actual computer that answers DNS queries for your domain. Yours are ns1.dns-parking.com and ns2.dns-parking.com — Hostinger's defaults. This tells us "DNS is managed at Hostinger".
Maps a domain (or subdomain) to an IP address — a numeric server location. AAAA is the same idea for IPv6 addresses. Your A record points to your VPS where the website runs. Editing this would take the website down.
Tells the world where to deliver incoming email for your domain. Yours points to smtp.google.com — Google Workspace. We never touch this; Brevo only handles outgoing mail.
A free-text label attached to your domain. Doesn't route anything by itself — just a string of text others can read. Used here for the brevo-code (ownership proof), SPF (sender policy), and DMARC (failure policy). You can have multiple TXT records at the same name, but only one starting with v=spf1.
An alias. Instead of pointing to an IP, it points to another hostname. We use it for the two DKIM keys — aliasing names under our domain to corresponding names inside Brevo's domain. Brevo hosts the actual keys; we just publish the pointer.
A TXT record listing "these servers are allowed to send email pretending to be me". Receivers check this to detect spoofers. Only one SPF record allowed per domain — a duplicate makes both invalid and breaks delivery. That's why we EDIT the existing one when adding Brevo.
A cryptographic signature added to every outgoing email. Brevo signs the email with a private key; the receiver fetches your public key by following our two CNAMEs to Brevo and verifies the signature. If it matches, the email is provably authentic and untampered.
The policy layer on top of SPF and DKIM. Tells receivers what to do if an email fails verification (do nothing / quarantine / reject). p=none = monitor only, safe. Also requests aggregate reports back, so you know if anyone's trying to spoof your domain.
How long DNS caches around the world remember a record before re-checking. Lower TTL = faster updates, slightly more nameserver load. 300 seconds (5 min) is good during rollout so Brevo's verification poll converges quickly. After it's green for 24h, bump back to 3600.
The spread of a new DNS change from your registrar out to caches and resolvers around the world. Usually takes minutes to hours. Until it completes, some parts of the internet still see the old record. dig tells you the current state.
An email-sending service (formerly Sendinblue). We use them for transactional emails — magic-link invites, weekly digests, response notifications. Free tier: 300/day. The point of this guide is making their emails appear authentically as your emails.
Hostinger's web control panel at https://hpanel.hostinger.com. You manage your domains there, including DNS records. All five record changes in this guide happen inside hPanel.
A command-line tool built into Linux that directly queries DNS. You run it on the VPS to check whether your new records are visible from the public DNS. If dig shows the records, the world can see them; if not, propagation isn't done.
Email triggered by a specific action — a magic-link invite, a weekly digest, a notification. Not marketing. The Recce Portal only sends transactional email.