Set up Resend transactional email on a Namecheap domain that already uses Private Email

If you bought your domain through Namecheap and turned on Private Email for the apex inbox, you already have working MX records for receiving mail at addresses like info@yourdomain.com or hello@yourdomain.com. Adding Resend on top so a contact form or transactional system can send mail from the same domain is one of those tasks where every tutorial assumes a different starting state, and the official documentation does not warn you about the conflict you are about to hit.

This is exactly what we walked through when wiring up wildtechdev.com, and the configuration that finally worked is the same configuration we use on vikingsense.com. If you are reading this because Resend says your domain is "Not Verified" and you do not want to lose the email you already have, this should save you an afternoon.

The conflict you are about to hit

When you add a new sending domain in Resend, the setup wizard gives you four records to add. A DKIM TXT record at resend._domainkey, an SPF TXT record on a send subdomain, an MX record on the same send subdomain that points to feedback-smtp at amazonses.com, and an optional DMARC record. The wizard tells you to add an MX record. Namecheap's Advanced DNS panel only shows MX as a record type when Mail Settings is set to Custom MX. If your Mail Settings is currently set to Private Email, the MX type is hidden from the dropdown entirely.

If you switch Mail Settings to Custom MX without understanding what you are doing, Namecheap removes the Private Email MX records that were silently powering your inbox, and incoming mail to info@yourdomain.com stops arriving. You can break your existing email infrastructure in about thirty seconds.

The fix is to switch Mail Settings to Custom MX, then immediately re-add the Private Email MX records yourself, then add the Resend MX record on the send subdomain.

The exact records that work

Here is the full DNS configuration we used to get Resend, Private Email, and a verified DKIM key all living on the same Namecheap domain. Translate yourdomain.com to your own apex name as you read.

Host records (in the regular Advanced DNS section)

A record at @ pointing to whatever your hosting provider expects. For Vercel that is 216.198.79.1.

CNAME record at www pointing to whatever your hosting provider expects.

TXT record at @ for your SPF policy. The value should be:

v=spf1 include:send.resend.com include:privateemail.com ~all

This single line authorizes both Resend's sending IPs and Namecheap Private Email's sending IPs. If you only put include:amazonses.com here (which is what some Resend documentation suggests) you will break Private Email's ability to send mail. The include:send.resend.com is the modern equivalent and covers all of Resend's infrastructure.

TXT record at _dmarc with the value v=DMARC1; p=none; to start. You can tighten this to p=quarantine later once your domain has built reputation.

TXT record at resend._domainkey with the DKIM value Resend gives you. The value starts with p= followed by a long base64 string ending in QIDAQAB.

Mail settings (in the separate Mail Settings section)

Switch Mail Settings from Private Email to Custom MX. Then add three MX records:

MX record at @ pointing to mx1.privateemail.com with priority 10.

MX record at @ pointing to mx2.privateemail.com with priority 10.

MX record at send pointing to feedback-smtp.us-east-1.amazonses.com with priority 10.

The first two preserve your inbound mail to info@ and any other address at the apex. The third gives Resend a return path for bounce handling.

Why the apex SPF approach matters

There are two ways to make Resend happy with SPF. The wizard suggests putting v=spf1 include:amazonses.com ~all on a send subdomain. That works if you only ever want to send from addresses at send.yourdomain.com, which is not really what most people want. The apex approach in the configuration above lets you send from addresses like noreply@yourdomain.com or hello@yourdomain.com, which is what makes the email look professional in the recipient's inbox.

The trade off is that putting SPF at the apex means you need to include every provider that sends mail on your behalf. The example above includes both send.resend.com and privateemail.com because both of those services send outbound mail using your domain. If you also use a CRM or marketing tool that sends from your domain, you would add its include directive to the same record.

Verification gotchas

Resend's verification check polls DNS until all the records resolve. Namecheap's TTL on a new record is usually a few minutes, but DNS caching outside Namecheap can add up to an hour. If the Resend dashboard still says Pending after twenty minutes, do not panic. Click Verify DNS Records once, walk away, and come back later.

Once verification flips to green, the DKIM and SPF status indicators should both show as verified. The MX status indicator may stay yellow or skip the check entirely depending on which version of the Resend dashboard you are on, because the bounce subdomain MX is not strictly required for sending.

After verification

Create an API key in Resend scoped to Sending access. The key starts with re_ followed by a random string. Store it in your application's environment variables as RESEND_API_KEY.

If you are deploying through Vercel, add RESEND_API_KEY in Settings > Environment Variables for Production and Preview. Add a second variable for the from address. We use CONTACT_FROM_EMAIL with a value like WildTech Development <noreply@yourdomain.com>. Trigger a redeploy so the new environment variables are picked up by your serverless functions.

Test with a real submission through whatever form posts to your API route. If it shows as Delivered in the Resend Emails dashboard but does not arrive in your inbox, check your spam folder. Brand new sending domains land in spam for the first couple of weeks until the receiving mail providers build up reputation signals. This is normal and improves on its own as you send more legitimate mail.

What to watch out for

Some Resend documentation pages still suggest the older send subdomain pattern. If you copy and paste those records into Namecheap without thinking, you will end up with an SPF record that only authorizes Amazon SES, and Private Email will stop being able to send replies. The fix is the one in this post. Use the apex include for both providers.

If you ever want to move away from Private Email later, the Mail Settings section is where you change it. Switching back from Custom MX to Private Email re-installs the default Namecheap MX records, but it does not undo your TXT records, so DKIM and SPF stay intact across that switch.