Overview
A Domain represents a local mail domain that the server recognises as its own. Without a matching Domain object, the server treats messages addressed to that domain as external and refuses delivery for them. The Domain is therefore the anchor for every downstream decision that depends on domain ownership: local-recipient resolution, DKIM signing, TLS certificate issuance, and the publication of DNS policy records.
DNS records
Stalwart can publish and maintain a domain's DNS records directly against a managed zone, removing the need to copy records into a provider web console by hand. The feature is driven by the Domain object and relies on a separately configured DnsServer (found in the WebUI under Settings › Network › DNS › DNS Providers) that carries the credentials and transport details for the zone. See DNS providers for the DnsServer setup itself; this page covers the lifecycle once a DnsServer is in place.
TLS certificates
Every Domain that terminates TLS (for SMTP on submission and port 25, IMAP, JMAP, HTTP services, and so on) requires a certificate whose Subject Alternative Names cover the host names used for those services. The Domain object decides whether that certificate is supplied by the operator or obtained automatically from an ACME certificate authority.
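The following added example (not part of Stalwart or its documentation) shows one way to check SAN coverage before deploying an operator-supplied certificate: it reports which service host names no SAN entry covers, treating `*` as a whole left-most label that stands for exactly one label. The function names, SAN entries and host names are constructed for illustration, and rejecting wildcards directly under a top-level domain is a conservative choice made by this example.

```python
# Added example: verify that a certificate's SAN list covers every service host name.
# All SAN entries and host names here are constructed sample data.

def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.lower().rstrip(".").split(".")

def san_matches(san, host):
    """Return True if one SAN dNSName entry covers the host name.

    Matching is exact, or a '*' that is the entire left-most label and
    stands for exactly one label (so '*.example.org' does not cover
    'example.org' or 'a.b.example.org').
    """
    s, h = _labels(san), _labels(host)
    if len(s) != len(h):
        return False
    if s[0] == "*":
        # Require two labels after the wildcard so '*.com' never matches.
        return len(s) >= 3 and s[1:] == h[1:]
    return s == h

def uncovered_hosts(san_list, hosts):
    """Return the host names that no SAN entry covers, in input order."""
    return [h for h in hosts if not any(san_matches(s, h) for s in san_list)]

# Constructed sample: SANs as they might be read from a certificate.
SAMPLE_SANS = ["mail.example.org", "*.example.org"]

# Constructed sample: host names clients use for SMTP, IMAP, JMAP and HTTP.
SAMPLE_HOSTS = [
    "mail.example.org",
    "imap.example.org",
    "example.org",          # apex is not covered by the wildcard
    "mx.eu.example.org",    # two labels deep, not covered by the wildcard
    "MAIL.EXAMPLE.ORG.",    # same name as the first entry after normalisation
]

if __name__ == "__main__":
    for host in uncovered_hosts(SAMPLE_SANS, SAMPLE_HOSTS):
        print("not covered by any SAN:", host)
```
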
DKIM key rotation
Periodic DKIM key rotation limits the impact of key compromise and is a recommended operational practice for any mail domain that signs outbound messages. When rotation is enabled, the server takes over the full lifecycle of DKIM keys for a domain: generating new keys on schedule, publishing them in DNS ahead of use, switching signing over to the new key, and retiring old keys once they are no longer required for verification of in-flight messages.