How to fix Klaviyo DKIM, SPF, and DMARC
Step-by-step DNS configuration to pass DKIM, align SPF, and adopt a working DMARC policy on your Klaviyo branded sending domain — plus ongoing monitoring.
title: "How to fix Klaviyo DKIM, SPF, and DMARC"
description: "Step-by-step DNS configuration to pass DKIM, align SPF, and adopt a working DMARC policy on your Klaviyo branded sending domain — plus ongoing monitoring."
slug: "how-to-fix-klaviyo-dkim-spf-dmarc"
publishedAt: "2026-05-19"
updatedAt: "2026-05-19"
howToSteps:
  - name: "Verify the current authentication state"
    text: "In Klaviyo, go to Settings → Domains. Confirm whether your branded sending domain is verified. Then send a test email to a Gmail address and view 'Show original' to see SPF, DKIM, and DMARC results in the message headers."
  - name: "Set up your branded sending domain in Klaviyo"
    text: "If you haven't yet, Settings → Domains → Add Branded Sending Domain. Enter your sending subdomain (e.g., send.yourbrand.com). Klaviyo will generate CNAME records for you to publish in your DNS provider."
  - name: "Publish the Klaviyo CNAME records"
    text: "In your DNS provider (Cloudflare, GoDaddy, Route53, etc.), create the CNAME records exactly as Klaviyo specifies. Typically three CNAMEs that handle DKIM signing keys. Save and wait 5-30 minutes for DNS propagation."
  - name: "Verify the domain in Klaviyo"
    text: "Back in Settings → Domains, click 'Verify Domain' next to your branded sending domain. Klaviyo will check the CNAME records and update the verification status. Green check = ready. Red X = DNS records missing or incorrect."
  - name: "Confirm SPF alignment"
    text: "Klaviyo signs with their own SPF setup via the branded subdomain — you don't typically need to add Klaviyo to your root SPF record. However, if you're sending from the same root domain via other services, confirm your overall SPF record stays under 10 DNS lookups."
  - name: "Set up DMARC at policy 'none' first"
    text: "Add a DMARC record on your root domain: TXT record at _dmarc.yourbrand.com with value v=DMARC1; p=none; rua=mailto:dmarc@yourbrand.com. 'p=none' monitors without enforcing — required for initial discovery phase."
  - name: "Monitor DMARC reports for 2-4 weeks"
    text: "DMARC aggregate reports arrive at the rua address daily. Use a parser (Postmark, Valimail, DMARC Analyzer) to read them. Confirm all legitimate sending domains pass authentication. Identify any unauthorized senders."
  - name: "Escalate DMARC to 'quarantine' then 'reject'"
    text: "Once monitoring confirms only authorized sources are sending, change p=none to p=quarantine for 2-4 weeks, then p=reject. This enforces DMARC policy: unauthenticated mail goes to spam (quarantine) or is rejected outright (reject)."
  - name: "Verify Gmail/Yahoo compliance"
    text: "After DMARC enforcement, send a test to a Gmail address. View the message headers ('Show original'). All three should show 'pass': SPF, DKIM, DMARC. If any fails, fix before relying on the configuration for high-volume sends."
  - name: "Set up ongoing monitoring"
    text: "Schedule monthly DMARC report review. Watch for: new senders appearing (legitimate or not), authentication failures spiking, and CNAME records being silently changed. DNS-level monitoring tools or always-on services like Playbook catch these in hours rather than weeks."
related:
  - klaviyo-dmarc-failure-fix
  - klaviyo-branded-sending-domain-not-working
  - klaviyo-gmail-yahoo-sender-requirements
  - klaviyo-bounce-rate-suddenly-high
Email authentication — SPF, DKIM, and DMARC — is the difference between mail that lands in the inbox and mail that lands in spam (or doesn't get delivered at all). Since Gmail and Yahoo's bulk-sender requirements took effect in February 2024, sub-par authentication has stopped being a "nice to have" and started being a hard blocker for any brand sending serious volume on Klaviyo.
This page walks through the configuration step by step. The mechanics are mostly DNS work — adding records in your DNS provider and waiting for propagation. The judgment calls are around DMARC policy progression and the discipline of monitoring for drift afterward. Done well, the work is a one-time setup with monthly review. Done poorly, you'll spend the next year fighting bounce rate spikes and ISP throttling.
If you're starting fresh, follow top to bottom. If your authentication is partially configured and you're trying to debug a specific failure, jump to "Common mistakes" and "How to verify your setup is working" — those sections cover the most common failure points.
Prerequisites
Before starting:
- You own the sending domain. You need DNS access to add and modify records.
- You have admin access to your DNS provider. Cloudflare, GoDaddy, Route53, Namecheap, etc.
- You have a Klaviyo account with sending privileges. Settings → Domains is the relevant page.
- You have a Gmail address you can send test mail to. Gmail's "Show original" feature is the easiest way to verify SPF/DKIM/DMARC pass.
Step 1: Verify the current authentication state
In Klaviyo, Settings → Domains. Note whether you have a branded sending domain configured and whether it shows as verified.
Then send a test email from Klaviyo (a campaign in test mode, or use the "Send test" function on a flow email) to a personal Gmail address. Open the email in Gmail. Click the three-dot menu and select "Show original."
In the original view, look at the lines:
SPF: should show PASS
DKIM: should show PASS
DMARC: should show PASS
If any show NEUTRAL, FAIL, or are absent, you have work to do.
Step 2: Set up your branded sending domain in Klaviyo
If you don't already have a branded sending domain configured, set one up. Settings → Domains → Add Branded Sending Domain.
Enter your sending subdomain. Standard convention is send.yourbrand.com or mail.yourbrand.com — a subdomain dedicated to marketing mail. Do not use your root domain (yourbrand.com) — keeping marketing sends on a subdomain isolates reputation from your transactional and corporate mail.
Klaviyo generates three CNAME records you need to publish in DNS. They look like:
em1234.send.yourbrand.com → u1234.wl.sendgrid.net (or similar Klaviyo-managed endpoint)
s1._domainkey.send.yourbrand.com → s1.domainkey.u1234.wl.sendgrid.net
s2._domainkey.send.yourbrand.com → s2.domainkey.u1234.wl.sendgrid.net
(The exact endpoints depend on Klaviyo's current sending infrastructure — use whatever they generate for you.)
Step 3: Publish the Klaviyo CNAME records
In your DNS provider, create the three CNAME records exactly as Klaviyo specifies. Be especially careful about:
- Subdomain prefix. The record name should be the exact subdomain Klaviyo provides, including any tokens like em1234.
- Target value. The CNAME target must match exactly; some providers treat it as case-sensitive.
- TTL. Default TTLs (usually 1 hour to 1 day) are fine. Don't set absurdly short TTLs.
Save the records. DNS propagation typically takes 5-30 minutes but can take up to 24 hours. Use dig or a DNS lookup tool to verify:
dig em1234.send.yourbrand.com CNAME
Should return your Klaviyo target endpoint.
Step 4: Verify the domain in Klaviyo
Back in Settings → Domains in Klaviyo, click "Verify Domain" or "Re-check status." Klaviyo will query DNS for the CNAME records you just published.
- Green check: All records valid. You're authenticated.
- Yellow warning: Some records valid, others not. Re-check the failing ones in DNS.
- Red X: Records missing or incorrect. Re-publish in DNS and wait for propagation.
If you've waited 30+ minutes after publishing and verification still fails, the most common causes are: CNAME target typo, subdomain prefix wrong, or DNS provider auto-modifying the record (some providers strip trailing dots or add their own).
Step 5: Confirm SPF alignment
Klaviyo's branded sending domain handles SPF independently via the subdomain CNAME setup. You typically don't need to add Klaviyo to your root domain's SPF record.
However: confirm your overall SPF record (if you have one on your root domain for other services) stays under the 10-DNS-lookup limit. Each include: in an SPF record counts as one lookup. Exceeding 10 causes SPF to fail wholesale across all your sending sources.
If you have a heavy SPF record (with Google Workspace, Microsoft 365, and several SaaS senders), consider an SPF flattening service or selective consolidation.
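A lookup counter for the 10-lookup limit, added here as an example (not Klaviyo's or any vendor's tooling): it walks a constructed sample zone, following include: and redirect= recursively, and reports how many DNS-querying terms one SPF evaluation of your root domain costs. The zone names and contents are made up; swap sample_lookup for a real TXT resolver to check your own domain.

```python
"""Count the DNS-querying SPF terms for a domain, following include: and
redirect= recursively, so you know how close you are to the limit of 10."""

# Constructed sample zone standing in for a root domain with several SaaS
# senders; the names and contents are made up for this example.
SAMPLE_TXT = {
    "yourbrand.com": "v=spf1 mx include:_spf.workspace-example.com "
                     "include:spf.helpdesk-example.net include:_spf.crm-example.io -all",
    "_spf.workspace-example.com": "v=spf1 include:_netblocks.workspace-example.com "
                                  "include:_netblocks2.workspace-example.com ~all",
    "_netblocks.workspace-example.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_netblocks2.workspace-example.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "spf.helpdesk-example.net": "v=spf1 a mx include:_spf.crm-example.io ~all",
    "_spf.crm-example.io": "v=spf1 redirect=_spf2.crm-example.io",  # reached twice: counted twice
    "_spf2.crm-example.io": "v=spf1 ip4:203.0.113.0/24 -all",
}
LIMIT = 10
# Mechanisms and modifiers that cost a DNS query (RFC 7208 section 4.6.4).
COUNTED = ("include", "a", "mx", "ptr", "exists", "redirect")

def sample_lookup(domain):
    """Return the SPF TXT record for domain from the constructed zone."""
    return SAMPLE_TXT.get(domain)

def count_lookups(domain, lookup=sample_lookup, depth=0):
    """Return (lookups, notes): DNS-querying terms reachable from domain's SPF record."""
    record = lookup(domain)
    if record is None or not record.startswith("v=spf1"):
        return 0, [f"{domain}: no SPF record"]
    total, notes = 0, []
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")                       # drop the qualifier
        name, _, value = term.partition(":") if ":" in term else term.partition("=")
        name = name.split("/")[0]                        # "a/24" is still an "a" lookup
        if name not in COUNTED:
            continue                                     # ip4, ip6 and all cost nothing
        total += 1
        notes.append(f"{'  ' * depth}{domain}: {term}")
        if name in ("include", "redirect"):              # these pull in another record
            sub_total, sub_notes = count_lookups(value, lookup, depth + 1)
            total += sub_total
            notes.extend(sub_notes)
    return total, notes

def over_limit(domain, lookup=sample_lookup):
    return count_lookups(domain, lookup)[0] > LIMIT

if __name__ == "__main__":
    n, notes = count_lookups("yourbrand.com")
    print("\n".join(notes))
    print(f"{n} DNS lookups (limit {LIMIT})")
```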
Step 6: Set up DMARC at policy 'none' first
DMARC is a TXT record on _dmarc.yourbrand.com. Add:
v=DMARC1; p=none; rua=mailto:dmarc@yourbrand.com; ruf=mailto:dmarc@yourbrand.com; pct=100; aspf=r; adkim=r
Key components:
- p=none — policy of "monitor only." No enforcement yet.
- rua= — where DMARC aggregate reports go. Set up a dedicated inbox or DMARC parsing service.
- pct=100 — apply policy to 100% of mail (irrelevant at p=none but standard).
- aspf=r; adkim=r — relaxed alignment for SPF and DKIM. Required for Klaviyo's subdomain-based setup. Relaxed is also what receivers assume when these tags are omitted; stating them explicitly documents the intent.
Publish the record. Wait for DNS propagation.
Step 7: Monitor DMARC reports for 2-4 weeks
DMARC aggregate reports start arriving at your rua= address daily (or near-daily) from major receivers (Gmail, Yahoo, Outlook, etc.).
Reading raw XML reports is unpleasant. Use a parser:
- Free / low-cost: Postmark's DMARC Digests, DMARC Report
- Mid-tier: Valimail, DMARC Analyzer
- Enterprise: Sendmarc, dmarcian
The parser will show:
- All sources sending from your domain
- Which sources pass SPF, DKIM, or both
- Volume of authenticated vs unauthenticated mail
Goal of this monitoring period: confirm only legitimate senders are sending, and they all pass. Catch any forgotten senders (an old contact form on a forgotten subdomain, a transactional email provider you forgot to authenticate).
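An added example (not from Klaviyo or any of the parsers above) of what a DMARC aggregate parser computes, covering the Step 6 alignment modes as well: it reads a constructed sample report in the aggregate XML layout from RFC 7489, applies strict versus relaxed alignment to each record's SPF and DKIM results, and returns the pass rate by volume plus the sources that failed. The organizational-domain check is simplified to the last two labels; real validators use the Public Suffix List.

```python
"""Summarise a DMARC aggregate (rua) report: per-source results, identifier
alignment under the published aspf/adkim modes, and the overall pass rate."""
import xml.etree.ElementTree as ET

# Constructed sample report (not from a real receiver). Source 1 is the Klaviyo
# branded subdomain; source 2 is an unknown host using the From domain.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>yourbrand.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>950</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourbrand.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>send.yourbrand.com</domain><result>pass</result></dkim>
      <spf><domain>send.yourbrand.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>50</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourbrand.com</header_from></identifiers>
    <auth_results><spf><domain>mail.example.net</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""

def org_domain(name):
    # Simplification: last two labels. Real validators use the Public Suffix List.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(header_from, auth_domain, mode):
    """Strict (s): exact match. Relaxed (r): same organizational domain."""
    if mode == "s":
        return header_from.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(header_from) == org_domain(auth_domain)

def summarise(xml_text):
    root = ET.fromstring(xml_text)
    policy = root.find("policy_published")
    adkim, aspf = policy.findtext("adkim", "r"), policy.findtext("aspf", "r")
    rows = []
    for rec in root.findall("record"):
        hf = rec.findtext("identifiers/header_from")
        # DMARC passes when at least one authenticated identifier is aligned.
        dkim_ok = any(d.findtext("result") == "pass" and aligned(hf, d.findtext("domain"), adkim)
                      for d in rec.findall("auth_results/dkim"))
        spf_ok = any(s.findtext("result") == "pass" and aligned(hf, s.findtext("domain"), aspf)
                     for s in rec.findall("auth_results/spf"))
        rows.append({"source_ip": rec.findtext("row/source_ip"), "count": int(rec.findtext("row/count")),
                     "dkim_aligned": dkim_ok, "spf_aligned": spf_ok, "dmarc_pass": dkim_ok or spf_ok})
    total = sum(r["count"] for r in rows)
    passed = sum(r["count"] for r in rows if r["dmarc_pass"])
    return {"pass_rate": passed / total if total else 0.0, "rows": rows,
            "unauthenticated": [r["source_ip"] for r in rows if not r["dmarc_pass"]]}
```

Calling summarise(SAMPLE_REPORT) gives a 95% pass rate and flags 198.51.100.7, whose SPF passed for its own domain but was not aligned with the From domain.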
Step 8: Escalate DMARC to 'quarantine' then 'reject'
Once 2-4 weeks of p=none monitoring confirms clean authentication, move to enforcement.
Phase 1: p=quarantine. Change the policy:
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourbrand.com; pct=100; aspf=r; adkim=r
This tells receivers to send unauthenticated mail to spam. Monitor for 2-4 weeks. Watch for:
- Increased complaints from internal users or customers about legitimate mail going to spam
- New unauthenticated sources appearing in DMARC reports
Phase 2: p=reject. Once quarantine looks clean:
v=DMARC1; p=reject; rua=mailto:dmarc@yourbrand.com; pct=100; aspf=r; adkim=r
This tells receivers to reject unauthenticated mail outright, which is the highest enforcement level. Gmail and Yahoo's bulk-sender requirements consider p=reject the gold standard.
Step 9: Verify Gmail/Yahoo compliance
Send a test email from Klaviyo to a Gmail address. Open in Gmail. "Show original."
You should see:
SPF: PASS
DKIM: PASS
DMARC: PASS
All three. If any are NEUTRAL or FAIL, fix before relying on the configuration for production sending.
Send another test to a Yahoo address (if you have one) and verify the same.
Step 10: Set up ongoing monitoring
Authentication setup is not "set and forget." DNS records get accidentally deleted. CNAMEs get modified during DNS migrations. New senders get added without proper configuration. Schedule:
- Monthly: Review DMARC reports. Watch for new senders, authentication failure trends, volume changes.
- Quarterly: Verify CNAME records are still in place and correct via DNS lookup.
- After any DNS change: Re-send a test to Gmail and verify SPF/DKIM/DMARC all pass.
Active DNS monitoring tools (DNSCheck, MXToolbox, or always-on monitoring like Playbook) catch DNS drift in hours rather than the weeks DMARC reports require.
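An added example of the DNS-level check described above (example code, not Playbook's or Klaviyo's): it compares the live CNAMEs and the _dmarc TXT record against the values you published and reports any drift, including a policy that has slipped back toward p=none. It assumes dnspython for live lookups; the expected CNAME targets are the page's illustrative values and must be replaced with the records Klaviyo generated for your account.

```python
"""Detect DNS drift in the Klaviyo CNAMEs and the _dmarc TXT record; run from cron."""

# Expected state. These are the page's illustrative values; replace them with the
# exact records Klaviyo generated for your account.
EXPECTED_CNAMES = {
    "em1234.send.yourbrand.com": "u1234.wl.sendgrid.net",
    "s1._domainkey.send.yourbrand.com": "s1.domainkey.u1234.wl.sendgrid.net",
    "s2._domainkey.send.yourbrand.com": "s2.domainkey.u1234.wl.sendgrid.net",
}
DMARC_NAME = "_dmarc.yourbrand.com"
EXPECTED_POLICY = "quarantine"            # the enforcement stage you are at now
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}

def norm(name):
    # Trailing dots and case are not significant in DNS, but providers display them differently.
    return name.strip().rstrip(".").lower()

def live_lookup(name, rtype):
    """Resolve name/rtype with dnspython (assumed installed); [] on any failure."""
    import dns.exception, dns.resolver
    try:
        answers = dns.resolver.resolve(name, rtype)
    except dns.exception.DNSException:
        return []
    if rtype == "TXT":
        return [b"".join(r.strings).decode() for r in answers]
    return [r.target.to_text() for r in answers]

def dmarc_tags(record):
    return {k.strip(): v.strip() for k, v in (t.split("=", 1) for t in record.split(";") if "=" in t)}

def check_drift(lookup=live_lookup):
    """Return a list of findings; an empty list means nothing has drifted."""
    findings = []
    for name, want in EXPECTED_CNAMES.items():
        got = [norm(t) for t in lookup(name, "CNAME")]
        if norm(want) not in got:
            findings.append(f"{name}: expected CNAME {want}, got {got or 'no record'}")
    dmarc = [t for t in lookup(DMARC_NAME, "TXT") if t.startswith("v=DMARC1")]
    if len(dmarc) != 1:                   # two DMARC records is as broken as none
        findings.append(f"{DMARC_NAME}: expected one DMARC record, found {len(dmarc)}")
        return findings
    tags = dmarc_tags(dmarc[0])
    if POLICY_RANK.get(tags.get("p"), -1) < POLICY_RANK[EXPECTED_POLICY]:
        findings.append(f"{DMARC_NAME}: policy regressed to p={tags.get('p')}")
    if tags.get("aspf", "r") != "r" or tags.get("adkim", "r") != "r":
        findings.append(f"{DMARC_NAME}: alignment is strict; Klaviyo's subdomain needs relaxed")
    if not tags.get("rua", "").startswith("mailto:"):
        findings.append(f"{DMARC_NAME}: no rua= address, aggregate reports are not collected")
    return findings

if __name__ == "__main__":
    for finding in check_drift():
        print("DRIFT:", finding)
```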
Common mistakes
- DMARC policy jumped to p=reject without monitoring. Legitimate mail gets blocked before you discover unauthenticated sources. Always start at p=none.
- CNAME target typo. A single character wrong breaks DKIM. Re-check against Klaviyo's exact specification.
- SPF record exceeded 10 lookups. Causes SPF to fail across all senders.
- DMARC alignment set to strict. Klaviyo's branded subdomain doesn't satisfy strict alignment. Always use aspf=r, adkim=r (relaxed).
- rua mailbox not monitored. DMARC reports pile up without review. Critical signals missed.
- DNS provider auto-modifying records. Some providers strip trailing dots or add prefixes. Verify the published record matches Klaviyo's specification exactly via dig or DNS lookup.
How to verify your setup is working
After completing setup, weekly checks:
- DMARC reports show >95% authentication pass rate. Anything lower indicates a configuration issue or unauthorized sender.
- Test sends to Gmail show SPF/DKIM/DMARC all PASS in Show original.
- Klaviyo dashboard shows branded domain still verified. No red X on Settings → Domains.
- Bounce rate stays under 0.5%. Auth failures often manifest as bounces before they show in DMARC reports.
Monthly:
- DMARC parser shows no new unauthenticated senders
- CNAME records still in place (DNS lookup confirms)
- No spam-complaint rate increases that would indicate inbox-placement degradation
What can quietly break this later
CNAME records deleted during a DNS provider migration. Common during ops changes — DNS migration tools sometimes drop CNAMEs they don't recognize. DKIM silently fails.
DKIM key rotation in Klaviyo's infrastructure. Klaviyo occasionally rotates DKIM keys. If they update their CNAME targets and you haven't updated your DNS, your DKIM stops passing. Watch for any Klaviyo notifications about infrastructure changes.
Unauthorized senders appear on your domain. A forgotten subdomain gets used by an attacker. A SaaS tool gets connected by another team member without authentication. DMARC reports will show this.
Subdomain reputation drift independent of authentication. Authentication passes but inbox placement degrades. This is more about list hygiene and content than auth, but auth health is the foundation.
Klaviyo's branded domain endpoint changes. Rare, but possible. Verify against Klaviyo's current setup quarterly.
Each of these is invisible from Klaviyo's UI by default. Klaviyo doesn't actively monitor your authentication state or DMARC reports. Detection requires either active DMARC monitoring or a service like Playbook that checks DNS state and authentication on an hourly cadence — closing the days-to-weeks gap that DMARC reports leave open.
Frequently asked questions
- What's the difference between SPF, DKIM, and DMARC?
- SPF lists which servers are authorized to send mail from your domain. DKIM cryptographically signs each email so receivers can verify it wasn't tampered with. DMARC ties SPF and DKIM together and tells receivers what to do if mail fails authentication.
- Do I need DMARC for Klaviyo?
- Yes, especially since Gmail and Yahoo's February 2024 bulk-sender requirements. Senders above 5,000 messages/day to Gmail or Yahoo must have a DMARC policy of at least p=none with proper alignment.
- Should I set DMARC policy to p=reject right away?
- No. Start at p=none for at least 2-4 weeks to monitor what's actually being sent from your domain. Catching legitimate senders prevents you from accidentally blocking legitimate mail when you enforce.
- Why is my DKIM not passing with my Klaviyo branded domain?
- Most common causes: CNAME records not published correctly, DNS propagation hasn't completed (wait up to 24 hours), CNAMEs pointing to wrong Klaviyo endpoint, or DNS provider stripping records due to character limits.
- What's the right DMARC alignment mode?
- Relaxed alignment is standard for Klaviyo's branded subdomain setup. Strict alignment requires the From domain to match SPF/DKIM exactly, which Klaviyo's subdomain approach doesn't satisfy.
- Will Klaviyo tell me if my DKIM stops passing?
- No. If CNAME records are removed or changed, DKIM will silently fail and deliverability drops. Detection requires DMARC reports (delayed) or active DNS monitoring.
- How long does DMARC enforcement take to fully roll out?
- Plan 6-10 weeks total: 2-4 weeks at p=none to monitor, 2-4 weeks at p=quarantine to validate, then move to p=reject. Rushing the timeline risks blocking legitimate mail you didn't realize was being sent.