Klaviyo branded sending domain not working — DNS to fix

Diagnose a Klaviyo branded sending domain that won't verify — CNAME mismatches, DKIM key length, SPF include limits, and sending-from-subdomain gotchas — with the DNS fix for each.

Published: 2026-05-19

A Klaviyo branded sending domain that won't verify is one of the more frustrating setup tasks because the failure modes are invisible from inside Klaviyo. The verification page reads "Pending" or "Failed" with limited context. The DNS provider's UI shows the records as added. Something in between isn't matching, and the troubleshooting requires understanding both sides of the DNS-to-Klaviyo handshake.

This page is written for the operator in the middle of that setup — branded domain not verifying after the records are supposedly in place. Each failure mode below identifies a specific reason verification can fail and the DNS fix for it. The fixes are concrete; you'll be back in the DNS provider's panel.

Quick diagnosis checklist

  • Open Klaviyo's branded-domain verification page. Note which records are showing as "Pending" or "Failed." Different records fail for different reasons.
  • Use a DNS lookup tool (mxtoolbox.com, dnschecker.org). Look up each record Klaviyo requested. Verify the record exists, has the expected type (CNAME, TXT), and has the exact expected value.
  • Check for trailing dots, whitespace, and case differences. DNS providers handle these inconsistently. A value with a trailing dot in one provider may need to be entered without one in another.
  • Verify the records are on the right subdomain. A record for send.yourbrand.com placed at the root domain won't work, and vice versa.
  • Confirm your existing SPF record doesn't exceed the 10-lookup limit. Add Klaviyo's include and count total lookups.
  • Wait at least 30 minutes after adding records before reverifying. DNS propagation isn't instant.

1. CNAME record value mismatch

This is the single most common failure mode. The record exists in your DNS provider, but the value doesn't exactly match what Klaviyo expected. The mismatch can be invisible — extra whitespace, a trailing dot the provider auto-added, a typo, or the provider auto-appending the domain to the value.

How to verify. Use dig or an online DNS lookup tool to query the CNAME record. Compare the returned value character-for-character to Klaviyo's expected value. Common discrepancies:

  • DNS provider auto-appended .yourbrand.com to the value when you entered a relative reference.
  • Trailing dot present in one but not the other.
  • Whitespace at the start or end of the value (from copy-paste).
  • Wrong host — Klaviyo expected s1._domainkey.send.yourbrand.com but the record is at s1._domainkey.yourbrand.com.

How to fix it. Re-enter the record. Match Klaviyo's expected value exactly. If your DNS provider is auto-appending the domain, use a relative reference (just the value, no FQDN) or check the provider's documentation for how to enter an FQDN value correctly.

A specific gotcha for some providers. Cloudflare's "DNS Only" / "Proxied" toggle. If a CNAME is proxied through Cloudflare's network, the original CNAME value isn't returned to Klaviyo — Cloudflare's IP is. For Klaviyo CNAMEs, set them to "DNS Only" (gray cloud, not orange).
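The comparison described above, as an added example (not code from Klaviyo or from this page's author). The target dkim1.esp.example and the published records are constructed placeholders; substitute the host and value from Klaviyo's verification page and the answers dig returns.

```python
def norm(name):
    """Lower-case a DNS name and drop the trailing dot that resolvers print."""
    return name.strip().rstrip(".").lower()

def diagnose(host, target, zone, published):
    """Explain why the CNAME expected at `host` does not match DNS.

    `published` maps each CNAME host found in the zone to the target the
    resolver returned for it. An empty list means the record matches.
    """
    host, want, zone = norm(host), norm(target), norm(zone)
    records = {norm(h): t for h, t in published.items()}
    if host not in records:
        # Look for the same leading label (the DKIM selector) at another level.
        label = host.split(".")[0] + "."
        stray = sorted(h for h in records if h.startswith(label))
        hint = f"; found at {', '.join(stray)}" if stray else ""
        return [f"no CNAME at {host}{hint}"]
    findings = []
    raw = records[host]
    if raw != raw.strip():
        findings.append("whitespace around the value")
    got = norm(raw)
    # A value entered without the trailing dot the provider expects comes back
    # with the zone glued on: target.example -> target.example.yourbrand.com
    if got == f"{want}.{zone}":
        findings.append(f"provider appended .{zone} to the value")
    elif got != want:
        findings.append(f"different target: {got}")
    return findings

# Constructed records: one at the wrong level, one with the zone appended.
WRONG_HOST = {"s1._domainkey.yourbrand.com.": "dkim1.esp.example."}
APPENDED = {"s1._domainkey.send.yourbrand.com.": "dkim1.esp.example.yourbrand.com."}

if __name__ == "__main__":
    for sample in (WRONG_HOST, APPENDED):
        print(diagnose("s1._domainkey.send.yourbrand.com", "dkim1.esp.example",
                       "yourbrand.com", sample))
```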

2. DKIM key too long for the DNS provider

Klaviyo uses 2048-bit DKIM keys, which produce a TXT record value longer than the 255-character limit some DNS providers impose on single TXT record strings. The DNS standard allows splitting long values across multiple strings within a single record, but some providers don't handle this correctly.

How to verify. Look up your DKIM TXT record. The full value should be present, possibly split into multiple quoted strings within the record. If the value is truncated, your provider didn't split correctly.

How to fix it. Two options:

  1. Split the value yourself. Most DNS providers accept TXT values entered with explicit quoted-string separators. Klaviyo's documentation shows the canonical split.
  2. Move DNS to a provider that handles long TXT records natively. Cloudflare, AWS Route 53, and Google Cloud DNS all handle this correctly.

Why this matters. Without DKIM, your Klaviyo sends fail authentication. With Gmail and Yahoo's 2024 enforcement, that means significantly degraded deliverability, particularly for bulk senders.
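An added example (not Klaviyo's documented split) of option 1 and of the truncation check: it splits a value into 255-character quoted strings, rejoins them the way a verifier does, and tests whether the p= key is a complete DER structure. The key is a constructed stand-in, and the check assumes a key of 2048 bits or more.

```python
import base64
import re

# Constructed stand-in for a 2048-bit public key: real DER header, filler body.
FAKE_KEY = base64.b64encode(b"\x30\x82\x01\x22" + bytes(290)).decode()
RECORD = "v=DKIM1; k=rsa; p=" + FAKE_KEY          # 410 characters

def split_txt(value, limit=255):
    """Render a TXT value as quoted strings of at most `limit` characters each."""
    chunks = [value[i:i + limit] for i in range(0, len(value), limit)]
    return " ".join(f'"{c}"' for c in chunks)

def join_txt(rdata):
    """Concatenate the quoted strings of a TXT answer with no separator,
    which is how a DKIM verifier reads a multi-string record."""
    return "".join(re.findall(r'"([^"]*)"', rdata))

def key_is_complete(rdata):
    """True if the p= tag holds a whole DER structure rather than a cut-off one.
    Assumes a key of 2048 bits or more (two-byte DER length: 30 82 hh ll)."""
    tags = dict(t.strip().split("=", 1)
                for t in join_txt(rdata).split(";") if "=" in t)
    try:
        der = base64.b64decode(tags.get("p", ""), validate=True)
    except ValueError:                   # cut mid-group: no longer valid base64
        return False
    if len(der) < 4 or der[:2] != b"\x30\x82":
        return False
    # The header declares how many bytes follow it; a truncated key has fewer.
    return len(der) == 4 + int.from_bytes(der[2:4], "big")

if __name__ == "__main__":
    good = split_txt(RECORD)
    cut = '"' + RECORD[:255] + '"'       # what a provider that truncates publishes
    print(good)
    print(key_is_complete(good), key_is_complete(cut))
```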

3. SPF record exceeds the 10-lookup limit

SPF allows up to 10 DNS lookups per evaluation. Each include: directive uses one or more lookups (the included domain itself may chain further includes). If your existing SPF already includes Google Workspace, Microsoft 365, an ESP from a prior tool, and a few other services, you may be close to or already over the limit before adding Klaviyo.

How to verify. Look up your current SPF record. Count the include: directives. Use an SPF lookup tool (mxtoolbox SuperTool, dmarcian) — these tools count total DNS lookups including chained includes. If you're at 9 or 10 already, you have a problem.

How to fix it. Several options:

  1. Remove unused includes. If you switched away from Microsoft 365 or another ESP, remove their include from your SPF. Old includes accumulate.
  2. Flatten the SPF record. Replace include: directives with the actual IP ranges the include resolves to. This eliminates the lookup count but requires updating manually if the ESP changes infrastructure.
  3. Use an SPF macro service. Some third-party tools (like EasyDMARC's SPF flattener) maintain a flattened SPF record automatically.

The trap. When you go over the 10-lookup limit, SPF doesn't partially fail — it returns "PermError" and ISPs treat that as no SPF at all. So adding Klaviyo's include when you're already over the limit doesn't break "just Klaviyo" — it breaks all your authenticated sending.
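An added example of the count that SPF lookup tools perform, run over constructed records rather than live DNS (not code from this page's author). Every domain name in it is a placeholder, including spf.newesp.example, which stands in for the include Klaviyo gives you.

```python
import re

SPF_LIMIT = 10  # RFC 7208 section 4.6.4

# Constructed TXT data standing in for live DNS; every name is a placeholder.
ZONE = {
    "yourbrand.com": "v=spf1 mx include:_spf.workspace.example "
                     "include:spf.office.example include:mail.oldesp.example ~all",
    "_spf.workspace.example": "v=spf1 include:_n1.workspace.example "
                              "include:_n2.workspace.example include:_n3.workspace.example ~all",
    "_n1.workspace.example": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_n2.workspace.example": "v=spf1 ip4:192.0.2.128/25 ~all",
    "_n3.workspace.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "spf.office.example": "v=spf1 ip4:198.51.100.0/24 include:spfd.office.example -all",
    "spfd.office.example": "v=spf1 ip4:198.51.100.0/25 -all",
    "mail.oldesp.example": "v=spf1 include:a.oldesp.example include:b.oldesp.example ~all",
    "a.oldesp.example": "v=spf1 ip4:203.0.113.0/25 ~all",
    "b.oldesp.example": "v=spf1 ip4:203.0.113.128/25 ~all",
    "spf.newesp.example": "v=spf1 include:pool.newesp.example ~all",
    "pool.newesp.example": "v=spf1 ip4:203.0.113.64/26 ~all",
}

TERM = re.compile(r"[+\-~?]?(\w+)(?:[:=]([^/\s]+))?")

def count_lookups(domain, zone, path=()):
    """Count the DNS-querying terms evaluated for `domain`, following includes."""
    if domain in path:                      # include loop; stop descending
        return 0
    total = 0
    for term in zone.get(domain, "").split()[1:]:   # skip the v=spf1 tag
        name, target = TERM.match(term).groups()
        name = name.lower()
        if name in ("include", "redirect"):         # one lookup plus the child's
            total += 1 + count_lookups(target.lower(), zone, path + (domain,))
        elif name in ("a", "mx", "ptr", "exists"):  # ip4/ip6/all cost nothing
            total += 1
    return total

def check(record, zone, domain="yourbrand.com"):
    """Return (lookups, verdict) for a proposed SPF record at `domain`."""
    n = count_lookups(domain, {**zone, domain: record})
    return n, "permerror" if n > SPF_LIMIT else "ok"
```

With these records the existing policy already costs 10 lookups from only four visible terms, so appending one more include returns permerror, while swapping out the unused include first brings the total to 9.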

4. Sending from a subdomain but DNS records are at the root

Klaviyo recommends sending from a subdomain (send.yourbrand.com) rather than the root domain. Operators sometimes set up the branded domain correctly but then place the verification DNS records at the wrong level — either at the root when they should be at the subdomain, or vice versa.

How to verify. Klaviyo's verification page shows the exact host for each record (e.g., s1._domainkey.send.yourbrand.com). Open your DNS provider. Confirm each record is at that exact host, not at a level above or below.

How to fix it. Move the records to the correct host. Most DNS providers allow editing the host field of an existing record without recreating it.

A nuance. Some DNS providers display hosts differently. A record for s1._domainkey.send.yourbrand.com may show as s1._domainkey.send in a provider that auto-appends the root domain to the displayed host. Read the provider's display convention before assuming the record is at the wrong host.

5. DMARC alignment is broken

For DMARC to pass, either DKIM or SPF must align — meaning the authenticated domain must match (or be a subdomain of) the From: address domain. If your From: is hello@yourbrand.com but DKIM signs as send.yourbrand.com, alignment requires DMARC's relaxed mode (which Klaviyo supports by default) and a correctly-published DMARC policy on the root domain.

How to verify. Send a test email. View the headers. Look for dmarc=pass. If you see dmarc=fail, alignment is broken.

How to fix it. Confirm your DMARC record at the root domain (_dmarc.yourbrand.com) has at least a p=none policy. If you're sending from a subdomain and the From: uses the root domain, relaxed alignment (DMARC's default) should pass — verify the DMARC record exists.

Note. Strict alignment (adkim=s; aspf=s in the DMARC record) would require the From: domain to exactly match the authenticated domain. Most operators should use relaxed alignment (the default).

6. The verification status is stale

Sometimes Klaviyo's verification page caches the previous status and doesn't re-check immediately after you correct the records. The fix is technically in place but the UI still shows "Failed."

How to fix it. Click the "Verify" button on the page to force a re-check. If the records are correct and propagated, the status should update within a minute. If it doesn't, try refreshing the page or logging out and back in.

When to wait. If the records were added very recently (within the last hour), give DNS propagation time. TTL settings on your DNS records affect how quickly changes are visible globally; check the TTL on your records and wait at least that long.

How to verify the fix

After verification succeeds:

  1. Send a test email through Klaviyo. Send it to a Gmail address you control.
  2. Open the email. Click the three-dot menu → "Show original."
  3. Verify the authentication results. You should see dkim=pass, spf=pass, and dmarc=pass. The Signed-by field should be your branded domain, not Klaviyo's.
  4. Send a few campaigns over the next week. Watch your delivery rate. It should be stable or improving as ISPs trust your branded sender more.
  5. Set a reminder to check verification status monthly. DNS records can be modified by other team members or by DNS provider changes; verification can lapse silently.
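An added example covering step 3 and the alignment rule from section 5 (not code from Klaviyo or this page's author): it reads the Authentication-Results and From: headers of a saved message and reports each verdict and whether the DKIM and SPF domains align. The headers are constructed, and org_domain is a simplification (last two labels) where a real check uses the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers, shaped like what "Show original" displays.
SAMPLE = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.i=@send.yourbrand.com header.s=s1;
 spf=pass smtp.mailfrom=bounce@send.yourbrand.com;
 dmarc=pass (p=NONE) header.from=yourbrand.com
From: Your Brand <hello@yourbrand.com>
Subject: test

body
"""

def org_domain(domain):
    """Assumption: the organizational domain is the last two labels.
    That is wrong for suffixes such as .co.uk; use the Public Suffix List there."""
    return ".".join(domain.lower().split(".")[-2:])

def check_auth(raw, strict=False):
    """Report the dkim/spf/dmarc verdicts and whether each identity aligns with From:."""
    msg = message_from_string(raw)
    results = " ".join(msg.get("Authentication-Results", "").split())  # unfold
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2].lower()

    def aligned(pattern):
        m = re.search(pattern, results)
        if not m:
            return False
        dom = m.group(1).lower()
        # Strict (adkim=s / aspf=s) needs an exact match; relaxed compares org domains.
        return dom == from_dom if strict else org_domain(dom) == org_domain(from_dom)

    out = {}
    for mech in ("dkim", "spf", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", results)
        out[mech] = m.group(1) if m else "missing"
    out["dkim_aligned"] = aligned(r"dkim=pass[^;]*header\.(?:d=|i=\S*@)([\w.-]+)")
    out["spf_aligned"] = aligned(r"spf=pass[^;]*smtp\.mailfrom=(?:\S*@)?([\w.-]+)")
    return out
```

A message that shows dkim=pass with dkim_aligned False was signed by a domain other than yours, which is the "verified but not active" case from step 3.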

Why this keeps happening

Branded sending domain configuration touches three systems that aren't designed to coordinate: your DNS provider, Klaviyo, and the receiving ISPs. Each system has its own conventions, edge cases, and silent failure modes. When one of them changes — a DNS record gets edited, a TTL expires, your DNS provider updates how it handles long TXT records — the configuration that worked yesterday may not work today.

That's the failure mode external monitoring catches. We watch your branded domain's verification status continuously and surface a finding the day it stops verifying — not when you notice your deliverability dropped weeks later. The setup is one-time work; staying verified is ongoing vigilance, and that's where the audit-then-forget pattern leaves you exposed.

Frequently asked questions

Why isn't my Klaviyo branded sending domain verifying?
The most common cause is a CNAME record mismatch — either the record points to the wrong value, has stray whitespace, or your DNS provider auto-appended the domain to the value. Open your DNS provider, find each CNAME Klaviyo requested, and verify the record value exactly matches what Klaviyo's verification page shows. Whitespace and trailing dots matter.
How long does it take for a Klaviyo branded sending domain to verify?
Klaviyo polls DNS every few minutes during initial setup, so verification typically completes within 5-15 minutes of the DNS records propagating. DNS propagation itself can take from a few minutes to 48 hours depending on TTL settings on your domain. If verification hasn't completed after 24 hours, the issue isn't propagation — it's a record value mismatch.
Why does Klaviyo say my DKIM key is too short?
Klaviyo uses 2048-bit DKIM keys, which are longer than some DNS providers' default character limits for TXT record values (255 characters). Most providers handle this by splitting the value across multiple strings, but some don't. If your DNS provider's TXT record truncates the value, DKIM verification will fail. Use a provider that supports long TXT records, or contact support to split the value correctly.
What's the SPF include limit and why does it matter?
SPF records allow up to 10 DNS lookups per evaluation. Each 'include:' directive uses one or more lookups. If your domain's SPF already includes Google Workspace, Microsoft 365, and several other services, adding Klaviyo's include can push you over the limit. Once over, your SPF fails for all senders, not just Klaviyo. Audit your existing includes before adding Klaviyo's.
Should I send from my root domain or a subdomain?
Subdomain. Klaviyo recommends sending from a dedicated subdomain like 'send.yourbrand.com' or 'email.yourbrand.com' rather than your root domain. This isolates email sender reputation from your root domain's reputation (which protects your main site from email-driven reputation damage) and simplifies DNS configuration. Most senders should follow this default.
Can I verify the branded sending domain is actually being used?
Yes. Send a test email. Open it. View the email headers (in Gmail: click the three-dot menu → 'Show original'). The 'Mailed-by' and 'Signed-by' fields should show your branded domain, not Klaviyo's default sender. If they show Klaviyo's domain, the branded sending isn't active even if it's verified.
Will Klaviyo notify me if my branded domain stops verifying later?
Klaviyo shows the current verification status but doesn't proactively alert if DNS records are removed or modified. A domain that verifies today and is broken next month will sit in a broken state until you check it manually. This is one of the patterns continuous monitoring catches that one-time configuration doesn't.