Troubleshooting

Klaviyo DMARC failure — fix in production

How to fix DMARC failures on Klaviyo sends after Gmail and Yahoo's bulk-sender enforcement. DKIM alignment, SPF includes, policy choices, and verification steps.

Published: 2026-05-19

DMARC failures became a deliverability emergency in February 2024, when Gmail and Yahoo's bulk-sender enforcement made authentication a hard requirement rather than a best practice. Senders that hadn't fixed alignment issues saw deliverability collapse — sometimes within days of the enforcement deadline. Two years later, DMARC misconfigurations remain one of the most common causes of "my open rate dropped" and "my bounce rate spiked" threads in the Klaviyo Community.

This page is the production fix. It assumes you have an active Klaviyo account, you're sending real volume, and your DMARC is currently failing or partially failing. The steps below are the ones we walk customers through. Each takes 5-20 minutes depending on your DNS provider.

If you're not sure whether DMARC is actually failing, jump to the Quick diagnosis checklist first.

Quick diagnosis checklist

  • Send yourself a campaign. Forward the email to a Gmail address. In Gmail, click the three dots → Show original. Scroll to the Authentication-Results line.
  • Read the three results. You're looking for spf=pass, dkim=pass, and dmarc=pass. Any fail, softfail, or temperror is a problem.
  • Check your domain's DMARC record. Use a tool like dmarcian.com/dmarc-inspector or run dig TXT _dmarc.yourdomain.com from a terminal. Note the policy (p=) and the alignment mode (adkim=, aspf=).
  • Open Klaviyo → Settings → Domains. Click into your branded sending domain. Note which records show "Verified" vs "Not verified."
  • Check whether you have a branded sending domain at all. If you're sending from a generic Klaviyo-shared sending domain, you have no DKIM alignment by design — DMARC will fail unless your policy is p=none.
  • Check your SPF record. Run dig TXT yourdomain.com and look for the v=spf1 line. It should include include:_spf.klaviyo.com (or whatever Klaviyo's current SPF include is — check their docs for the latest value).
  • Look at your DMARC report data. If you've enabled DMARC reporting (rua=mailto:... in your DMARC record), you get daily/weekly reports showing which senders are passing and failing. If you don't have these, set them up before going further.

If those seven didn't fully diagnose it, work through the sections below.

1. Confirm you have a branded sending domain

DMARC alignment requires DKIM to sign against your sending domain — not a generic Klaviyo domain. If you're sending from noreply@send.klaviyo.com or similar, DKIM may sign correctly but the alignment between your From domain (hello@yourbrand.com) and the DKIM signing domain (klaviyo.com) fails. Strict DMARC alignment rejects the send.

How to check. Open a recent campaign in Klaviyo. Look at the From email. Is the domain yourbrand.com or klaviyo.com? If it's anything klaviyo.com, you don't have a branded sending domain configured.

How to fix it. Settings → Domains → Set up a branded sending domain. Enter yourbrand.com (or whatever your primary domain is). Klaviyo will give you a set of CNAME records to publish in your DNS provider.

After publishing, return to Klaviyo and click "Verify." Klaviyo will check the records and mark them as Verified. Once all the records verify (usually within an hour, sometimes up to 48 hours for full DNS propagation), Klaviyo's sends will be DKIM-signed against yourbrand.com — which is what DMARC alignment requires.

Why this matters most. Setting up a branded sending domain is the single change that fixes most DMARC failures. If your account isn't on a branded sending domain, doing this one thing solves 70% of authentication issues. Everything else on this page is downstream of having a branded sending domain configured correctly.

2. Verify DKIM is signing correctly

Once your branded sending domain is set up, every send should be DKIM-signed against your domain. Verify it by checking headers.

How to check. Send yourself a test campaign. View the original headers. Find the DKIM-Signature block. The d= value tells you the signing domain. It should be yourdomain.com (or a subdomain of it like email.yourdomain.com), not klaviyo.com.

Also check the Authentication-Results line. It should read dkim=pass header.i=@yourdomain.com.

If DKIM is failing.

  • dkim=temperror or dkim=fail usually means the DKIM DNS record (the CNAME) isn't published correctly or hasn't propagated. Re-verify the records in Klaviyo's domain settings.
  • dkim=pass but d= is wrong means the signature is valid but the wrong key signed it. This is rare and usually indicates a misconfigured branded sending domain.
  • No DKIM-Signature header at all means Klaviyo didn't sign the send. Check that your branded sending domain status in Klaviyo is fully verified.

3. Verify SPF includes Klaviyo

SPF is a TXT record on your domain that lists which servers are allowed to send mail for you. For Klaviyo, the include is typically include:_spf.klaviyo.com (always check Klaviyo's current docs for the canonical value).

How to check. Run dig TXT yourdomain.com from a terminal, or use any online SPF checker (mxtoolbox.com, dmarcian.com). Look for the v=spf1 record. It should include Klaviyo's include statement.

A typical correctly-configured record looks like:

v=spf1 include:_spf.google.com include:_spf.klaviyo.com ~all

If SPF is failing.

  • No SPF record at all. Add one. Start with v=spf1 include:_spf.klaviyo.com ~all if Klaviyo is your only sender. If you also send transactional mail through Google Workspace, your SaaS tools, etc., you need to include those too.
  • SPF record exists but doesn't include Klaviyo. Add the Klaviyo include statement. Be careful — SPF has a 10 DNS-lookup limit; if you're already close to that limit, adding another include can break the record.
  • SPF record has multiple v=spf1 lines. That breaks SPF entirely. Consolidate into one record.
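The three SPF failure modes above, plus the 10-lookup limit, can be checked mechanically. The Python below is an added example, not Klaviyo tooling or code from the original page; it lints against a constructed in-memory zone instead of live DNS, and the ZONE contents and the function names lint_spf and count_lookups are assumptions made for illustration.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

# Constructed TXT data standing in for DNS answers (not real records).
ZONE = {
    "yourdomain.com": ["google-site-verification=constructed",
                       "v=spf1 include:_spf.google.com include:_spf.klaviyo.com ~all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.example ~all"],
    "_netblocks.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_spf.klaviyo.com": ["v=spf1 ip4:198.51.100.0/24 ~all"],
}

def spf_records(domain, zone):
    """Return only the TXT strings at this name that are SPF records."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, path=frozenset()):
    """Count DNS-querying terms, descending into include: and redirect= targets."""
    records = spf_records(domain, zone)
    if domain in path or len(records) != 1:
        return 0  # loop, missing record, or duplicate records: nothing to expand
    total = 0
    for term in records[0].split()[1:]:
        m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?", term.lower())
        if not m:
            continue
        name, target = m.group(1), m.group(2)
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect") and target:
            total += count_lookups(target, zone, path | {domain})
    return total

def lint_spf(domain, zone, required_include="_spf.klaviyo.com"):
    """Return a list of findings; an empty list means none of the checks fired."""
    records = spf_records(domain, zone)
    if not records:
        return ["no SPF record"]
    if len(records) > 1:
        return ["multiple v=spf1 records (permerror)"]
    findings = []
    if f"include:{required_include}" not in records[0].lower().split():
        findings.append(f"missing include:{required_include}")
    lookups = count_lookups(domain, zone)
    if lookups > LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS lookups exceed the limit of {LOOKUP_LIMIT}")
    return findings
```

Nested includes count toward the limit, which is why a record with only a few visible include statements can still exceed it.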

4. Set or update your DMARC record

Once DKIM and SPF are passing, the final layer is your DMARC policy.

The DMARC record format. A TXT record at _dmarc.yourdomain.com with content like:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; adkim=r; aspf=r

Breaking that down:

  • p=none — receivers report on failures but don't take action. Safe starting policy.
  • p=quarantine — receivers send failing mail to spam.
  • p=reject — receivers reject failing mail at the SMTP layer.
  • rua=mailto:... — where aggregate reports are sent. Critical for diagnostics.
  • adkim=r — relaxed DKIM alignment. adkim=s is strict (a subdomain of the From domain does not count as a match).
  • aspf=r — relaxed SPF alignment. aspf=s is strict.

Recommended progression.

  1. Start with p=none. No deliverability impact, just gathers reports.
  2. Watch reports for at least 30 days. Identify any legitimate senders that are failing — these need to be fixed before tightening the policy.
  3. Move to p=quarantine. Failing mail goes to spam. Continue watching reports for 30-60 days.
  4. Move to p=reject. Strictest policy. Mail that doesn't authenticate is rejected.

Why not start at p=reject. Because every domain has some forgotten sender — a contractor's email tool, a SaaS that sends notifications from your domain, a CRM that hasn't been authenticated. p=reject rejects those silently. By the time you notice, you've lost a week of legitimate mail. The progression exists to surface those before they bite.

5. Set up DMARC reporting

DMARC reports are how you know whether your authentication is working in production. Without them, you're flying blind.

How to set them up. Add rua=mailto:dmarc@yourdomain.com to your DMARC record. ISPs that support DMARC reporting (Gmail, Yahoo, Microsoft, and others) will send daily aggregate XML reports to that address.

The reports are unfriendly to read in raw form. Use a free or low-cost DMARC reporting service:

  • dmarcian (free tier + paid plans)
  • Postmark DMARC Digests (free)
  • EasyDMARC (free tier + paid)
  • Valimail (free tier for small senders)

Connect one of these and let it parse the reports. Within a week or two, you'll have a clear picture of which senders are passing, which are failing, and where the alignment issues are.
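To see what those services extract, here is an added Python example (not from the original page or from any of the listed vendors) that summarizes one aggregate report. The sample XML is constructed in the RFC 7489 layout with documentation-range addresses, and the function name summarize is an assumption.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report; the second record is a forgotten sender whose SPF
# passes for its own domain (crm.example) but does not align with header_from.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>yourdomain.com</domain><p>none</p><adkim>r</adkim><aspf>r</aspf></policy_published>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>950</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><dkim><domain>klmail.yourdomain.com</domain><result>pass</result></dkim></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.9</source_ip><count>50</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>crm.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""

def summarize(xml_text):
    """Return (DMARC pass rate, list of failing sources) for one aggregate report."""
    # Reports are attachments from third parties: refuse DTDs so entity-expansion
    # payloads never reach the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not allowed in aggregate reports")
    root = ET.fromstring(xml_text)
    totals, failing = Counter(), []
    for rec in root.iter("record"):
        count = int(rec.findtext("row/count", "0"))
        # policy_evaluated holds the alignment-aware results; auth_results holds raw ones.
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        ok = "pass" in (dkim, spf)
        totals["pass" if ok else "fail"] += count
        if not ok:
            auth = [(a.tag, a.findtext("domain"), a.findtext("result"))
                    for a in rec.iterfind("auth_results/*")]
            failing.append({"source_ip": rec.findtext("row/source_ip"), "count": count,
                            "header_from": rec.findtext("identifiers/header_from"),
                            "auth": auth})
    total = sum(totals.values())
    return (totals["pass"] / total if total else 0.0), failing
```

A failing row whose raw auth result is pass for a different domain, as in the second record, points to an unaligned sender to fix before tightening the policy.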

6. Common alignment traps

The trickiest part of DMARC is alignment. DKIM and SPF can both pass, and DMARC can still fail if alignment isn't right.

Strict vs. relaxed alignment. Strict alignment (adkim=s, aspf=s) requires the From domain to exactly match the DKIM signing domain (or the SPF return-path domain). Relaxed alignment allows subdomain matches — hello@yourdomain.com with DKIM signing from email.yourdomain.com passes.

For most Klaviyo senders, relaxed alignment (adkim=r, aspf=r) is correct and recommended. Strict alignment is only useful if you're tightly controlling all sending paths and don't use any subdomains.

The MAIL FROM vs. From distinction. SPF authenticates against the MAIL FROM (return-path) domain, not the visible From. If those don't align, SPF can pass while DMARC alignment fails. This is one of the most common subtle DMARC failures. Klaviyo's branded sending domain handles this for you when set up correctly.

Subdomain DKIM signing. If Klaviyo signs from klmail.yourdomain.com and your From is yourdomain.com, relaxed alignment passes. Strict alignment fails. Verify your alignment mode before tightening your DMARC policy.
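The alignment rules in this section, applied to an Authentication-Results header and a DMARC record, look like this in Python. This is an added example, not code from the original page or from Klaviyo; the sample headers are constructed, the function names are assumptions, and the organizational domain is approximated as the last two labels where real receivers consult the Public Suffix List.

```python
import re

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Receivers use the
    # Public Suffix List, so this shortcut is wrong for suffixes such as co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode is the adkim/aspf tag value: 'r' (relaxed) or 's' (strict)."""
    a, b = from_domain.lower(), auth_domain.lower()
    if not b:
        return False
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def parse_tags(record):
    """Turn 'v=DMARC1; p=none; adkim=r' into {'v': 'DMARC1', 'p': 'none', ...}."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def parse_auth_results(header):
    """Extract each method's result and identifying domain from Authentication-Results."""
    out = {}
    for method, result, props in re.findall(r"\b(spf|dkim|dmarc)=(\w+)([^;]*)", header):
        found = re.findall(r"(header\.(?:i|d|from)|smtp\.mailfrom)=(\S+)", props)
        out[method] = {"result": result, **{k: v.rsplit("@", 1)[-1] for k, v in found}}
    return out

def dmarc_verdict(from_domain, header, dmarc_record):
    """DMARC passes when DKIM or SPF both passes and aligns with the From domain."""
    tags, res = parse_tags(dmarc_record), parse_auth_results(header)
    dkim, spf = res.get("dkim", {}), res.get("spf", {})
    dkim_dom = dkim.get("header.d") or dkim.get("header.i", "")
    dkim_ok = dkim.get("result") == "pass" and aligned(
        from_domain, dkim_dom, tags.get("adkim", "r"))
    spf_ok = spf.get("result") == "pass" and aligned(
        from_domain, spf.get("smtp.mailfrom", ""), tags.get("aspf", "r"))
    return {"dkim_aligned": dkim_ok, "spf_aligned": spf_ok,
            "dmarc_pass": dkim_ok or spf_ok, "policy": tags.get("p")}

# Constructed header values (receiver name and selector are placeholders).
SUBDOMAIN_SIGNED = ("mx.example.net; dkim=pass header.i=@klmail.yourdomain.com "
                    "header.s=kl1; spf=pass smtp.mailfrom=bounce@klmail.yourdomain.com")
SHARED_DOMAIN = ("mx.example.net; dkim=pass header.i=@klaviyo.com; "
                 "spf=pass smtp.mailfrom=bounce@send.klaviyo.com")
```

With a From domain of yourdomain.com, SUBDOMAIN_SIGNED passes under adkim=r/aspf=r and fails under adkim=s/aspf=s, while SHARED_DOMAIN fails in both modes even though SPF and DKIM each report pass.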

How to verify the fix

After each change above, verify it as follows.

  1. Send yourself a test campaign from Klaviyo. Use the same template as your real sends so the From address matches production.
  2. Open the email in Gmail (preferred for DMARC checking — their headers are detailed).
  3. Three dots → Show original.
  4. Read the Authentication-Results line. Confirm:
    • spf=pass smtp.mailfrom=yourdomain.com (or a subdomain)
    • dkim=pass header.i=@yourdomain.com
    • dmarc=pass header.from=yourdomain.com
  5. If any line fails, go back to the relevant section above.
  6. Send to a few other domains. Yahoo, Outlook, ProtonMail. Confirm they all show pass.
  7. After 24 hours, check your DMARC reports. The reporting service should show 100% pass for Klaviyo sends.

Why this keeps happening

DMARC failures are usually one-time fixes that stay fixed — until something changes. A DNS provider migration drops a record. A team member adds a new sender and forgets the SPF include. A subdomain restructure breaks alignment. A theme change updates the From address.

Each individual change rarely seems risky. The cumulative effect is that domains drift out of compliance over time, and the failure mode is silent — sends start landing in spam, opens drop slightly, complaints climb slightly, and nothing in Klaviyo's UI flags any of it as DMARC-related.

We monitor authentication-failure rate per ISP. When pass rate at Gmail drops from 99% to 85% overnight — which is what a DNS-related DKIM break looks like — we alert the same day with a link to your domain settings. The DNS change still has to be fixed manually, but the time between the change and the detection collapses from "you noticed weeks later" to "we told you Tuesday morning."

Frequently asked questions

What is a DMARC failure in Klaviyo?
A DMARC failure means the email you sent through Klaviyo didn't satisfy your domain's DMARC policy when it reached the recipient's mail server. Either DKIM didn't sign correctly, SPF didn't include Klaviyo's sending infrastructure, or the alignment between your From domain and your DKIM/SPF authentication failed. Depending on your DMARC policy (none, quarantine, or reject), the email either lands normally with a header note, lands in spam, or is rejected outright.
How do I fix a DMARC fail on Klaviyo emails?
Three steps. First, set up a branded sending domain in Klaviyo's settings — this is the foundation for alignment. Second, verify the DKIM and SPF records Klaviyo provides are correctly published in your DNS. Third, ensure your DMARC policy aligns with how you're actually sending — if you use 'p=reject' with strict alignment, the From domain must match the DKIM signing domain. Re-send a test campaign after each step and verify the headers.
Should my Klaviyo DMARC policy be none, quarantine, or reject?
Start with 'p=none' to gather DMARC reports without affecting deliverability. Once you've confirmed all legitimate senders are passing for at least 30 days, move to 'p=quarantine' (failing mail goes to spam). After 60 more days of clean reports, move to 'p=reject' (failing mail is rejected). Gmail and Yahoo's enforcement requires at least 'p=none' for bulk senders; 'p=quarantine' or stricter is recommended for serious senders.
Why did Gmail and Yahoo start enforcing DMARC in 2024?
In February 2024, Gmail and Yahoo announced bulk-sender requirements that included DMARC enforcement, one-click unsubscribe, and complaint-rate thresholds. The goal was to reduce spam and phishing at the inbox level. Senders that don't comply see deliverability degradation — emails landing in spam, throttled delivery, or outright rejection at the ISP.
Will Klaviyo automatically handle DMARC for my domain?
Klaviyo provides the DKIM and SPF records you need to publish and walks you through setting up a branded sending domain. Klaviyo doesn't publish DMARC policy for you — that's a record on your own domain that you control. You're responsible for the DMARC policy choice and the DNS record itself.
What's the difference between DKIM, SPF, and DMARC?
SPF lists which servers are allowed to send mail for your domain. DKIM cryptographically signs each email so the recipient can verify it came from your domain and wasn't tampered with. DMARC is a policy that tells recipients what to do when SPF or DKIM fail. All three work together — DMARC fails for a send if neither DKIM nor SPF alignment passes.
Will Playbook alert me when my Klaviyo DMARC starts failing?
Yes. We monitor authentication-failure rate per ISP and flag any sustained climb. If a DNS change breaks DKIM and your Gmail authentication-fail rate jumps overnight, we surface it the same day with a link to your domain settings.