SPF, DKIM, and DMARC for Brevo: complete setup guide
A complete walkthrough for authenticating Brevo (formerly Sendinblue). Brevo's current domain authentication uses two DKIM CNAME records (brevo1._domainkey and brevo2._domainkey) plus a brevo-code verification TXT. SPF is only needed if you send on a Brevo dedicated IP. DMARC ties it together.
TL;DR
- 1 DKIM: publish Brevo's two CNAME records (brevo1._domainkey and brevo2._domainkey) pointing at the targets Brevo shows. This signs your mail and lets DMARC pass on DKIM.
- 2 Verification: publish the brevo-code TXT at your apex so Brevo can confirm you own the domain.
- 3 SPF: only required for a Brevo dedicated IP. If so, add include:spf.brevo.com to your apex SPF. Standard shared-IP sending passes DMARC on DKIM alignment alone.
- 4 DMARC: start at p=none with rua, watch reports, then ramp to p=quarantine and p=reject.
What it does
This guide authenticates Brevo against your domain. Brevo's domain authentication walks you through two DKIM CNAME records (brevo1._domainkey.yourdomain and brevo2._domainkey.yourdomain) and a brevo-code verification TXT at your apex. Once they resolve and Brevo verifies them, outbound mail signs with d=yourdomain and DKIM aligns.
Brevo's current DKIM is a pair of CNAME records: you copy the two targets from Brevo's panel rather than pasting a key. Older accounts may still show a single legacy TXT at mail._domainkey; if your panel shows that, follow it. SPF is optional for standard sending and only needed on a dedicated IP.
Step 1: Set up SPF for Brevo
SPF is optional for Brevo's standard shared-IP sending: DMARC passes on DKIM alignment alone, so you can skip it. You only need Brevo's SPF include if you send on a Brevo dedicated IP. If you do, keep a single apex SPF TXT and add Brevo's include alongside any other senders.
-
1
For standard shared-IP sending, skip SPF entirely. DKIM alignment carries DMARC.
-
2
For a dedicated IP, edit your single apex SPF TXT record (do not create a second one).
-
3
Add the Brevo include exactly as Brevo's panel shows it (currently include:spf.brevo.com; the old include:spf.sendinblue.com is deprecated).
-
4
Mind the 10-lookup limit: each include counts, so count with the SPF lookup tool if you already have several senders.
Brevo's SPF include moved from spf.sendinblue.com to spf.brevo.com after the rebrand. Use whatever value Brevo's current panel shows. For standard shared-IP sending you can skip SPF entirely; DKIM alignment carries DMARC.
Step 2: Set up DKIM for Brevo
Brevo's current domain authentication uses two DKIM CNAME records, brevo1._domainkey and brevo2._domainkey, pointing at targets Brevo generates (2048-bit keys). You copy the two CNAME targets from Brevo's panel rather than pasting a key. Brevo also gives you a brevo-code TXT to prove you own the domain.
Selector: brevo1._domainkey and brevo2._domainkey
-
1
In Brevo, go to Senders, Domains & Dedicated IPs -> Domains, and click Authenticate next to your domain. (Confirm the current menu path in your Brevo account.)
-
2
Brevo shows two CNAME records, brevo1._domainkey.yourdomain and brevo2._domainkey.yourdomain, each with a target host to copy.
-
3
Publish both as CNAME records pointing at the exact targets Brevo shows.
-
4
Publish the brevo-code TXT at your apex (value brevo-code:<token>) so Brevo can verify domain ownership.
-
5
Return to Brevo and click Verify / Authenticate. The status flips to authenticated once the records resolve. Verify with the DKIM checker against the brevo1 and brevo2 selectors.
Older Brevo or Sendinblue accounts may instead show a single legacy DKIM TXT at mail._domainkey (k=rsa; p=...). If your panel shows that, publish it as a TXT instead. Always follow the exact records your current Brevo panel displays.
Step 3: Publish DMARC
-
1
With the two DKIM CNAMEs and the brevo-code TXT published (plus the SPF include if you use a dedicated IP), publish your DMARC record at _dmarc.yourdomain. Start at p=none so receivers report but take no action.
-
2
Add a rua address to collect daily aggregate reports.
-
3
Watch the reports for a couple of weeks. Confirm Brevo mail passes and aligns with d=yourdomain.
-
4
Move to p=quarantine, then p=reject once the only remaining failures are unknown or spoofed sources. See the DMARC rollout playbook for the full ramp.
Example record
Common pitfalls
-
Publishing only one of the two DKIM CNAMEs. Brevo needs both brevo1._domainkey and brevo2._domainkey to resolve before it will authenticate.
-
Skipping the brevo-code verification TXT. Brevo will not mark the domain authenticated, and signing stays off.
-
Adding include:spf.sendinblue.com. That value is deprecated; the current include is spf.brevo.com, and SPF is only needed for a dedicated IP.
-
Forcing a CNAME where your panel shows a legacy TXT (or vice versa). Brevo serves different record shapes to different accounts; match exactly what your current panel displays.
FAQ
What DKIM record does Brevo use?▾
Currently two CNAME records, brevo1._domainkey and brevo2._domainkey, pointing at targets Brevo generates (2048-bit). Older accounts may still show a single legacy TXT at mail._domainkey instead. Follow whichever your Brevo panel displays.
Do I need an SPF include for Brevo?▾
Only for a Brevo dedicated IP. For standard shared-IP sending, DMARC passes on DKIM alignment, so SPF is optional. If you do add it, the current include is spf.brevo.com (the old spf.sendinblue.com is deprecated).
Why won't Brevo authenticate my domain?▾
The usual cause is a missing brevo-code TXT, or only one of the two DKIM CNAMEs resolving. Publish both CNAMEs and the brevo-code TXT, then re-verify.
Is Brevo the same as Sendinblue?▾
Yes. Sendinblue rebranded to Brevo, so older guides still reference sendinblue.com. The current SPF include is spf.brevo.com; follow the records shown in your current Brevo domain-authentication panel.