Skip to main content
Scheduled Maintenance · We will be performing scheduled maintenance to improve system performance and reliability. During this window, scanning and alerting may be temporarily paused. No action is needed on your end. Jun 27, 2026 01:15 UTC → Jun 28, 2026 01:15 UTC
How-to DMARC Klaviyo

SPF, DKIM, and DMARC for Klaviyo: complete setup guide

A complete walkthrough for authenticating Klaviyo. Klaviyo uses a dedicated sending domain with CNAME-based DKIM and a CNAME-aligned return path, so both DKIM and SPF align with your brand. DMARC ties them together.

TL;DR

  • 1 SPF: Klaviyo aligns SPF through the return-path CNAME on your dedicated sending subdomain, not an apex include. Publish the CNAMEs Klaviyo shows.
  • 2 DKIM: publish Klaviyo's two CNAMEs (klaviyo1._domainkey -> dkim.klaviyomail.com, klaviyo2._domainkey -> dkim2.klaviyomail.com), or mail signs with klaviyomail.com and never aligns.
  • 3 DMARC: start at p=none with rua, watch reports, then ramp to p=quarantine and p=reject.

What it does

This guide authenticates Klaviyo against your domain. Klaviyo's branded (dedicated) sending domain feature uses CNAME-based DKIM with two static selectors plus a CNAME for the return path. Once published and verified, outbound campaigns sign with d=yourdomain (DKIM aligns) and the bounce domain is under your domain too (SPF aligns through the subdomain).

Klaviyo's DKIM CNAME targets are static (the same for every customer), so you can publish them as soon as you start the branded-domain setup. The return-path CNAME is what gives you SPF alignment without touching your apex SPF.

Step 1: Set up SPF for Klaviyo

Klaviyo aligns SPF through a return-path CNAME on your dedicated sending subdomain, not an apex SPF include. The branded-domain setup gives you that CNAME so the envelope-from resolves to Klaviyo's SPF and aligns.

  1. 1

    Set up a branded (dedicated) sending domain in Klaviyo, which is what enables d=yourdomain signing and the aligned return path.

  2. 2

    Publish the return-path / bounce CNAME Klaviyo provides on your sending subdomain.

  3. 3

    Do not add a Klaviyo include to your apex SPF. Klaviyo's sending IPs would not align with the apex, and the return-path CNAME handles SPF alignment.

<sending-subdomain> CNAME Click to select
(return-path CNAME on your Klaviyo sending subdomain -- value shown by Klaviyo's branded-domain setup)

SPF alignment runs through the dedicated sending subdomain's return-path CNAME, so DKIM is the primary path. DMARC passes as long as DKIM aligns even if SPF does not.

Step 2: Set up DKIM for Klaviyo

Klaviyo uses two static CNAME targets for DKIM. You publish both, then verify the branded sending domain in Klaviyo. Klaviyo hosts the keys, so you publish CNAMEs, not key text.

Selector: klaviyo1._domainkey and klaviyo2._domainkey

  1. 1

    In Klaviyo, go to Settings -> Account -> Domains and Hosting (or the current Domains panel) and start adding a branded sending domain. (Confirm the path in your Klaviyo account.)

  2. 2

    Publish the two DKIM CNAMEs: klaviyo1._domainkey.yourdomain -> dkim.klaviyomail.com and klaviyo2._domainkey.yourdomain -> dkim2.klaviyomail.com.

  3. 3

    Publish any return-path / bounce CNAME Klaviyo lists at the same time (see the SPF section).

  4. 4

    Return to Klaviyo and verify the domain. The status flips to verified once the CNAMEs resolve.

  5. 5

    Send a test campaign and confirm dkim=pass with d=yourdomain, or verify with the DKIM checker against the klaviyo1 selector.

klaviyo1/2._domainkey.yourdomain CNAME Click to select
klaviyo1._domainkey.yourdomain CNAME dkim.klaviyomail.com klaviyo2._domainkey.yourdomain CNAME dkim2.klaviyomail.com

These CNAME targets are static across all Klaviyo accounts, so they are safe to pre-publish. Verifying the branded domain is what makes Klaviyo start signing with d=yourdomain.

Step 3: Publish DMARC

  1. 1

    With the DKIM CNAMEs (and return-path CNAME) verified, publish your DMARC record at _dmarc.yourdomain. Start at p=none so receivers report but take no action.

  2. 2

    Add a rua address to collect daily aggregate reports.

  3. 3

    Watch the reports for a couple of weeks. Confirm Klaviyo campaigns pass with d=yourdomain.

  4. 4

    Move to p=quarantine, then p=reject once the only remaining failures are unknown or spoofed sources. See the DMARC rollout playbook for the full ramp.

Example record

_dmarc.yourdomain.com TXT Click to select
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; fo=1

Common pitfalls

  • Sending from the shared Klaviyo domain instead of setting up a branded (dedicated) sending domain. Without the branded domain, Klaviyo signs with klaviyomail.com and DKIM never aligns with your From.

  • Publishing the DKIM CNAMEs but skipping the return-path CNAME, then wondering why SPF fails. DMARC still passes via DKIM, but the return-path CNAME is what aligns SPF.

  • Adding a Klaviyo include to your apex SPF. Klaviyo's sending IPs will not align with the apex; the alignment comes from the subdomain return path.

  • Verifying the domain but continuing to send from an unbranded sender profile. Make sure the campaign's sending domain is the branded one.

FAQ

What CNAMEs does Klaviyo DKIM use?

Two static CNAMEs: klaviyo1._domainkey.yourdomain pointing to dkim.klaviyomail.com and klaviyo2._domainkey.yourdomain pointing to dkim2.klaviyomail.com. They are the same for every account, so you can publish them before Klaviyo shows them.

Do I need SPF for Klaviyo?

Not as an apex include. Klaviyo aligns SPF through the return-path CNAME on your dedicated sending subdomain. DKIM alignment is the primary path for DMARC; publish the return-path CNAME for SPF alignment as a backup.

Why does Klaviyo mail fail DMARC?

Usually because you are sending from the shared Klaviyo domain instead of a branded (dedicated) sending domain, so mail signs with klaviyomail.com and DKIM does not align. Set up the branded sending domain and publish its CNAMEs.

How do I set up a dedicated sending domain in Klaviyo?

In Klaviyo's Domains and Hosting settings, add a branded sending domain, publish the two DKIM CNAMEs and the return-path CNAME it provides, then verify. Confirm the exact menu path in your current Klaviyo account.