ESP guide

DMARC for Mailchimp: CNAME-based DKIM, no SPF include needed

Mailchimp's DKIM setup is CNAME-only — you publish two CNAMEs at k1._domainkey and k2._domainkey and Mailchimp signs with d=yourdomain. SPF is NOT required if DKIM aligns; in fact Mailchimp's docs recommend skipping the SPF include.

TL;DR

  • Two CNAMEs (k1._domainkey, k2._domainkey) — that's it.
  • Don't add Mailchimp to your SPF. DKIM alignment is enough for DMARC.
  • Mailchimp sends from mcsv.net IPs that won't align with your SPF anyway.

What it does

Mailchimp's authentication model relies entirely on DKIM CNAME delegation. You publish two CNAMEs at k1._domainkey.yourdomain and k2._domainkey.yourdomain pointing to dkim.mcsv.net selector records. Mailchimp's signing service does the cryptographic work on every send and the signature carries d=yourdomain.

Because DKIM-DMARC alignment is sufficient (you don't need both SPF and DKIM to pass), you don't need to add Mailchimp to your SPF record. This is a deliberate choice on Mailchimp's part to keep customers from blowing their SPF 10-lookup budget.

How it works

  1. In Mailchimp: Account → Settings → Domains → Add and Verify Domain.

  2. Click 'Authenticate Domain' next to your verified domain. Mailchimp displays two CNAME records.

  3. Publish both: k1._domainkey.yourdomain → dkim.mcsv.net, k2._domainkey.yourdomain → dkim.mcsv.net.

  4. Return to Mailchimp and click Verify. Status flips to Authenticated.

  5. Send a test campaign. The Authentication-Results header of the received message should show dkim=pass with d=yourdomain.

Common pitfalls

  • Adding include:servers.mcsv.net to your SPF anyway, thinking 'belt and suspenders'. Wastes 1-2 of your 10 SPF lookups for zero added security.

  • Verifying the domain but not enabling Authentication. The domain is verified for sender-name display purposes but Mailchimp still signs with mcsv.net.

  • Routing through Mandrill (Mailchimp's transactional sister) and not setting up DKIM for that separately. Mailchimp and Mandrill have different signing setups.

  • Using a custom subdomain (email.yourdomain) but publishing the CNAMEs at the apex. The selector names must include your sending subdomain: k1._domainkey.email.yourdomain.
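
To confirm step 5 and catch the "verified but not authenticated" pitfall, the check below parses an Authentication-Results value and reports whether a passing DKIM signature aligns with the From domain. It is an added example, not Mailchimp's or the original page's code; the function names, the `yourdomain.example` and `mx.receiver.example` names, and the sample headers are constructed, and the caller supplies the organizational domain instead of a Public Suffix List lookup.

```python
import re

def dkim_results(auth_results):
    """Return [(result, domain)] for every dkim= entry in an Authentication-Results value."""
    value = re.sub(r"\r?\n[ \t]+", " ", auth_results)  # unfold continuation lines
    value = re.sub(r"\([^()]*\)", " ", value)           # drop (comments)
    found = []
    for resinfo in value.split(";")[1:]:                # element 0 is the authserv-id
        method = re.match(r"\s*dkim\s*=\s*(\w+)", resinfo, re.I)
        if not method:
            continue
        # Prefer header.d; fall back to the domain of header.i when only that is reported.
        dom = (re.search(r"\bheader\.d\s*=\s*([\w.-]+)", resinfo, re.I)
               or re.search(r"\bheader\.i\s*=\s*[^\s;@]*@([\w.-]+)", resinfo, re.I))
        found.append((method.group(1).lower(),
                      dom.group(1).lower().rstrip(".") if dom else None))
    return found

def dkim_alignment(auth_results, from_domain, org_domain, strict=False):
    """Classify the header as 'aligned', 'pass-unaligned' or 'no-dkim-pass'.

    org_domain is the organizational domain of from_domain (assumption: the
    caller knows it). Relaxed mode accepts any signing domain under it.
    """
    from_domain, org_domain = from_domain.lower(), org_domain.lower()
    passing = [d for result, d in dkim_results(auth_results) if result == "pass" and d]
    for d in passing:
        relaxed_ok = d == org_domain or d.endswith("." + org_domain)
        if d == from_domain or (not strict and relaxed_ok):
            return "aligned"
    # A pass for another domain (e.g. mcsv.net) does not satisfy DMARC for your From.
    return "pass-unaligned" if passing else "no-dkim-pass"

# Constructed sample header values (not captured from real mail).
AUTHENTICATED = ("mx.receiver.example;\r\n"
                 " dkim=pass (2048-bit key) header.d=yourdomain.example header.s=k1;\r\n"
                 " spf=pass smtp.mailfrom=mcsv.net")
VERIFIED_ONLY = "mx.receiver.example; dkim=pass header.d=mcsv.net header.s=k1"
SUBDOMAIN = "mx.receiver.example; dkim=pass header.i=@email.yourdomain.example header.s=k2"

if __name__ == "__main__":
    samples = {"authenticated": AUTHENTICATED, "verified only": VERIFIED_ONLY,
               "subdomain": SUBDOMAIN}
    for name, header in samples.items():
        verdict = dkim_alignment(header, "yourdomain.example", "yourdomain.example")
        print(f"{name}: {verdict}")
```

A `pass-unaligned` result on a test campaign means the message was signed, but not with your domain, so DMARC gets no credit from DKIM.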