Skip to main content
How-to DKIM GoDaddy

Add Mailchimp, HubSpot & Zendesk to GoDaddy Without Breaking DMARC

Added an ESP and your mail is going to spam? On a GoDaddy p=quarantine domain, DMARC needs alignment. Here is how to authenticate Mailchimp, HubSpot, and Zendesk with DKIM.

If a third-party sender like Mailchimp, HubSpot, or Zendesk is landing in spam, it is almost always because your domain has an enforcing DMARC policy and that sender is not aligned. The fix is to authenticate your sending domain inside the platform and publish the DKIM CNAME records it gives you, so it signs your mail with a key under your own domain. SPF usually will not align for an ESP, so DKIM alignment is the part that has to be right.

Why an enforcing policy silently spams your senders

GoDaddy auto-publishes a DMARC record at p=quarantine on many new domains. That is an enforcing policy: a receiving server that gets a message claiming to be from your domain but failing authentication is told to treat it as suspicious, usually by dropping it in the spam folder. (At p=reject it bounces outright.) The catch is that this applies to your own mail too, not just spoofers. Wire up a marketing platform or a help desk without authenticating it, and its mail starts failing, quietly, with no error you ever see. If you want the full picture of GoDaddy's default record, read what GoDaddy's default DMARC record actually does.

The reason it fails is subtle, and it is the single most important concept on this page: passing authentication is not the same as aligning.

The key concept: DMARC needs alignment

DMARC does not just check that SPF or DKIM passed. It checks that one of them passed for your domain, the same domain a human reads in the From: line. That match is called alignment, and a message passes DMARC if either SPF aligns or DKIM aligns.

Here is where most ESP setups come undone. When you send through a third-party platform, that platform almost always uses its own Return-Path (the bounce address SPF actually checks) on its own domain. So the SPF check passes, but it passes for the platform's domain, not yours. SPF authenticated something, but it did not authenticate yourdomain.com, so SPF alignment fails. That is why "but SPF passes" is a trap: a green SPF check does nothing for DMARC if it is green for the wrong domain.

That leaves DKIM alignment as the reliable path. When you complete a platform's domain authentication, it gives you DNS records, usually CNAMEs, that publish a DKIM key under your domain. The platform then signs your outbound mail with that key, so the DKIM signing domain (d=yourdomain.com) matches your From: domain. DKIM aligns, DMARC passes, the mail is delivered. New to the underlying protocols? Start with what DMARC actually does.

Per-sender setup

The shape is identical for every platform: authenticate your sending domain inside the tool, then publish the CNAME records it generates in GoDaddy DNS. The exact hostnames and selectors are unique to your account and your domain, so use the values the platform shows you rather than any example. The general flow per platform:

Mailchimp

In Mailchimp, verify and then authenticate your sending domain (Website → Domains, or the domain settings in your account). Mailchimp generates a set of DKIM CNAME records to add to your DNS. Mailchimp's own SPF will not align with your domain because of its Return-Path, so the CNAME-based DKIM is what makes your campaigns pass DMARC. Add the CNAMEs in GoDaddy, then confirm Mailchimp shows the domain as authenticated.

HubSpot

In HubSpot, connect your email sending domain (Settings → Website → Domains & URLs, or the email configuration). HubSpot walks you through publishing DKIM records, again typically as CNAMEs, under your domain so it can sign mail as you. Add them in GoDaddy and let HubSpot verify. As with any ESP, lean on DKIM alignment rather than HubSpot's SPF for DMARC.

Zendesk

For Zendesk (and similar help desks that send replies as your support address), set up email authentication in the admin email settings. Zendesk asks you to add an SPF include and to publish DKIM records (CNAMEs) for your domain. Publish both in GoDaddy. The DKIM records are what give you alignment; the SPF include helps your direct sending but, like other ESPs, will not by itself make Zendesk mail DMARC-aligned.

As a numbered checklist, the universal sequence is:

  1. Check your DMARC policy at _dmarc.yourdomain.com. If it is p=quarantine or p=reject, authentication is mandatory before you send.
  2. Start the domain authentication (verify-your-domain) flow in the platform and enter the From: domain you will send as.
  3. Publish the exact CNAME (and any TXT) records the platform gives you in GoDaddy DNS management.
  4. Confirm the platform shows the domain as verified or authenticated, then send a test and confirm DKIM signs with your domain and aligns with your From:.
  5. Run your domain through a grader to confirm the new sender is aligned and nothing else regressed.

How to verify with a checker

Once the records are in, do not just trust the platform's green checkmark, confirm alignment end to end. Send yourself a test message from the platform and look at the headers: you want the message to pass DKIM with the signing domain (d=) matching your From: domain. The fastest path is to grade your domain, which reads your live DMARC, SPF, and DKIM in one pass so you can see whether the new sender is set up correctly and whether anything else regressed. You can also browse the free DMARC tools for individual record lookups.

The most durable signal of all is your DMARC aggregate reports, which list every IP and platform sending as your domain and whether each one aligned. That is exactly why redirecting those reports to yourself (rather than leaving them pointed at GoDaddy) is worth doing before you start adding senders.

Third-party sender FAQ

Why does my Mailchimp mail fail DMARC even though SPF passes?

Because DMARC does not care that SPF passes, it cares that SPF aligns. Mailchimp sends with its own Return-Path (bounce) domain, so the SPF check authenticates Mailchimp's domain, not yours. That domain does not match your From: domain, so SPF alignment fails. The fix is DKIM alignment: complete Mailchimp's domain authentication and publish the CNAME records it gives you, so Mailchimp signs your mail with a DKIM key under your domain. Then the DKIM d= matches your From: domain, DMARC passes on alignment, and the mail stays out of spam.

Will adding a third-party sender break my email?

Only if you skip authentication. On a domain with an enforcing DMARC policy (GoDaddy's default p=quarantine, or p=reject), an unauthenticated sender's mail gets spam-foldered or bounced because it is not aligned. If you complete the platform's domain authentication and publish its DKIM CNAME records before you start sending, the sender is aligned from the first message and nothing breaks. The order matters: authenticate first, then send.

How do I check if a sender is aligned?

Send a test message from the platform and inspect the headers, or run your domain through a checker. You want to see the message pass DKIM with the signing domain (d=) matching your From: domain, that is DKIM alignment. SPF alignment is a bonus but usually will not happen for an ESP because of its Return-Path domain, so DKIM alignment is the one that has to be right. Your DMARC aggregate reports also list every sender and whether it aligned, which is why pointing the reports at yourself is worth doing.

Do I still need SPF if I have DKIM alignment?

DMARC passes if either SPF or DKIM aligns, so DKIM alignment alone is enough to pass DMARC for an ESP. You should still keep a correct SPF record for your direct mail (for example Microsoft 365 or Google Workspace), and some platforms ask you to add an SPF include as well. But do not rely on the ESP's SPF include for DMARC, because its Return-Path domain means that include usually does not align. Treat DKIM alignment as the load-bearing part for third-party senders.