Set Up DMARC, SPF, and DKIM for Mailchimp
To authenticate your domain for Mailchimp, you need three DNS records: two DKIM CNAMEs pointing to dkim.mcsv.net and one SPF TXT record with include:servers.mcsv.net, plus a DMARC TXT record at _dmarc.yourdomain.com. The whole process takes about 10 minutes and Mailchimp walks you through generating the DKIM and SPF values. If this is your first time wiring up email for a domain, our email setup guide for new SaaS walks through the full sequence.
Why Mailchimp requires domain authentication
Mailchimp blocked sending from free email domains (gmail.com, yahoo.com, hotmail.com) back in 2024. If you're still using a free email domain in Mailchimp, campaigns won't send; you need a custom domain.
To deliver campaigns reliably, that domain has to authenticate with SPF, DKIM, and DMARC. Without them, ISPs treat your mail as untrustworthy. With them, you pass authentication checks and land in inboxes instead of spam.
Start in Mailchimp: authenticate your domain
Log into Mailchimp and go to Account → Domains → Authenticate Domain.
Enter your sending domain (e.g., campaigns.example.com). Mailchimp generates DNS records you'll add to your registrar.
You'll see two types of records:
-
Two DKIM CNAME records: these look like:
- Name:
k1._domainkey.yourdomain.com| Value:dkim.mcsv.net - Name:
k2._domainkey.yourdomain.com| Value:dkim.mcsv.net
- Name:
-
One SPF record: add this to your domain's TXT records:
v=spf1 include:servers.mcsv.net ~all
Do not add these yet; read the next section so you know where they go.
Add the records to your DNS
The location of these records depends on your registrar. The examples below use common registrars; your interface might look slightly different.
Add the DKIM CNAMEs
Go to your DNS provider (Route53, Cloudflare, Namecheap, GoDaddy, etc.) and add two new CNAME records:
| Name | Type | Value |
|---|---|---|
k1._domainkey.yourdomain.com |
CNAME | dkim.mcsv.net |
k2._domainkey.yourdomain.com |
CNAME | dkim.mcsv.net |
Replace yourdomain.com with your actual sending domain.
Add the SPF record
Find your domain's existing TXT records and add or update the SPF record. If you don't have one yet, create a new TXT record:
| Name | Type | Value |
|---|---|---|
yourdomain.com (or leave blank, depending on your provider) |
TXT | v=spf1 include:servers.mcsv.net ~all |
If you already have an SPF record, add include:servers.mcsv.net to it. For example, if your current SPF is v=spf1 include:sendgrid.net ~all, update it to:
v=spf1 include:servers.mcsv.net include:sendgrid.net ~all
The order of includes doesn't matter, but you can only have one SPF record per domain.
Why DMARC comes next
After Mailchimp verifies DKIM and SPF, you need DMARC. DMARC tells ISPs what to do with mail that fails your authentication checks.
Add a DMARC record at _dmarc.yourdomain.com:
v=DMARC1; p=none; rua=mailto:d-{domain_id}@in.dmarcdrift.com
Replace {domain_id} with your DMARCdrift domain ID (visible in your dashboard). If you don't have DMARCdrift yet, use a regular email address for now:
v=DMARC1; p=none; rua=mailto:postmaster@yourdomain.com
The p=none policy means "monitor only": mail still delivers even if it fails DMARC. You'll get aggregate reports at your rua= address showing how much mail aligns and how much doesn't. This is the right place to start.
Verify everything in Mailchimp
Go back to Mailchimp's domain authentication page and click Authenticate Domain (or Verify if it shows that).
Mailchimp checks:
- Both DKIM CNAMEs resolve and point to the right place
- SPF includes
servers.mcsv.net
This can take a few minutes to propagate through DNS. If it fails, double-check:
- CNAME names are exactly
k1._domainkey.yourdomain.comandk2._domainkey.yourdomain.com - CNAME values are exactly
dkim.mcsv.net - SPF record includes
include:servers.mcsv.net - You didn't accidentally add an underscore in the wrong place
Once verified, you'll see a green checkmark in Mailchimp.
Check your setup with a tool
Use the Email Authentication Checker to verify your SPF, DKIM, and DMARC are live:
- Enter your domain (
yourdomain.com) - Check that SPF shows
include:servers.mcsv.net - Check that DKIM shows both keys as valid
- Check that DMARC shows your policy as
p=none
What about DKIM alignment?
Mailchimp uses its own envelope sender (Return-Path) on mcsv.net, so SPF alignment with your domain won't happen. But DKIM alignment does: Mailchimp signs mail with your domain's DKIM key, so SPF alignment relaxation doesn't matter; DKIM gives you the protection you need. (If the difference between DKIM and DMARC is fuzzy, that explainer clears it up.)
This is why the DKIM CNAMEs are critical. That's your domain's authentication signature. If you ever need to inspect or tidy a raw DKIM key, our DKIM record formatter makes it readable.
Moving to stricter policies later
Once you've confirmed a few Mailchimp campaigns show dkim=pass in your DMARC aggregate reports, you can tighten your policy from p=none to p=quarantine or p=reject.
Before you do, make sure no other senders are using your domain. If you have WordPress, contact forms, or transactional mail from a different service also sending from yourdomain.com, those need authentication first. Otherwise they'll fail DMARC and stop delivering.
Once your aggregate reports show only authenticated mail, move to:
v=DMARC1; p=quarantine; rua=mailto:d-{domain_id}@in.dmarcdrift.com
p=quarantine tells ISPs to move failing mail to spam, not reject it outright. After a month at quarantine with no issues, you can move to p=reject.
Next steps
Once your DMARC record is live, aggregate reports will start arriving within 24–48 hours. DMARCdrift turns the XML into a readable digest, free for one domain.
