← Blog
Set Up DMARC, SPF, and DKIM for Mailchimp

By DMARCdrift Team

Set Up DMARC, SPF, and DKIM for Mailchimp

5 min readsetup-guidedmarcspfdkimemail-authentication

To authenticate your domain for Mailchimp, you need three DNS records: two DKIM CNAMEs pointing to dkim.mcsv.net and one SPF TXT record with include:servers.mcsv.net, plus a DMARC TXT record at _dmarc.yourdomain.com. The whole process takes about 10 minutes and Mailchimp walks you through generating the DKIM and SPF values. If this is your first time wiring up email for a domain, our email setup guide for new SaaS walks through the full sequence.

Why Mailchimp requires domain authentication

Mailchimp blocked sending from free email domains (gmail.com, yahoo.com, hotmail.com) back in 2024. If you're still using a free email domain in Mailchimp, campaigns won't send; you need a custom domain.

To deliver campaigns reliably, that domain has to authenticate with SPF, DKIM, and DMARC. Without them, ISPs treat your mail as untrustworthy. With them, you pass authentication checks and land in inboxes instead of spam.

Start in Mailchimp: authenticate your domain

Log into Mailchimp and go to Account → Domains → Authenticate Domain.

Enter your sending domain (e.g., campaigns.example.com). Mailchimp generates DNS records you'll add to your registrar.

You'll see two types of records:

  1. Two DKIM CNAME records: these look like:

    • Name: k1._domainkey.yourdomain.com | Value: dkim.mcsv.net
    • Name: k2._domainkey.yourdomain.com | Value: dkim.mcsv.net
  2. One SPF record: add this to your domain's TXT records:

    v=spf1 include:servers.mcsv.net ~all
    

Do not add these yet; read the next section so you know where they go.

Add the records to your DNS

The location of these records depends on your registrar. The examples below use common registrars; your interface might look slightly different.

Add the DKIM CNAMEs

Go to your DNS provider (Route53, Cloudflare, Namecheap, GoDaddy, etc.) and add two new CNAME records:

Name Type Value
k1._domainkey.yourdomain.com CNAME dkim.mcsv.net
k2._domainkey.yourdomain.com CNAME dkim.mcsv.net

Replace yourdomain.com with your actual sending domain.

Add the SPF record

Find your domain's existing TXT records and add or update the SPF record. If you don't have one yet, create a new TXT record:

Name Type Value
yourdomain.com (or leave blank, depending on your provider) TXT v=spf1 include:servers.mcsv.net ~all

If you already have an SPF record, add include:servers.mcsv.net to it. For example, if your current SPF is v=spf1 include:sendgrid.net ~all, update it to:

v=spf1 include:servers.mcsv.net include:sendgrid.net ~all

The order of includes doesn't matter, but you can only have one SPF record per domain.

Why DMARC comes next

After Mailchimp verifies DKIM and SPF, you need DMARC. DMARC tells ISPs what to do with mail that fails your authentication checks.

Add a DMARC record at _dmarc.yourdomain.com:

v=DMARC1; p=none; rua=mailto:d-{domain_id}@in.dmarcdrift.com

Replace {domain_id} with your DMARCdrift domain ID (visible in your dashboard). If you don't have DMARCdrift yet, use a regular email address for now:

v=DMARC1; p=none; rua=mailto:postmaster@yourdomain.com

The p=none policy means "monitor only": mail still delivers even if it fails DMARC. You'll get aggregate reports at your rua= address showing how much mail aligns and how much doesn't. This is the right place to start.

Verify everything in Mailchimp

Go back to Mailchimp's domain authentication page and click Authenticate Domain (or Verify if it shows that).

Mailchimp checks:

  • Both DKIM CNAMEs resolve and point to the right place
  • SPF includes servers.mcsv.net

This can take a few minutes to propagate through DNS. If it fails, double-check:

  • CNAME names are exactly k1._domainkey.yourdomain.com and k2._domainkey.yourdomain.com
  • CNAME values are exactly dkim.mcsv.net
  • SPF record includes include:servers.mcsv.net
  • You didn't accidentally add an underscore in the wrong place

Once verified, you'll see a green checkmark in Mailchimp.

Check your setup with a tool

Use the Email Authentication Checker to verify your SPF, DKIM, and DMARC are live:

  1. Enter your domain (yourdomain.com)
  2. Check that SPF shows include:servers.mcsv.net
  3. Check that DKIM shows both keys as valid
  4. Check that DMARC shows your policy as p=none

What about DKIM alignment?

Mailchimp uses its own envelope sender (Return-Path) on mcsv.net, so SPF alignment with your domain won't happen. But DKIM alignment does: Mailchimp signs mail with your domain's DKIM key, so SPF alignment relaxation doesn't matter; DKIM gives you the protection you need. (If the difference between DKIM and DMARC is fuzzy, that explainer clears it up.)

This is why the DKIM CNAMEs are critical. That's your domain's authentication signature. If you ever need to inspect or tidy a raw DKIM key, our DKIM record formatter makes it readable.

Moving to stricter policies later

Once you've confirmed a few Mailchimp campaigns show dkim=pass in your DMARC aggregate reports, you can tighten your policy from p=none to p=quarantine or p=reject.

Before you do, make sure no other senders are using your domain. If you have WordPress, contact forms, or transactional mail from a different service also sending from yourdomain.com, those need authentication first. Otherwise they'll fail DMARC and stop delivering.

Once your aggregate reports show only authenticated mail, move to:

v=DMARC1; p=quarantine; rua=mailto:d-{domain_id}@in.dmarcdrift.com

p=quarantine tells ISPs to move failing mail to spam, not reject it outright. After a month at quarantine with no issues, you can move to p=reject.

Next steps

Once your DMARC record is live, aggregate reports will start arriving within 24–48 hours. DMARCdrift turns the XML into a readable digest, free for one domain.

Get started free →