
SPF, DKIM, and DMARC for Mailchimp: complete setup guide

A complete walkthrough for authenticating Mailchimp. Mailchimp's model is CNAME-only DKIM: you publish two CNAMEs and Mailchimp signs with d=yourdomain. SPF is intentionally not required, because DKIM alignment alone satisfies DMARC.

TL;DR

  1. SPF: do not add Mailchimp to your SPF record. Mailchimp sends from mcsv.net IPs that will not align with your apex SPF, and DKIM alignment is enough for DMARC.
  2. DKIM: publish two CNAMEs (k1._domainkey -> dkim.mcsv.net, k2._domainkey -> dkim2.mcsv.net) and authenticate the domain in Mailchimp. Otherwise mail is signed with mcsv.net and never aligns.
  3. DMARC: start at p=none with rua, watch reports, then ramp to p=quarantine and p=reject.

What it does

This guide authenticates Mailchimp against your domain. Mailchimp's authentication model relies entirely on DKIM CNAME delegation. You publish two CNAMEs at k1._domainkey.yourdomain and k2._domainkey.yourdomain pointing to Mailchimp's static selector records. Mailchimp's signing service does the cryptographic work on every send and the signature carries d=yourdomain, so DKIM aligns with your From.

Because DMARC passes when either SPF or DKIM aligns, you do not need both. Mailchimp deliberately relies on DKIM alignment so you do not have to add an include and burn an SPF lookup. That is why this guide treats SPF as a deliberate skip rather than an omission.
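The alignment rule above, as an added example that is not from the original guide or from Mailchimp: it reads one Authentication-Results value and reports which mechanisms both pass and align with the From domain. The function names and the two header strings are constructed for illustration, and the organizational domain is approximated as the last two labels rather than derived from the Public Suffix List.

```python
import re

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Production DMARC
    # evaluators derive it from the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_alignment(from_domain, auth_results):
    """Return the mechanisms that pass AND align (relaxed) with the From domain."""
    want = org_domain(from_domain)
    aligned = []
    # SPF is judged on the envelope-from (smtp.mailfrom), not on the From header.
    spf = re.search(r"\bspf=(\w+)[^;]*?smtp\.mailfrom=(?:[^\s;@]+@)?([^\s;]+)",
                    auth_results)
    if spf and spf.group(1) == "pass" and org_domain(spf.group(2)) == want:
        aligned.append("spf")
    # A message can carry several DKIM signatures; one aligned pass is enough.
    for result, d in re.findall(r"\bdkim=(\w+)[^;]*?header\.d=([^\s;]+)",
                                auth_results):
        if result == "pass" and org_domain(d) == want:
            aligned.append("dkim")
            break
    return aligned

def dmarc_passes(from_domain, auth_results):
    # DMARC passes when at least one mechanism passes and aligns.
    return bool(dmarc_alignment(from_domain, auth_results))

# Constructed sample values (not captured from real mail).
# Domain authenticated in Mailchimp: signature carries d=yourdomain.com.
AUTHENTICATED = ("mx.receiver.example; spf=pass smtp.mailfrom=bounce@mail.mcsv.net; "
                 "dkim=pass header.d=yourdomain.com header.s=k1")
# Domain only verified: SPF and DKIM both pass, but for mcsv.net, so neither aligns.
VERIFIED_ONLY = ("mx.receiver.example; spf=pass smtp.mailfrom=bounce@mail.mcsv.net; "
                 "dkim=pass header.d=mcsv.net header.s=k1")

if __name__ == "__main__":
    for label, header in (("authenticated", AUTHENTICATED),
                          ("verified only", VERIFIED_ONLY)):
        print(label, dmarc_alignment("yourdomain.com", header),
              "DMARC pass" if dmarc_passes("yourdomain.com", header) else "DMARC fail")
```

In both samples SPF itself passes, yet it never appears in the aligned list because the envelope-from is under mcsv.net; adding a Mailchimp include to your own SPF record would not change that.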

Step 1: Set up SPF for Mailchimp

Mailchimp intentionally does not need an SPF include. Its sending IPs (mcsv.net) would not align with your apex domain anyway, and DKIM alignment alone satisfies DMARC. The correct action here is to NOT add Mailchimp to SPF.

  1. Do not add include:servers.mcsv.net (or any Mailchimp include) to your SPF record. It cannot align and wastes a DNS lookup.

  2. Leave your existing apex SPF for your real mailbox provider untouched.

  3. Rely on DKIM alignment (next section) for Mailchimp's DMARC pass.

yourdomain.com TXT
(no Mailchimp SPF include needed -- DKIM alignment is sufficient)

Adding a Mailchimp include is a common belt-and-suspenders mistake. It cannot align with your From because Mailchimp's envelope-from is under mcsv.net, so it adds a lookup for zero benefit.

Step 2: Set up DKIM for Mailchimp

Mailchimp uses two static CNAME targets (the same for every customer, no per-account customization). You publish both, then click Authenticate in Mailchimp. Mailchimp hosts the keys, so you publish CNAMEs, not key text.

Selector: k1._domainkey and k2._domainkey

  1. In Mailchimp, go to your account settings and find Domains (under Settings -> Domains, or Account & billing -> Settings -> Domains). Add and verify your sending domain. (Confirm the current path in your Mailchimp account.)

  2. Click Authenticate next to your verified domain. Mailchimp shows two CNAME records.

  3. Publish both: k1._domainkey.yourdomain -> dkim.mcsv.net and k2._domainkey.yourdomain -> dkim2.mcsv.net.

  4. Return to Mailchimp and click Verify / Authenticate. The status flips to authenticated once the CNAMEs resolve.

  5. Send a test campaign and confirm dkim=pass with d=yourdomain, or verify with the DKIM checker against the k1 selector.

k1/k2._domainkey.yourdomain CNAME
k1._domainkey.yourdomain CNAME dkim.mcsv.net
k2._domainkey.yourdomain CNAME dkim2.mcsv.net

If you send from a custom subdomain (email.yourdomain), the selectors must include it: k1._domainkey.email.yourdomain. Mandrill (Mailchimp's transactional product) has a separate DKIM setup.

Step 3: Publish DMARC

  1. With both CNAMEs published and DKIM aligning, publish your DMARC record at _dmarc.yourdomain. Start at p=none so receivers report but take no action.

  2. Add a rua address to collect daily aggregate reports.

  3. Watch the reports for a couple of weeks. Confirm Mailchimp campaigns pass with d=yourdomain.

  4. Move to p=quarantine, then p=reject once the only remaining failures are unknown or spoofed sources. See the DMARC rollout playbook for the full ramp.

Example record

_dmarc.yourdomain.com TXT
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; fo=1

Common pitfalls

  • Adding include:servers.mcsv.net to your SPF anyway, thinking 'belt and suspenders'. Wastes 1-2 of your 10 SPF lookups for zero added security.

  • Verifying the domain but not enabling Authentication. The domain is verified for sender-name display purposes but Mailchimp still signs with mcsv.net.

  • Routing through Mandrill (Mailchimp's transactional sister) and not setting up DKIM for that separately. Mailchimp and Mandrill have different signing setups.

  • Using a custom subdomain (email.yourdomain) but publishing the CNAMEs at the apex. The selector names must include your sending subdomain: k1._domainkey.email.yourdomain.
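A preflight check for the record-placement pitfalls above, as an added example that is not part of the original guide or Mailchimp's tooling. It works on a lookup table instead of live DNS so it runs offline; the `preflight` function, both zone tables and the `_spf.mailbox.example` include are constructed for illustration, while the selector targets and the DMARC record are the ones this guide gives.

```python
# ZONE tables are constructed sample data standing in for real DNS answers.
MAILCHIMP_TARGETS = {"k1": "dkim.mcsv.net", "k2": "dkim2.mcsv.net"}  # from the guide

def norm(name):
    return name.lower().rstrip(".")

def preflight(sending_domain, apex, zone):
    """Return a list of findings; an empty list means the records match the guide."""
    zone = {(norm(owner), rtype): value for (owner, rtype), value in zone.items()}
    sending_domain, apex = norm(sending_domain), norm(apex)
    findings = []
    for selector, target in MAILCHIMP_TARGETS.items():
        owner = f"{selector}._domainkey.{sending_domain}"
        apex_owner = f"{selector}._domainkey.{apex}"
        value = zone.get((owner, "CNAME"))
        if value is None and owner != apex_owner and (apex_owner, "CNAME") in zone:
            # Subdomain sender, but the CNAME was published at the apex.
            findings.append(f"{selector}: CNAME is at {apex_owner}, must be at {owner}")
        elif value is None:
            findings.append(f"{selector}: no CNAME at {owner}")
        elif norm(value) != target:
            findings.append(f"{selector}: points to {norm(value)}, expected {target}")
    if "mcsv.net" in zone.get((apex, "TXT"), ""):
        findings.append("spf: Mailchimp include present; it cannot align and costs a lookup")
    dmarc = zone.get((f"_dmarc.{apex}", "TXT"), "")
    tags = dict(t.strip().split("=", 1) for t in dmarc.split(";") if "=" in t)
    if tags.get("v") != "DMARC1":
        findings.append("dmarc: no v=DMARC1 record at _dmarc." + apex)
    elif "rua" not in tags:
        findings.append("dmarc: no rua address, so no aggregate reports will arrive")
    return findings

GOOD_ZONE = {
    ("k1._domainkey.yourdomain.com", "CNAME"): "dkim.mcsv.net.",
    ("k2._domainkey.yourdomain.com", "CNAME"): "dkim2.mcsv.net.",
    ("yourdomain.com", "TXT"): "v=spf1 include:_spf.mailbox.example ~all",
    ("_dmarc.yourdomain.com", "TXT"):
        "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; fo=1",
}
# Same CNAMEs, but the sender is email.yourdomain.com and SPF has the extra include.
BAD_ZONE = dict(GOOD_ZONE)
BAD_ZONE[("yourdomain.com", "TXT")] = "v=spf1 include:servers.mcsv.net ~all"

if __name__ == "__main__":
    print(preflight("yourdomain.com", "yourdomain.com", GOOD_ZONE))
    for finding in preflight("email.yourdomain.com", "yourdomain.com", BAD_ZONE):
        print(finding)
```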

FAQ

Do I need SPF for Mailchimp?

No. Mailchimp sends from mcsv.net IPs that will not align with your apex domain, so an SPF include cannot help DMARC. Mailchimp relies on DKIM alignment instead, which is why you should not add a Mailchimp SPF include.

What CNAMEs does Mailchimp DKIM use?

Two static CNAMEs: k1._domainkey.yourdomain pointing to dkim.mcsv.net and k2._domainkey.yourdomain pointing to dkim2.mcsv.net. They are the same for every customer, so you can publish them before Mailchimp shows them.

Why does my Mailchimp mail still fail DMARC after verifying the domain?

Verifying the domain only enables sender-name display. You also have to click Authenticate so Mailchimp signs with d=yourdomain. Until then it keeps signing with mcsv.net and DKIM does not align.

Does Mailchimp work with a custom sending subdomain?

Yes, but the DKIM selectors must include the subdomain. If you send from email.yourdomain, publish the CNAMEs at k1._domainkey.email.yourdomain and k2._domainkey.email.yourdomain, not at the apex.