AWeber SPF and DKIM setup

What you are setting up

AWeber sends your newsletters and automations. Authenticating your domain publishes DKIM under your domain so AWeber signs as you and your mail aligns. AWeber is firmly in the DKIM-carries-DMARC camp: it uses three CNAME records for DKIM and tells you outright that you do not need an SPF record. The thing to avoid is sending from a free webmail address, which AWeber silently rewrites.

Publish the DKIM records

In AWeber, open your account menu and go to Domains and Addresses. You can let AWeber connect to your DNS provider and add the records automatically, or open the record list and publish them yourself. AWeber uses three DKIM CNAMEs:

Type:  CNAME
Host:  aweber_key_a._domainkey
Value: aweber_key_a.send.aweber.com

Type:  CNAME
Host:  aweber_key_b._domainkey
Value: aweber_key_b.send.aweber.com

Type:  CNAME
Host:  aweber_key_c._domainkey
Value: aweber_key_c.send.aweber.com

Three CNAMEs is deliberate: it lets AWeber rotate the underlying DKIM keys for you without you ever touching DNS again. Copy the values from AWeber's setup screen to be safe, though these selectors are consistent across accounts.

Do you need an SPF record? No.

AWeber states it plainly: an SPF record is not required when sending from AWeber. Its mail uses an AWeber-owned return-path, so SPF authenticates AWeber's domain rather than yours and cannot align with your from address anyway. DKIM alignment is what makes AWeber mail pass DMARC. Adding an AWeber SPF include would be ignored by most receivers, so skip it.

Add DMARC

Publish one standard _dmarc TXT record. Start in monitor-only mode:

Type:  TXT
Host:  _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Keep just one DMARC record (a duplicate fails), and do not wrap the value in extra quotes. Build it with our DMARC builder and move past p=none once your reports are clean.

The AWeber gotcha

The most damaging mistake is using a free webmail from address like you@gmail.com. You cannot authenticate a domain you do not control, so when your account sends as a Gmail or Yahoo address under those providers' DMARC policies, AWeber automatically rewrites your from address, you lose your own identity on the message, and you never actually fix the underlying authentication. Send from an address on your own domain and publish the three CNAMEs. The other usual snag is the DNS host appending your domain to the CNAME; enter only the host portion.

Confirm it worked

• Check the records. Our DKIM checker confirms the three CNAMEs resolve and a key is published under your domain.
• Send a test and read the headers. Send yourself a campaign, open the original, and confirm the DKIM signature shows d=yourdomain.com and dmarc=pass. Our header analyzer makes it readable.
• Watch the reports. AWeber should appear as an aligned, passing source in your DMARC aggregate reports, labeled as a known sender in trustyourinbox.