Brevo SPF and DKIM setup

How to authenticate your domain in Brevo (formerly Sendinblue), the records to publish, why you skip SPF on a shared IP, and the records you must never delete.

What you are setting up

Brevo (formerly Sendinblue) sends your marketing and transactional mail. Authenticating your domain publishes a verification record plus DKIM, so Brevo signs each message with your domain and the signature aligns. On a standard shared IP, that is the whole job; there is no SPF record to add. Because of the 2023 rename, the records changed (the hostnames moved from sendinblue.com to brevo.com), so make sure any guide you follow uses the current Brevo records, not stale Sendinblue ones.

Authenticate the domain

In Brevo, go to Senders, Domains & Dedicated IPs > Domains, add your domain, and click Authenticate this domain. Brevo shows you three records, the verification record and the two DKIM CNAMEs:

Type:  TXT     (ownership / verification)
Host:  @          (the root of your domain)
Value: brevo-code:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Type:  CNAME   (DKIM)
Host:  brevo1._domainkey.yourdomain.com
Value: (copy the exact target Brevo shows, a dkim.brevo.com host)

Type:  CNAME   (DKIM)
Host:  brevo2._domainkey.yourdomain.com
Value: (copy the exact target Brevo shows, a dkim.brevo.com host)

Copy the DKIM targets exactly; they encode your domain and are specific to your account. The current selectors are brevo1 and brevo2 (older guides showing mail._domainkey or mail2._domainkey are out of date). These CNAMEs let Brevo publish a 2048-bit key under your domain and rotate it for you.

Do you need an SPF record? Not on a shared IP.

On Brevo's standard shared IPs, SPF is not part of the setup, and Brevo provides an SPF (and MX) record only when you move to a dedicated IP. Adding include:spf.brevo.com on a shared IP does not help DMARC, because it authorizes Brevo's return-path domain rather than your from address, and it spends one of your ten SPF lookups. DKIM alignment is what carries DMARC here, so leave SPF alone unless you are on a dedicated IP.

Add DMARC

Brevo includes a DMARC record in the flow, a standard _dmarc TXT. Start in monitor-only mode:

Type:  TXT
Host:  _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Build it with our DMARC builder and progress past p=none to quarantine and reject once your reports are clean.

The Brevo gotchas

Send from the domain you authenticated. If your from address is not on an authenticated domain, Brevo falls back to sending from its own brevosend.com domain, the DKIM signature does not align with your domain, and DMARC will not pass for you. Use a from address at the domain you set up.

Do not delete the records once it goes green. All three records, including the brevo-code verification TXT, must stay in place for as long as you send through Brevo. The brevo-code record is not a one-time throwaway; remove it and your domain silently flips back to “Not authenticated” days later. And if your DNS provider proxies records (Cloudflare's orange cloud), set the DKIM CNAMEs to DNS-only so the proxy does not break them.

Confirm it worked

  • Verify in Brevo. The Domains page shows the domain as authenticated once the records resolve.
  • Send a test and read the headers. Send yourself a message, open the original, and confirm the DKIM signature shows d=yourdomain.com and dmarc=pass. Our header analyzer reads it in plain English.
  • Watch the reports. Brevo should appear as an aligned, passing source in your DMARC aggregate reports. trustyourinbox labels it as a known sender, so mail that fell back to brevosend.com is easy to spot.
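
The header check from the second bullet above, as an added Python example (not Brevo's or trustyourinbox's code). It takes the domain you authenticated as `expected`; the sample messages are constructed, the shape of the brevosend.com fallback headers is an assumption, and alignment is simplified to a suffix match without a Public Suffix List lookup.

```python
import email
import re
from email.utils import parseaddr

FALLBACK = "brevosend.com"  # Brevo's own sending domain named on this page

def dkim_tags(value):
    """Split one DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def under(domain, parent):
    """True if domain equals parent or is a subdomain of it."""
    return domain == parent or domain.endswith("." + parent)

def check_message(raw, expected):
    """Check one raw message against the domain authenticated in Brevo."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    d_values = [dkim_tags(v).get("d", "").lower()
                for v in msg.get_all("DKIM-Signature", [])]
    # Only trust Authentication-Results stamped by your own receiving server.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    dmarc = re.search(r"\bdmarc=(\w+)", auth)
    result = {
        "from_ok": under(from_domain, expected),
        # Simplified relaxed alignment: suffix match, no Public Suffix List.
        "dkim_aligned": any(under(d, expected) for d in d_values),
        "fallback": any(under(d, FALLBACK) for d in d_values),
        "dmarc": dmarc.group(1).lower() if dmarc else None,
    }
    result["ok"] = (result["from_ok"] and result["dkim_aligned"]
                    and result["dmarc"] == "pass")
    return result

# Constructed sample headers (not captured mail); signature values are dummies.
ALIGNED = """\
Authentication-Results: mx.receiver.example; dkim=pass header.d=yourdomain.com;
 dmarc=pass header.from=yourdomain.com
DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com; s=brevo1;
 h=from:subject; bh=CONSTRUCTED; b=CONSTRUCTED
From: News <news@yourdomain.com>

test
"""
FELL_BACK = ALIGNED.replace("yourdomain.com", FALLBACK)  # assumed fallback shape
```

A message can show dmarc=pass and still fail this check: if the pass was earned by brevosend.com rather than your domain, `fallback` is true and `ok` is false.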

Let trustyourinbox publish Brevo for you

Connect your DNS once and we publish the Brevo records above in a single click, with a five-minute window to undo. Then we keep watching this sender in your DMARC reports and tell you the moment Brevo mail starts failing, so a typo in a record never quietly costs you the inbox.

Last verified 2026-06-22.
