Campaign Monitor SPF and DKIM setup
The DKIM, SPF, and DMARC records Campaign Monitor asks for, all TXT, and why a verified domain still is not signing your mail for the first half hour.
What you are setting up
Campaign Monitor sends your campaigns, and authenticating your sending domain lets it sign that mail as you so it passes DMARC. Everything here is a TXT record; there are no CNAMEs. You publish a DKIM key, an optional SPF record, and a DMARC record. DKIM is the leg that carries DMARC; SPF is recommended but Campaign Monitor handles it for you by default.
Set up the sending domain
In Campaign Monitor, click your profile image and go to Account settings > Sending domains, then click Set up a sending domain (or Add domain). It shows you up to three TXT records:
Type: TXT (DKIM)
Host: cm._domainkey
Value: (copy the exact DKIM key Campaign Monitor shows you)

Type: TXT (SPF, recommended)
Host: @
Value: v=spf1 include:_spf.createsend.com ~all

Type: TXT (DMARC, required)
Host: _dmarc
Value: v=DMARC1; p=none;
The DKIM selector is cm, and the key is generated for your account, so copy it from the console. SPF and DMARC are the same for everyone. If you already have an SPF record, add include:_spf.createsend.com to it (with a space) rather than publishing a second record. If you already have a valid DMARC record, leave it; Campaign Monitor does not need you to change it. Publish the records and click Re-check record.
About the DMARC record
Campaign Monitor requires a DMARC record and gives you the minimal v=DMARC1; p=none; to start. Note that you only need DMARC on your top-level domain. It covers your subdomains, so you do not add a separate one per subdomain. When you are ready to enforce, build a fuller record with our DMARC builder and progress past p=none once your reports are clean.
The Campaign Monitor gotchas
Verified does not mean signing yet. After your domain verifies, Campaign Monitor can take up to 30 minutes to start DKIM-signing your mail, so a test sent immediately may still look unsigned. Give it time before you conclude something is wrong.
If you do not authenticate, Campaign Monitor sends anyway, as itself. It will not block you, but it sends from its own domain instead of yours, which is the deliverability hit you are trying to avoid. And the universal DNS trap applies: if your host appends your domain automatically, enter only cm._domainkey, _dmarc, or @, or you end up with cm._domainkey.yourdomain.com.yourdomain.com and Campaign Monitor looks in the wrong place.
Confirm it worked
- Check the records. Our DKIM checker confirms cm._domainkey resolves, and a free DMARC audit confirms SPF and DMARC parse.
- Send a test and read the headers. After the signing delay, send yourself a campaign, open the original, and confirm the DKIM signature shows d=yourdomain.com and dmarc=pass. Our header analyzer makes it readable.
- Watch the reports. Campaign Monitor should appear as an aligned, passing source in your DMARC aggregate reports, labeled as a known sender in trustyourinbox.
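The record checks above, sketched as an added example (not Campaign Monitor's or this site's code): it audits TXT data for the doubled-host trap, a second SPF record, and a missing include. The zone dictionaries, finding codes, and function names are constructed for illustration, and example.com stands in for your domain.

```python
# Added example: offline audit of the three TXT records described on this page.
SPF_INCLUDE = "include:_spf.createsend.com"  # value given on the page
DKIM_HOST = "cm._domainkey"                  # selector "cm", given on the page

def tags(record):
    """Split a 'k=v; k=v' TXT value (DKIM/DMARC style) into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_zone(domain, zone):
    """Return sorted finding codes; `zone` maps FQDNs to lists of TXT strings."""
    findings = []
    for host in (DKIM_HOST, "_dmarc"):
        # The DNS trap: the host appended the domain to an already-full name.
        doubled = f"{host}.{domain}.{domain}"
        if f"{host}.{domain}" not in zone:
            findings.append(f"{host}:doubled-domain" if doubled in zone else f"{host}:missing")
    dkim = zone.get(f"{DKIM_HOST}.{domain}", [])
    if dkim and not tags(dkim[0]).get("p"):
        findings.append("dkim:no-public-key")
    spf = [r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) > 1:
        findings.append("spf:multiple-records")  # merge into one record instead
    elif spf and SPF_INCLUDE not in spf[0].split():
        findings.append("spf:missing-createsend-include")
    # No SPF record at all is not flagged: the page treats SPF as optional.
    dmarc = zone.get(f"_dmarc.{domain}", [])
    if dmarc and (not dmarc[0].startswith("v=DMARC1") or "p" not in tags(dmarc[0])):
        findings.append("dmarc:malformed")
    return sorted(findings)

# Constructed sample zones (the DKIM key is a placeholder, not a real key).
GOOD_ZONE = {
    "cm._domainkey.example.com": ["v=DKIM1; p=CONSTRUCTEDPLACEHOLDERKEY"],
    "example.com": ["v=spf1 include:_spf.example.net include:_spf.createsend.com ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none;"],
}
BAD_ZONE = {
    "cm._domainkey.example.com.example.com": ["v=DKIM1; p=CONSTRUCTEDPLACEHOLDERKEY"],
    "example.com": ["v=spf1 include:_spf.example.net ~all",
                    "v=spf1 include:_spf.createsend.com ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none;"],
}

if __name__ == "__main__":
    print("good:", audit_zone("example.com", GOOD_ZONE))
    print("bad: ", audit_zone("example.com", BAD_ZONE))
```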
Connect your DNS once and we publish the Campaign Monitor records above in a single click, with a five-minute window to undo. Then we keep watching this sender in your DMARC reports and tell you the moment Campaign Monitor mail starts failing, so a typo in a record never quietly costs you the inbox.
Last verified 2026-06-22.