Constant Contact SPF and DKIM setup

The DKIM records Constant Contact's self-authentication asks for, why there is no SPF step, and the silent from-address rewrite that tells you the job is not finished.

What you are setting up

Constant Contact sends your campaigns from its servers. Its self-authentication flow publishes DKIM under your domain so its mail signs as you and aligns. Two things make this one different from what you might expect: there is no SPF record to add, and if you do not finish the setup, Constant Contact quietly rewrites your from address so your mail never actually sends as your domain. Both are covered below.

Turn on self-authentication

In Constant Contact, go to Settings > Advanced settings and choose Add self-authentication. Pick the CNAME method (the recommended one; TXT is a fallback for the rare case where several Constant Contact accounts send from one domain). Constant Contact generates two DKIM CNAMEs and a DMARC record for you to publish:

Type:  CNAME
Host:  100._domainkey.yourdomain.com
Value: (copy the exact target Constant Contact shows, a dkim1.ccsend.com host)

Type:  CNAME
Host:  200._domainkey.yourdomain.com
Value: (copy the exact target Constant Contact shows, a dkim2.ccsend.com host)

Copy the exact host and value from your account. The selectors and targets are specific to your account, so do not hardcode them. Constant Contact also generates the matching _dmarc record on the same screen; publish that too (the value is case-sensitive). Note that an account can authenticate one domain, so pick the one you send from.

Do you need an SPF record? No.

Constant Contact's setup is DKIM-only, and the company says so plainly: there is no SPF requirement, because its mail uses a Constant Contact return-path that cannot align with your from address anyway. DMARC passes on aligned DKIM. Do not go hunting for a Constant Contact SPF include; there is not one to add.

About the DMARC record

Constant Contact hands you a DMARC record as part of self-authentication, so you may not need to write one. If you want to set or strengthen your own policy, it is a standard _dmarc TXT record. Start in monitor-only mode and ramp up:

Type:  TXT
Host:  _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Build or check the record with our DMARC builder and move past p=none once your reports are clean.

The Constant Contact gotcha

The big one: if you do not finish self-authentication, Constant Contact rewrites your from address. Instead of sending as you@yourdomain.com, it sends as something like you-yourdomain.com@shared1.ccsend.com, so the mail still passes under Constant Contact's own domain. It works, but recipients see the ccsend.com address, not yours. So “I added a record but my mail still comes from ccsend.com” means the setup is not complete, not that DNS is broken. The other usual suspect is the DNS host appending your domain to the CNAME, doubling it; enter the host exactly as shown.

Confirm it worked

  • Check the status in Constant Contact. Self-authentication should read as active, and your from address should be your own domain again.
  • Send a test and read the headers. Send yourself a campaign, open the original, and confirm the DKIM signature shows d=yourdomain.com and the Authentication-Results header shows dmarc=pass. Our header analyzer makes it readable.
  • Watch the reports. Constant Contact should appear as an aligned, passing source in your DMARC aggregate reports, labeled as a known sender in trustyourinbox.
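
The header checks from the list above, combined with the from-address rewrite described under the gotcha, as an added example (not Constant Contact's or trustyourinbox's code). The two sample messages, the receiver name mx.example.net and the function names are constructed for illustration, and alignment is simplified to same-domain or parent/child matching.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not real mail): finished vs. unfinished setup.
ALIGNED = """\
From: News <you@yourdomain.com>
DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com; s=100; bh=...; b=...
Authentication-Results: mx.example.net; dkim=pass header.d=yourdomain.com; dmarc=pass header.from=yourdomain.com

test body
"""
REWRITTEN = """\
From: News <you-yourdomain.com@shared1.ccsend.com>
DKIM-Signature: v=1; a=rsa-sha256; d=shared1.ccsend.com; s=example; bh=...; b=...
Authentication-Results: mx.example.net; dkim=pass header.d=shared1.ccsend.com; dmarc=pass header.from=shared1.ccsend.com

test body
"""

def aligned(d: str, from_domain: str) -> bool:
    # Simplified relaxed alignment: same domain, or one is a parent of the other.
    # Real DMARC compares organizational domains via the Public Suffix List.
    return d == from_domain or d.endswith("." + from_domain) or from_domain.endswith("." + d)

def check(raw: str, own_domain: str, trusted_authserv: str) -> dict:
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # d= tag of every DKIM-Signature on the message
    dkim = [m.group(1).lower() for s in msg.get_all("DKIM-Signature", [])
            if (m := re.search(r"(?:^|;)\s*d=([^;\s]+)", s))]
    # Read dmarc= only from the header your own receiver stamped; an
    # Authentication-Results header with another authserv-id can be sender-supplied.
    dmarc = None
    for ar in msg.get_all("Authentication-Results", []):
        head, _, rest = ar.partition(";")
        if head.split()[:1] == [trusted_authserv] and (m := re.search(r"\bdmarc=(\w+)", rest)):
            dmarc = m.group(1).lower()
            break
    # The unfinished-setup symptom: the visible From is a ccsend.com address.
    rewritten = from_domain == "ccsend.com" or from_domain.endswith(".ccsend.com")
    signs_as_you = aligned(from_domain, own_domain) and any(aligned(d, from_domain) for d in dkim)
    return {"from_domain": from_domain, "rewritten": rewritten,
            "signs_as_you": signs_as_you, "dmarc": dmarc,
            "ok": signs_as_you and not rewritten and dmarc == "pass"}
```

A message can show dmarc=pass and still fail this check: in the rewritten case the pass belongs to ccsend.com, which is why the from domain and the d= value are compared against your own domain.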

Let trustyourinbox publish Constant Contact for you

Connect your DNS once and we publish the Constant Contact records above in a single click, with a five-minute window to undo. Then we keep watching this sender in your DMARC reports and tell you the moment Constant Contact mail starts failing, so a typo in a record never quietly costs you the inbox.

Last verified 2026-06-22.