Kit (ConvertKit) SPF and DKIM setup

The two CNAMEs Kit's Verified Sending Domain asks for, why they align both SPF and DKIM, and why the records still carry the old ConvertKit ck prefix.

What you are setting up

Kit (the email platform formerly called ConvertKit) sends your newsletters. Setting up a Verified Sending Domain publishes two CNAME records so Kit signs your mail as you and routes the return-path through your domain. That aligns both DKIM and SPF, so your mail passes DMARC. By default, before you verify, Kit's return-path is a kit.com address, which is why unverified mail fails DMARC alignment.

Set up the Verified Sending Domain

In Kit, click your account name, go to Settings > Email, and under Verified Sending Domains start the setup for your domain. Kit shows you two CNAME records:

Type:  CNAME
Host:  ckespa             (SPF / return-path delegation)
Value: (copy the exact target Kit shows you)

Type:  CNAME
Host:  cka._domainkey     (DKIM)
Value: (copy the exact target Kit shows you)

The ckespa record delegates SPF and the return-path to Kit, and cka._domainkey is the DKIM signing record. The ck prefix is a ConvertKit-era holdover Kit kept through the rebrand, so it is correct, not stale. Copy the targets exactly from the console, because they are specific to your account. Kit can also set the records up for you automatically through Entri on supported DNS hosts. When the records resolve, click Validate.

Add DMARC

Kit provides a DMARC record to publish as a separate _dmarc TXT, defaulting to monitor-only:

Type:  TXT
Host:  _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Once it is in place, do not remove it. Build or strengthen it with our DMARC builder and progress past p=none as your reports come back clean.

The Kit gotcha

The most common break is the DNS host appending your domain to the record. Kit's own guidance: many providers want the truncated host (just ckespa and cka._domainkey, not the full ckespa.yourdomain.com), or you end up with ckespa.yourdomain.com.yourdomain.com and Kit looks in the wrong place. A Kit-documented specific: Bluehost does not accept the trailing period in CNAME values, so omit it there. Give DNS up to 24 to 48 hours, then click Validate.

Confirm it worked

  • Click Validate in Kit. The domain should move to verified once the records resolve.
  • Send a test and read the headers. Send yourself a broadcast, open the original, and confirm the DKIM signature shows d=yourdomain.com, the return-path is on your domain (not kit.com), and dmarc=pass. Our header analyzer reads it back plainly.
  • Watch the reports. Kit should appear as an aligned, passing source in your DMARC aggregate reports, labeled as a known sender in trustyourinbox.
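
The header check from the second bullet, as an added example (not code from Kit or trustyourinbox): it reads a saved original message and reports whether the DKIM d= domain and the return-path line up with the From domain, plus the receiver's dmarc= verdict. The sample headers are constructed, example.com stands in for yourdomain.com, and alignment is simplified to "same domain or a subdomain of it".

```python
import email
import re
from email.utils import parseaddr

def _domain(value):
    """Lowercased domain of an address header, or '' if there is none."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def _aligned(candidate, from_domain):
    # Simplification of relaxed alignment: exact match or subdomain of the
    # From domain. Real DMARC compares organizational domains.
    return bool(candidate) and (
        candidate == from_domain or candidate.endswith("." + from_domain))

def check_headers(raw):
    """Report DKIM/SPF alignment and the receiver's DMARC verdict."""
    msg = email.message_from_string(raw)
    from_domain = _domain(msg["From"])
    # Collect the d= tag of every DKIM-Signature header (folded or not).
    dkim = [m.group(1).lower()
            for sig in msg.get_all("DKIM-Signature", [])
            for m in [re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)] if m]
    return_path = _domain(msg["Return-Path"])
    auth = " ".join(msg.get_all("Authentication-Results", []))
    verdict = re.search(r"\bdmarc=(\w+)", auth)
    return {
        "from_domain": from_domain,
        "dkim_aligned": any(_aligned(d, from_domain) for d in dkim),
        "spf_aligned": _aligned(return_path, from_domain),
        "dmarc": verdict.group(1).lower() if verdict else None,
    }

# Constructed sample headers (not captured from Kit); mx.example.net is a
# made-up receiving server and the selector and signature values are dummies.
VERIFIED = (
    "Return-Path: <bounce@ckespa.example.com>\n"
    "Authentication-Results: mx.example.net; dkim=pass header.d=example.com;\n"
    " spf=pass smtp.mailfrom=ckespa.example.com; dmarc=pass header.from=example.com\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=cka; bh=...; b=...\n"
    "From: Newsletter <hello@example.com>\n"
    "Subject: test broadcast\n\nbody\n"
)
# Same message as it would look before verification: kit.com return-path.
UNVERIFIED = VERIFIED.replace("ckespa.example.com", "kit.com") \
    .replace("d=example.com", "d=kit.com").replace("dmarc=pass", "dmarc=fail")

if __name__ == "__main__":
    for name, raw in (("verified", VERIFIED), ("unverified", UNVERIFIED)):
        print(name, check_headers(raw))
```

To check a real broadcast, save the original message to a file and pass its contents to check_headers.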

Let trustyourinbox publish Kit for you

Connect your DNS once and we publish the Kit records above in a single click, with a five-minute window to undo. Then we keep watching this sender in your DMARC reports and tell you the moment Kit mail starts failing, so a typo in a record never quietly costs you the inbox.

Last verified 2026-06-23 against the official Kit documentation.
