Mailchimp SPF and DKIM setup

What you are setting up

Mailchimp sends your campaigns from its own servers. To make that mail pass DMARC, you authenticate your sending domain: you publish two CNAME records that let Mailchimp sign each campaign with your domain via DKIM. Once that signature aligns with your From: address, DMARC passes on the DKIM leg. That is the whole setup, and notably it does not involve an SPF record anymore (more on that below).

Verify, then authenticate (they are different)

This is the distinction that trips up most Mailchimp users. Verifying a domain just proves you can receive mail at it, by clicking a link in an email or entering a code. It involves no DNS and does nothing for your deliverability. Authenticating is the DNS part that actually matters. You must verify first, but if you stop there, your mail still goes out unaligned.

In Mailchimp, go to Account & billing > Domains, add and verify your domain, then click Start authentication next to it. Mailchimp offers Entri (labeled Recommended), which connects to your DNS provider and publishes the records for you. If you do it by hand, Mailchimp shows you two CNAME records for DKIM:

Type:  CNAME
Host:  k1._domainkey.yourdomain.com
Value: (copy the exact target Mailchimp shows, an mcsv.net host)

Type:  CNAME
Host:  k2._domainkey.yourdomain.com
Value: (copy the exact target Mailchimp shows, an mcsv.net host)

Copy the Valuefor each exactly as your account displays it. These CNAMEs delegate DKIM to Mailchimp under your domain's namespace, so Mailchimp can publish and rotate the signing key and the signature reads as d=yourdomain.com.

Do you need an SPF record? No.

Plenty of older guides tell you to add include:servers.mcsv.net to your SPF record. Mailchimp's current setup does not ask for it, and it would not help DMARC anyway. Mailchimp sends with its own return-path domain, so SPF authenticates Mailchimp, not you, and can never align to your From:address. The aligned DKIM you set up above is what carries DMARC. If you already have that include in your SPF record it does no harm, but do not add it expecting it to fix alignment.

Add DMARC

Authentication includes a DMARC record, a standard _dmarcTXT. Mailchimp's own starting point is monitor-only:

Type:  TXT
Host:  _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Since the 2024 Google and Yahoo rules, Mailchimp requires a DMARC record for bulk senders and tells people to stop sending from a free address (a @gmail.com From line) and use an authenticated domain instead. Build the record with our DMARC builder, then progress past p=none when your reports are clean.

The Mailchimp gotchas

Verified but not authenticated.The single most common Mailchimp mistake is seeing “verified,” assuming you are done, and never publishing the CNAMEs. The result is mail signed by Mailchimp's own domain, which does not align, so if your domain has a p=quarantine or p=rejectpolicy the campaigns get spam-foldered or rejected. Always complete the authentication step.

Mandrill is a separate setup. If you also use Mailchimp Transactional (Mandrill) for receipts and notifications, authenticating your marketing domain does not authenticate Mandrill. Mandrill uses its own records (mte1._domainkey and mte2._domainkey pointing at mandrillapp.com hosts), so set it up on its own.

Confirm it worked

• Check the records. Our DKIM checker confirms the two CNAMEs resolve, and a free DMARC audit confirms the DMARC record parses.
• Send a test campaign and read the headers. Send yourself a test, open the original, and confirm the DKIM signature shows d=yourdomain.com and dmarc=pass. The header analyzer makes it readable.
• Watch the reports. Mailchimp should show up as an aligned, passing source in your DMARC aggregate reports. In trustyourinbox it is a known sender, so a campaign that went out unauthenticated is obvious at a glance.