Mailjet SPF and DKIM setup
The SPF and DKIM records to publish for Mailjet, the 2048-bit key default, and why validating an address is not the same as validating the whole domain.
What you are setting up
Mailjet (now part of Sinch) sends your transactional and marketing email. You authenticate your sending domain by publishing two TXT records, an SPF record and a DKIM key, so Mailjet signs as you and your mail aligns. The one thing Mailjet users get wrong is validating a single sender address instead of the whole domain; only the domain-level validation gives you full SPF and DKIM.
Publish SPF and DKIM
In Mailjet, go to Account Settings > Domains and Senders and open Setup SPF/DKIM authentication for your domain. Mailjet shows you two TXT records:
Type: TXT (SPF) Host: @ Value: v=spf1 include:spf.mailjet.com ~all Type: TXT (DKIM) Host: mailjet._domainkey Value: v=DKIM1; k=rsa; p=MIGfMA0GCSq... (the key Mailjet shows you)
The DKIM selector is mailjet, and the key is unique to your account, so copy the exact value from the console. New DKIM keys are 2048-bit (the default since 2024). If you already have an SPF record, merge include:spf.mailjet.com into it rather than adding a second SPF record. Then click the cog next to your domain and Validate.
Add DMARC
Standard _dmarc TXT record, nothing Mailjet-specific. Start in monitor-only mode and ramp up:
Type: TXT Host: _dmarc Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
Build it with our DMARC builder and progress past p=none once your reports are clean.
The Mailjet gotcha
Validate the domain, not just an address.Mailjet lets you validate a single sender email address, but that does not set up full SPF and DKIM, and you will notice the “Regenerate Key” option stays greyed out. Authenticate the whole domain so every address on it is covered and your DKIM key is yours to manage. The other usual issue is the DNS host appending your domain to the record name (giving mailjet._domainkey.yourdomain.com.yourdomain.com or _dmarc.yourdomain.com.yourdomain.com); enter only the host portion, and keep a single SPF record.
Confirm it worked
- Validate in Mailjet. The domain should show SPF and DKIM validated once the records resolve.
- Send a test and read the headers. Send through Mailjet, open the message, and confirm the DKIM signature shows
d=yourdomain.comanddmarc=pass. Our header analyzer reads it back plainly. - Watch the reports. Mailjet should appear as an aligned, passing source in your DMARC aggregate reports, labeled as a known sender in trustyourinbox.
Connect your DNS once and we publish the Mailjet records above in a single click, with a five-minute window to undo. Then we keep watching this sender in your DMARC reports and tell you the moment Mailjet mail starts failing, so a typo in a record never quietly costs you the inbox.
Keep reading
Run a free DMARC audit
Paste your domain and see your published SPF, DKIM, and DMARC in plain English.
DMARC alignment, in plain English
Why the mailjet._domainkey signature aligns your Mailjet mail to your domain.
DKIM record checker
Confirm the mailjet._domainkey TXT record resolves and is signing your mail.
Mailgun SPF and DKIM setup
Mailjet's Sinch sibling, another developer ESP with SPF + DKIM on a domain.
Last verified 2026-06-23 against the official Mailjet documentation.
Free for one domain. Set up in five minutes. We parse the reports; you read plain-English summaries.