Why doesn't Brevo offer full SPF alignment on shared IPs?

Brevo, like many ESPs operating on shared IP addresses, uses its own domain in the RFC 5321.MailFrom (envelope sender) for efficient bounce handling and feedback loops. This means while SPF passes because their IP is authorized, it doesn't align with your RFC 5322.From domain. Retrofitting full alignment for existing platforms also presents significant technical and support challenges.

How much does SPF misalignment impact email deliverability with Brevo?

The impact on deliverability is generally minimal if your DKIM is properly configured and aligned. DMARC requires only one of SPF or DKIM to align with your From domain. If DKIM aligns, your emails will pass DMARC, which is the primary authentication signal for most inbox providers. However, full alignment is still considered a best practice for maximum trust.

Do I need a dedicated IP with Brevo to achieve full SPF alignment?

While Brevo offers dedicated IPs that support full SPF alignment, it's typically not necessary for low-volume senders (e.g., under 100,000 emails per month). Dedicated IPs require careful warming and consistent sending to build a positive reputation. For lower volumes, focus on optimizing your DKIM and DMARC setup on shared IPs.

How can I check if my emails are passing authentication and alignment?

You can monitor your email authentication and deliverability by implementing DMARC. DMARC reports provide detailed insights into which authentication methods (SPF or DKIM) passed or failed and whether they aligned with your From domain. This helps you identify any issues that might be affecting your inbox placement.

Why doesn't Brevo offer full SPF alignment and how much does it impact deliverability? - Technical - Email deliverability - Knowledge base

Email service providers (ESPs) handle vast amounts of email, and ensuring proper authentication is crucial for deliverability. SPF (Sender Policy Framework) is a foundational email authentication standard, designed to detect forged sender addresses and prevent spam. When using an ESP like

Brevo, you might notice that while your emails pass SPF, they may not achieve full SPF alignment. This often leads to questions about its impact on inbox placement and overall email success.

The concern is valid, as DMARC relies on SPF and DKIM alignment to authenticate messages. If SPF isn't fully aligned, it raises questions about how much it affects your sender reputation and whether your emails will reach the inbox or land in the spam folder. I often see email geeks asking about this specific challenge with Brevo.

Let's explore why some ESPs operate this way and what it means for your email deliverability strategy. Understanding these nuances is key to maintaining good sender reputation and ensuring your messages arrive where they are intended.

Suped DMARC monitoring

Free forever, no credit card required

Learn more

Trusted by teams securing millions of inboxes

Understanding SPF alignment

SPF alignment is a critical component of email authentication, especially when DMARC is involved. For an email to achieve SPF alignment, the domain in the RFC 5321.MailFrom domain (also known as the envelope sender or Return-Path) must align with the domain in the RFC 5322.From header (what your recipients actually see as the sender). This alignment can be either strict or relaxed.

Many ESPs, particularly those operating on shared IP addresses, use their own domain in the RFC 5321.MailFrom field. This allows them to handle bounce management and feedback loops more efficiently, as the Return-Path directs bounces back to their infrastructure, not directly to your domain. For instance,

Mailchimp also operates this way. While your domain will still pass SPF (because Brevo's IP address is authorized in its own SPF record), it won't align with your RFC 5322.From domain.

The primary reason for this approach is operational. Managing SPF records and ensuring their validity across thousands of customer domains, especially on shared infrastructure, introduces significant complexity. Ensuring full SPF alignment means each customer’s domain needs to be used in the RFC 5321.MailFrom, which can complicate bounce handling for the ESP. Additionally, if customers misconfigure their DNS, it can break the entire email flow.

I often see users concerned about broken SPF records and their impact on email deliverability, and ESPs face these challenges at scale. Retrofitting full SPF alignment into existing systems, particularly older ones, is a significant undertaking that requires considerable development effort and potential customer support overhead.

Impact on deliverability and the role of DKIM and DMARC

While SPF alignment is ideal, its absence is not always a deal-breaker for deliverability, especially if DKIM is properly configured and aligned. DMARC requires at least one of SPF or DKIM to align with the RFC 5322.From domain. If your DKIM signature is valid and its domain aligns with your From domain, your emails will still pass DMARC. This is often sufficient for good inbox placement.

The impact of unaligned SPF (when DKIM is aligned) is generally minimal for most major inbox providers like

Google and

Yahoo. Their systems prioritize DMARC pass status, which can be achieved through either SPF or DKIM alignment. While full SPF alignment is a nice-to-have, it's not always a requirement for strong deliverability, especially if your sending volume is low. For a deeper dive into this, I recommend reading this article on SPF alignment relevance.

For senders with higher volumes, or those requiring the highest possible level of authentication and control, Brevo (and other ESPs) suggest using a dedicated IP address. A dedicated IP often comes with the ability to configure full SPF alignment, as the mail stream from that IP is exclusively tied to your sending domain. However, this is typically only beneficial for senders with substantial email volume (e.g., hundreds of thousands per month), as a dedicated IP requires careful warming and consistent sending to build and maintain its own reputation.

Best practices for email authentication with Brevo

Given that Brevo's SPF implementation is common among many ESPs on shared IPs, your focus should be on ensuring your email authentication is otherwise robust. Here’s what I recommend:

DKIM alignment: Always ensure your DKIM records are correctly set up and that the domain in your DKIM signature aligns with your RFC 5322.From domain. This is often the primary factor for DMARC pass when SPF isn't aligned. You can find useful information on DKIM's role in deliverability.
DMARC policy: Implement a DMARC policy (even p=none to start) and monitor your DMARC reports. These reports provide invaluable insight into your email authentication status, showing whether your emails are passing DMARC and how various receivers are treating your mail. For more information, check out a list of DMARC tags.
Sender reputation: Focus on maintaining a strong sender reputation. This includes sending relevant content, avoiding spam complaints, managing your lists, and promptly removing invalid email addresses. Even with SPF misalignment, good sending practices can significantly improve your deliverability.

Remember, the overarching goal is to ensure your emails are authenticated and trusted. While full SPF alignment is a best practice, if your ESP doesn't offer it on shared IPs, a robust DKIM setup and a well-monitored DMARC policy can effectively mitigate most deliverability risks.

Sample DMARC Record for shared IP scenarios

This DMARC record enforces a policy of monitoring, allowing you to gather reports without affecting email delivery. The fo=1 tag requests forensic reports for any failures, providing detailed insights into authentication issues.

Example DMARC RecordDNS

v=DMARC1; p=none; rua=mailto:dmarc_agg@yourdomain.com; ruf=mailto:dmarc_forensic@yourdomain.com; fo=1;

Ultimately, the decision to use a dedicated IP for full SPF alignment, especially with Brevo, should be based on your specific sending volume and deliverability requirements. For most low-volume senders, prioritizing a solid DKIM and DMARC setup provides ample protection against spam filters and helps maintain a healthy domain reputation.

Views from the trenches

Best practices

Always ensure DKIM is properly configured and aligned with your sending domain.

Implement DMARC with at least a 'p=none' policy to monitor authentication results.

Maintain a healthy sender reputation by sending relevant content and managing your lists.

Regularly check your DMARC reports for insights into email authentication issues.

Consider a dedicated IP only if your email volume justifies the investment and management.

Common pitfalls

Over-relying on SPF alignment as the only authentication factor for deliverability.

Neglecting DKIM setup or misconfiguring it, leading to DMARC failures.

Not implementing DMARC at all, missing out on crucial authentication insights.

Jumping to a dedicated IP without sufficient sending volume to warm it properly.

Ignoring feedback loops and bounce rates, which negatively impact sender reputation.

Expert tips

SPF alignment is a nice-to-have, but DKIM alignment is more critical for DMARC pass.

Brevo's product team plans to enable SMTP FROM domain customization for shared IPs in 2025.

Retrofitting full SPF alignment is a significant undertaking for older ESP platforms.

ESPs face challenges with customer DNS configurations when offering full alignment.

A video explanation on SPF alignment issues with ESPs offers helpful insights.

Expert view

Expert from Email Geeks says there is no good reason why Brevo doesn't offer full SPF alignment on shared IPs, but it is an item on their product roadmap for 2025 to allow SMTP FROM domain customization for clients on shared IPs. This aims to provide complete domain alignment in email content, including headers and body.

February 24, 2025 - Email Geeks

Expert view

Expert from Email Geeks says many smaller ESPs do not offer aligned SPF, so it is not an unusual practice. As long as DKIM is aligned, there is no real concern, and SPF alignment is more of a nice-to-have feature.

February 24, 2025 - Email Geeks

Key takeaways

While Brevo (and many other ESPs) may not offer full SPF alignment for all senders on shared IPs, this doesn't necessarily spell disaster for your email deliverability. The critical factor for modern email authentication, particularly with DMARC, is that at least one of SPF or DKIM aligns with your visible From address. As long as your DKIM is robustly set up and aligned, your emails are still considered authenticated and trusted by most major inbox providers.

The operational complexities for ESPs in retrofitting full SPF alignment are substantial, which explains why it's not universally offered. For most small to medium-volume senders, the focus should remain on overall sender reputation, clean list management, and ensuring correct DKIM and DMARC configurations. Dedicated IPs, while offering full alignment, are typically overkill for lower volumes and require active management to be effective.

Monitoring your DMARC reports is your best tool for understanding how your emails are performing from an authentication standpoint. This allows you to identify any issues and adapt your strategy as needed. Keep an eye on Brevo's roadmap, as they are working towards offering full alignment on shared IPs, which will further enhance your email security and deliverability.