How do I verify multiple domains in Mailchimp to fix DMARC and DKIM issues?
Michael Ko
Co-founder & CEO, Suped
Published 7 May 2025
Updated 19 Aug 2025
9 min read
Email deliverability is crucial for any business, and when you're managing multiple brands or locations, ensuring your emails reach the inbox consistently becomes even more complex. A common challenge arises when different entities under the same umbrella use their own domains but send emails through a single email service provider (ESP) like Mailchimp.
One of the most frequent issues I encounter is related to DMARC and DKIM authentication for these secondary domains. If a domain isn't properly authenticated, emails sent from it are likely to fail DMARC checks, leading to them being flagged as spam or rejected outright by recipient mail servers. This often manifests as emails appearing to be sent 'via mailchimp.com' or simply not arriving at all.
I recently helped a client with two distinct business locations, each with its own domain and subscriber list, despite operating from a single Mailchimp account. While one location's emails were flowing smoothly, the other's were facing deliverability hurdles because its domain hadn't been fully verified and authenticated. This situation highlights the critical need to ensure every sending domain is correctly configured within Mailchimp to avoid DMARC and DKIM failures.
Mailchimp requires you to authenticate any domain you use as your 'From' address. This authentication process is essential for building and maintaining a good sender reputation, which directly impacts your email deliverability. Mailchimp's own documentation emphasizes this, stating that email domain authentication requires adding specific DNS records to your domain.
The process generally involves two main steps: verifying your email address and then authenticating your domain. While verification confirms you have access to the email address, authentication (specifically DKIM and sometimes SPF) proves that Mailchimp is authorized to send emails on behalf of your domain. For those seeking to fix SPF and DMARC settings, this foundational step is crucial.
To verify an email domain in Mailchimp, you typically go to your account settings, navigate to the domains section, and add the domain you wish to verify. Mailchimp will send a verification email to an address at that domain. Once clicked, this email verifies your control over the domain. After verification, Mailchimp will provide the necessary DNS records (usually CNAMEs) for DKIM authentication, which you then add to your domain's DNS host. It’s important to remember that this process must be completed for each unique sending domain, even if they belong to the same parent company or Mailchimp account.
If you don't correctly verify and authenticate each domain, Mailchimp may automatically rewrite your 'From' email address to an alternative domain (like `mcsv.net`), or your emails might get caught by spam filters or blacklists. This is why if you're sending from `domain-A.com` and `domain-B.com` via the same Mailchimp account, both `domain-A.com` and `domain-B.com` must be individually authenticated.
Understanding and configuring DKIM for Mailchimp
DKIM, or DomainKeys Identified Mail, is a critical email authentication method that uses cryptographic signatures to verify the sender's identity and ensure that the email content hasn't been tampered with in transit. When you authenticate your domain in Mailchimp, they provide you with two CNAME records. These records allow recipient mail servers to look up a public key in your DNS, which can then be used to verify the digital signature attached to your outgoing emails.
Adding these Mailchimp-specific DKIM records to your DNS is a straightforward process. You'll typically log into your domain registrar or DNS host (like GoDaddy, Namecheap, Cloudflare, etc.) and add two CNAME entries. Each entry will have a unique name and value provided by Mailchimp. The specific names often resemble k1._domainkey.yourdomain.com and k2._domainkey.yourdomain.com, pointing to Mailchimp's servers.
It's crucial to understand how Mailchimp handles SPF and DKIM for email marketing. Mailchimp uses a shared SPF record (`spf.mandrillapp.com`), which means you don't need to add their IPs directly to your SPF record. For DKIM, the CNAME records ensure that Mailchimp can sign your emails with your domain's unique key. This direct signing (often called 'aligned' DKIM) is what DMARC requires for a passing authentication. A common issue is DKIM from domain mismatch, where the domain in the DKIM signature doesn't align with the 'From' header, causing DMARC failures.
Implementing DMARC for multiple domains
DMARC, or Domain-based Message Authentication, Reporting & Conformance, is an email authentication protocol that builds on SPF and DKIM. Its primary purpose is to tell recipient email servers what to do with emails that fail SPF or DKIM checks, and to provide reporting back to the domain owner about email authentication results. For multiple domains, you'll need a DMARC record for each domain that you are sending from.
A DMARC record is a TXT record published in your DNS. It specifies a policy (`p=`) and can include reporting addresses (`rua` and `ruf`) to receive aggregate and forensic reports, respectively. When implementing DMARC, it's generally recommended to start with a `p=none` policy, which instructs recipient servers to simply monitor failures without blocking emails. This allows you to gather data and identify legitimate sending sources before moving to a stricter policy like `p=quarantine` (move to spam) or `p=reject` (block entirely).
When managing DMARC with multiple email senders (like Mailchimp and other services) for the same domain, each service must pass either SPF or DKIM alignment for DMARC to pass. Mailchimp's authenticated DKIM generally handles this. The `rua` tag in your DMARC record is vital for receiving DMARC reports, which provide insights into your email authentication status. These reports can show if your emails are passing or failing DMARC, and from which sources they are being sent.
It's important to differentiate between domain verification in Mailchimp and setting up DMARC records in your DNS. Mailchimp's domain authentication primarily handles DKIM (and implicitly SPF alignment). Your DMARC record, however, is managed directly at your DNS provider and applies to all email sent from that domain, regardless of the ESP. For example, if you have `domain-A.com` and `domain-B.com`, both need their own DMARC TXT records in their respective DNS zones.
Policy types
p=none: Monitor mode, no action taken on failures, but reports are sent. Ideal for initial deployment. You can find simple DMARC examples with p=none here.
p=quarantine: Emails failing DMARC are sent to spam/junk folders. Good for testing before full enforcement.
p=reject: Emails failing DMARC are rejected outright. Provides the strongest protection against spoofing. Safely transition your policy.
Troubleshooting common issues
If you're experiencing DMARC or DKIM failures, the first step is to carefully review your DNS records for each domain in question. Common errors include typos, missing records, or incorrect values. Also, ensure that the 'From' email address you're using in your Mailchimp campaigns matches a domain that you have fully verified and authenticated within Mailchimp.
One persistent issue I've observed is where Mailchimp might insert an alternate 'From' email if your chosen one isn't fully authenticated. This often results in emails showing 'via mailchimp.com' in the sender field, which can significantly damage your brand's credibility and reduce deliverability. To fix this, you must complete the full verification and authentication process (both email address and domain) for the specific 'From' address you intend to use.
Another point of confusion for many is whether the reputation of one domain can affect the deliverability of another, even if they're used within the same Mailchimp account. Generally, no. Each domain's sending reputation is largely independent, provided they are correctly authenticated. The deliverability issues with one domain usually stem from its own specific authentication (or lack thereof) rather than being directly influenced by a different, unrelated sending domain, even if they're managed under the same ESP. However, if multiple domains within the same account are consistently failing, it could signal broader list hygiene or content issues that affect all sends.
Common problems
Emails failing DMARC: Often due to missing or incorrect DKIM records, or DMARC policy not aligned with sending practices.
Emails showing 'via mailchimp.com': Indicates that the 'From' domain is not properly authenticated with Mailchimp.
Low inbox placement: Caused by a poor sender reputation, often a result of authentication failures and high bounce rates.
Add correct DNS records: Ensure the Mailchimp-provided CNAMEs for DKIM are correctly added to your DNS for each domain.
Implement DMARC gradually: Start with a `p=none` DMARC policy for each domain and gradually increase strictness.
Views from the trenches
Best practices
Always complete Mailchimp's domain verification and authentication steps for every domain you plan to use as a 'From' address, even if they belong to the same parent company or Mailchimp account.
Utilize DMARC aggregate reports to monitor your email authentication performance across all domains. This helps identify legitimate sending sources and any potential spoofing attempts.
For DMARC, start with a 'p=none' policy to gather data, and only escalate to 'p=quarantine' or 'p=reject' once you're confident all legitimate email streams are authenticating correctly.
Ensure that the DKIM CNAME records provided by Mailchimp are precisely copied into your DNS settings. Small errors can prevent authentication.
Common pitfalls
Assuming that authenticating one domain in Mailchimp automatically authenticates all others linked to the same account. Each domain needs individual attention.
Neglecting to set up DMARC records for all your sending domains, which leaves them vulnerable to spoofing and can impact overall deliverability.
Immediately implementing a strict DMARC policy (e.g., p=reject) without first monitoring reports. This can cause legitimate emails to be blocked.
Using a 'From' email address that is not fully verified or authenticated in Mailchimp, leading to emails being sent 'via mailchimp.com' and reduced trust.
Expert tips
Review 'Show Original' headers for failed emails to pinpoint the exact authentication issue, whether it's SPF, DKIM, or DMARC alignment. This provides detailed diagnostic information.
Regularly check your DMARC reports for all sending domains. They offer invaluable insights into who is sending email on your behalf and how well it's authenticating.
If using multiple ESPs alongside Mailchimp, ensure each service has proper SPF and DKIM setup for your domain, as DMARC requires at least one of these to align.
Don't change your 'From' address email unless absolutely necessary, and if you do, ensure the new domain is fully verified and authenticated in Mailchimp first to prevent deliverability disruptions.
Expert view
Expert from Email Geeks says: You should check if both domains are added and verified on Mailchimp. The one passing DKIM surely is. It's wise to double-check the other one as well.
2024-03-10 - Email Geeks
Marketer view
Marketer from Email Geeks says: My DMARC record was set to 'p=none', which was not protecting against spoofing. I needed to enhance my policy to 'p=reject' after regularly monitoring legitimate email senders through DMARC aggregate reports.
2024-04-15 - Email Geeks
Strengthening your email sending reputation
Verifying multiple domains in Mailchimp and correctly configuring their DMARC and DKIM records is not just a technicality; it's a fundamental aspect of ensuring your email marketing efforts are successful. Each domain you send from acts as a unique identity, and proper authentication is how internet service providers (ISPs) like Google and Yahoo confirm your legitimacy.
By diligently setting up DKIM CNAMEs for each domain within Mailchimp's authentication wizard and then publishing DMARC TXT records with appropriate policies for each domain at your DNS host, you solidify your sending reputation. This comprehensive approach minimizes the chances of your emails being flagged as spam or outright rejected, paving the way for better engagement and campaign performance.
Remember that email authentication is an ongoing process. Regularly reviewing your DMARC reports and ensuring your domains remain properly configured will help you maintain strong deliverability. Taking these steps for every domain ensures that each of your business locations or brands can communicate effectively and securely with its audience.
