Managing email authentication protocols like Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) across multiple email services, such as Klaviyo, Shopify, and Outlook, can be complex. Each service needs proper authorization to send emails on behalf of your domain. This summary explores the best practices for configuring SPF records and DKIM keys to ensure optimal email deliverability and avoid common pitfalls when using various sending platforms.
Key findings
Single SPF record: For each domain or subdomain you use as a bounce/Return-Path domain, you should only have one SPF record. This record must include all authorized sending services (ESPs) using include: statements to list them.
Multiple DKIM keys: Each email service provider (ESP) will typically generate its own unique DKIM key pair. You will need to publish separate DKIM CNAME records for each service that signs your email, even if they send from the same domain.
Subdomain authentication: If you use a subdomain for a specific service (like Klaviyo), that subdomain will require its own distinct SPF record and DKIM keys, separate from your main domain's records.
Return-path domain: The SPF record's authentication applies to the Return-Path (or bounce) domain, not necessarily the visible 'From' header domain. Ensure that the Return-Path domain used by each ESP is properly authenticated via SPF.
Key considerations
Avoid multiple SPF TXT records: Having multiple SPF TXT records for a single domain will invalidate SPF authentication and negatively impact deliverability. Always consolidate all authorized senders into one SPF record for that domain.
DKIM alignment: While SPF verifies the sending server, DKIM adds a digital signature. For optimal DMARC alignment, the DKIM signing domain should align with your 'From' domain.
Bounce handling: Do not use the same bounce string (Return-Path hostname) for different ESPs if those ESPs are not configured to forward bounces to the correct handler. This will lead to misdirected bounces and impact your deliverability metrics.
DMARC implementation: Implementing a DMARC policy is crucial for comprehensive email authentication, leveraging both SPF and DKIM. DMARC tells receiving mail servers what to do with emails that fail authentication.
Email marketers often face challenges when setting up SPF and DKIM for multiple platforms like Klaviyo, Shopify, and Outlook. The consensus is that while the principles are straightforward, the practical application requires careful attention to detail, especially concerning how each service handles return-paths and DKIM signing. Many marketers confirm the necessity of distinct configurations for each sending entity to ensure proper authentication and deliverability.
Key opinions
SPF consolidation: Marketers frequently discuss the rule of one SPF record per domain, with all includes combined, to avoid validation issues. This is a common point of confusion for those new to email authentication.
DKIM per service: It's widely acknowledged that each ESP (like Klaviyo or Shopify) typically requires its own DKIM setup, leading to multiple DKIM keys published in DNS. Some marketers note that certain ESPs might allow signing with the organizational domain.
Subdomain strategy: When using subdomains for specific sending purposes (e.g., emails.yourdomain.com for Klaviyo), marketers confirm that these subdomains need their own dedicated SPF and DKIM records.
Header vs. return-path: Marketers understand that SPF validates the Return-Path domain, which can differ from the visible 'From' address. DKIM, however, ideally aligns with the 'From' header for DMARC success.
Key considerations
DNS records complexity: Marketers must carefully manage DNS records to avoid conflicts or errors, especially when adding new ESPs. Incorrect configurations can lead to emails landing in spam folders or being blocked outright.
Testing authentication: After setting up or modifying SPF and DKIM records, marketers stress the importance of thorough testing to verify proper authentication. This helps in troubleshooting DMARC, SPF, and DKIM setup issues for services like Klaviyo.
Impact on deliverability: Proper SPF and DKIM setup is fundamental for good inbox placement. Marketers often link authentication failures to increased spam placement and reduced email campaign effectiveness. This is especially relevant given new sender requirements from major ISPs.
DMARC reporting: Marketers should monitor DMARC reports to identify authentication failures and gain insights into how their emails are being handled by various receiving servers, which is crucial for maintaining good domain reputation.
Marketer view
An email marketer from Email Geeks explains that their client uses Klaviyo for marketing, Shopify for order confirmations, and Outlook for customer service. This setup requires careful consideration for SPF and DKIM across all three platforms to maintain good email deliverability.
26 Jan 2024 - Email Geeks
Marketer view
A marketer from Nudgify emphasizes that DomainKeys Identified Mail (DKIM) works with SPF to verify email authenticity via cryptographic signatures. This protocol adds a layer of security, making emails more trustworthy.
25 Jan 2025 - Nudgify
What the experts say
Experts in email deliverability offer nuanced advice on configuring SPF and DKIM for multiple email service providers. They emphasize the technical specifics of Return-Path domains and DKIM selectors, clarifying that while SPF often consolidates senders under one record per domain, DKIM typically involves separate keys per signing service. Their insights highlight the importance of adhering to technical standards to ensure proper authentication and prevent deliverability issues, especially concerning bounce handling.
Key opinions
SPF record per domain: Experts confirm that you need one SPF record for each domain used as a bounce/Return-Path domain. This record should list all services authorized to send from that domain, typically using include: statements.
DKIM key variations: Each service that signs your mail will typically generate a unique DKIM key. The total number of DKIM keys to publish depends on how each ESP handles signing for your main domain and any subdomains.
Bounce domain uniqueness: It is critical not to use the same hostname as the bounce string (Return-Path domain) for different ESPs. Doing so will lead to bounces being sent to the incorrect location, causing deliverability problems.
Klaviyo DKIM priority: For Klaviyo specifically, experts suggest that DKIM authentication carries significant weight for deliverability. This highlights the importance of correctly configuring DKIM for that platform.
Key considerations
DNS visibility: SPF records and DKIM public keys are publicly visible in DNS. Experts encourage sharing these for sanity checks and troubleshooting, as they contain no sensitive information.
SPF for Return-Path: SPF validates the domain in the SMTP 'Mail From' (Return-Path) address, not the 'From' address seen by the recipient. This distinction is crucial for understanding SPF alignment in DMARC.
DKIM alignment: While DKIM can sign with any domain, it ideally aligns with the 'From' header domain for DMARC pass. This alignment is key for maximizing inbox placement rates.
Practical advice only: Experts advise against theoretical configurations that might technically work but are not practically supported or advised due to potential issues like misdirected bounces. Focus on standard, proven setups.
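The Return-Path versus 'From' distinction described above decides whether a message passes DMARC. The following Python sketch is an added example, not part of the original summary or any ESP's tooling: it reads two constructed messages (all domains are .test placeholders) and reports SPF and DKIM alignment, assuming the organizational domain is simply the last two labels.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed messages. SHARED is signed and bounced through the ESP's own
# domain; BRANDED uses a bounce subdomain and a DKIM key of the sender's domain.
SHARED = ("From: Shop <news@example.test>\n"
          "Authentication-Results: mx.receiver.test;\n"
          " spf=pass smtp.mailfrom=bounce@esp-a.test;\n"
          " dkim=pass header.d=esp-a.test header.s=k1\n\nbody\n")
BRANDED = ("From: Shop <news@example.test>\n"
           "Authentication-Results: mx.receiver.test;\n"
           " spf=pass smtp.mailfrom=bounces@send.example.test;\n"
           " dkim=pass header.d=esp-a.test header.s=k1;\n"
           " dkim=pass header.d=example.test header.s=esp1\n\nbody\n")

def org_domain(domain):
    # Assumption: last two labels. Real evaluators use the Public Suffix List
    # so that names such as example.co.uk are handled correctly.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if strict else org_domain(a) == org_domain(f)

def dmarc_view(raw, strict=False):
    """Report which authenticated identifiers align with the From domain."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    # Only trust Authentication-Results added by your own receiving server.
    results = " ".join(msg.get_all("Authentication-Results", []))
    spf = re.findall(r"\bspf=(\w+)[^;]*?smtp\.mailfrom=([^\s;]+)", results)
    dkim = re.findall(r"\bdkim=(\w+)[^;]*?header\.d=([^\s;]+)", results)
    spf_ok = any(res == "pass" and aligned(d.rpartition("@")[2], from_domain, strict)
                 for res, d in spf)
    dkim_ok = any(res == "pass" and aligned(d, from_domain, strict)
                  for res, d in dkim)
    return {"from": from_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}

if __name__ == "__main__":
    for label, raw in (("shared", SHARED), ("branded", BRANDED)):
        print(label, dmarc_view(raw))
```

In SHARED both SPF and DKIM pass, yet neither identifier belongs to the 'From' domain, so DMARC fails; BRANDED passes through either identifier.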
Expert view
An expert from Email Geeks confirms that you will need one SPF record for each Return-Path domain you utilize. These SPF records should explicitly list the services authorized to send using that domain, typically through 'include' statements.
26 Jan 2024 - Email Geeks
Expert view
An expert from Spam Resource recommends a specific strategy to improve Klaviyo deliverability, indicating that certain configurations within Klaviyo's DKIM setup can be optimized for better inbox placement.
02 Feb 2023 - Spam Resource
What the documentation says
Official documentation from email service providers and industry standards bodies provides the definitive guidelines for implementing SPF and DKIM. These resources consistently emphasize the one-SPF-record-per-domain rule, the requirement for unique DKIM keys per signing entity, and the importance of specific Return-Path configurations. Understanding these documented technical specifications is paramount for ensuring email deliverability and compliance with sender requirements from major inbox providers.
Key findings
RFC compliance: Official RFCs (Request for Comments) for SPF (RFC 7208) and DKIM (RFC 6376) specify the technical requirements for these protocols, including the rule that a domain should have only one SPF TXT record.
ESP-specific instructions: Documentation from platforms like Klaviyo and Shopify provides precise CNAME records and other DNS entries required for their specific DKIM signing domains, ensuring proper authentication for emails sent via their services.
Subdomain delegation: Documentation often guides users on how to set up SPF and DKIM for subdomains, which is necessary when an ESP utilizes a distinct subdomain for email sending or bounce handling.
Shared vs. dedicated sending domains: Documentation may differentiate between authentication for shared sending domains (where SPF is often handled automatically) and custom or branded sending domains (where manual DNS record setup is required).
Key considerations
SPF DNS lookup limit: The SPF specification (RFC 7208) imposes a limit of 10 DNS lookups. Exceeding this limit with too many 'include' or 'a' mechanisms will cause SPF validation failures. This is a common issue when combining multiple ESPs.
DKIM selector best practices: Documentation often recommends using unique DKIM selectors for different services or campaigns to allow for rotation or troubleshooting without impacting all email streams.
DMARC record placement: The DMARC specification (RFC 7489) requires the DMARC record to be published as a TXT record at the _dmarc label of the organizational domain (e.g., _dmarc.yourdomain.com), where it covers all subdomains by default.
Compliance with new sender requirements: Major email providers like Gmail and Yahoo have updated their sender requirements, making robust SPF, DKIM, and DMARC authentication essential for bulk senders. Documentation from these providers details these new mandates.
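The one-record rule and the 10-lookup limit can both be checked before a DNS change goes live. The following Python sketch is an added example, not taken from any provider's documentation: it audits a constructed, offline zone in which every hostname and record value is a placeholder, and it counts the worst case in which every include is followed.

```python
# Constructed zone: TXT records keyed by hostname. All names and values are
# placeholders under .test, not any real provider's published records.
ZONE = {
    "shop.example.test": ["v=spf1 include:_spf.esp-a.test include:_spf.esp-b.test mx ~all",
                          "site-verification=constructed"],
    "split.example.test": ["v=spf1 include:_spf.esp-a.test ~all", "v=spf1 include:_spf.esp-b.test ~all"],
    "heavy.example.test": ["v=spf1 include:_spf.esp-a.test include:_spf.esp-b.test include:_spf.bulk.test ~all"],
    "_spf.esp-a.test": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_spf.esp-b.test": ["v=spf1 a:mail.esp-b.test ip4:198.51.100.0/24 ~all"],
    "_spf.bulk.test": ["v=spf1 " + " ".join(f"include:n{i}.bulk.test" for i in range(9)) + " ~all"],
}
ZONE.update({f"n{i}.bulk.test": [f"v=spf1 ip4:203.0.113.{i} ~all"] for i in range(9)})
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists")  # each costs a DNS query (RFC 7208)

def spf_records(zone, name):
    # Only TXT strings whose first token is v=spf1 are SPF records.
    return [t for t in zone.get(name, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(zone, name, chain=()):
    """Worst-case count of DNS-querying terms, following include and redirect."""
    if name in chain:
        raise ValueError(f"include loop at {name}")
    records = spf_records(zone, name)
    if len(records) != 1:
        raise ValueError(f"{name} publishes {len(records)} SPF records, expected 1")
    total = 0
    for term in records[0].lower().split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier
        if term.startswith("redirect="):
            total += 1 + count_lookups(zone, term[9:], chain + (name,))
            continue
        mech, _, arg = term.partition(":")
        if mech.split("/")[0] in LOOKUP_TERMS:
            total += 1
        if mech == "include":
            total += count_lookups(zone, arg, chain + (name,))
    return total

def audit(zone, name):
    if not spf_records(zone, name):
        return "none: no SPF record published"
    try:
        n = count_lookups(zone, name)
    except ValueError as exc:
        return f"permerror: {exc}"
    return f"ok: {n} DNS lookups" if n <= 10 else f"permerror: {n} DNS lookups, limit is 10"

if __name__ == "__main__":
    for host in ("shop.example.test", "split.example.test", "heavy.example.test"):
        print(host, "->", audit(ZONE, host))
```

The heavy.example.test entry shows how three ESP includes that each look small can exceed the limit once their nested includes are counted.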
Technical article
Documentation from Klaviyo Help Center states that on Klaviyo's shared sending domain, emails are automatically authenticated through SPF. If you use your own branded sending domain, you must manually set up SPF and DKIM.
02 Jul 2022 - Klaviyo Help Center
Technical article
Shopify's documentation on email authentication advises authenticating your domain with Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC) for improved deliverability.