Suped

How do SPF records and DKIM keys work with multiple email services like Klaviyo and Shopify?

Matthew Whittaker
Co-founder & CTO, Suped
Published 5 Jul 2025
Updated 17 Aug 2025
Managing email authentication records like SPF and DKIM can seem daunting, especially when you're using multiple services for different aspects of your communication. Many businesses, for example, rely on Klaviyo for marketing campaigns, Shopify for transactional emails like order confirmations, and a separate service like Outlook for direct customer support. The good news is that these protocols are designed to accommodate such setups, though careful configuration is key.
The primary goal of SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) is to prove that emails originating from your domain are legitimate and have not been tampered with. This is crucial for maintaining a good sender reputation and ensuring your messages land in the inbox, rather than the spam folder.
It can feel like a complex puzzle trying to ensure every email service is correctly authenticated, especially with the evolving requirements from major inbox providers like Google and Yahoo. Fortunately, by understanding how these records function individually and together, you can confidently manage your email ecosystem.

Managing SPF with multiple email services

SPF (Sender Policy Framework) is a DNS TXT record that specifies which mail servers are authorized to send emails on behalf of your domain. The fundamental rule here is that you should only have one SPF record per domain. If you attempt to publish multiple SPF records for the same domain, receiving mail servers will often ignore one or all of them, leading to authentication failures and potentially impacting your email deliverability.
When you use multiple email services like Klaviyo, Shopify, and Outlook (or Microsoft 365, Gmail, etc.), you need to combine all their authorized sending mechanisms into that single SPF record. This is typically done using `include:` statements, which point to the SPF records of each third-party sender. For example, your SPF record might include Klaviyo, Shopify, and Outlook's respective SPF mechanisms.
A common pitfall is exceeding the 10-DNS lookup limit for SPF records. Each `include:` statement counts as a lookup. If you exceed this, parts of your SPF record may not be evaluated, leading to authentication failures for some of your email streams. You may need to optimize your record or consider using subdomains for specific services to manage this. For more on handling multiple SPF records, see our guide on setting up an SPF record when using multiple email sending services.
Example consolidated SPF record (DNS):
v=spf1 include:spf.klaviyo.com include:shopify.com include:spf.protection.outlook.com -all
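The single-record rule and the 10-lookup limit can be checked before a change is published. The sketch below is an added example, not Suped's code: it walks nested `include:` and `redirect=` terms and counts every DNS-querying term the way RFC 7208 section 4.6.4 does. `ZONE` is a constructed stand-in for DNS; only the `yourdomain.com` record comes from this article, and the contents of every other record are invented.

```python
# Terms that trigger a DNS query during SPF evaluation (RFC 7208, section 4.6.4).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LIMIT = 10

# Constructed stand-in for DNS TXT answers. The yourdomain.com record is the one
# from the article; the contents of every other record are invented for the demo.
ZONE = {
    "yourdomain.com": ["v=spf1 include:spf.klaviyo.com include:shopify.com "
                       "include:spf.protection.outlook.com -all"],
    "spf.klaviyo.com": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "shopify.com": ["v=spf1 include:_spf.a.example include:_spf.b.example mx -all"],
    "spf.protection.outlook.com": ["v=spf1 ip4:198.51.100.0/24 include:_spf.a.example -all"],
    "_spf.a.example": ["v=spf1 ip4:203.0.113.0/25 -all"],
    "_spf.b.example": ["v=spf1 ip4:203.0.113.128/25 -all"],
}

def spf_records(zone, domain):
    """TXT strings at `domain` that are SPF records (start with v=spf1)."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(zone, domain, path=()):
    """Count DNS-querying terms reachable from the SPF record at `domain`."""
    if domain in path:
        raise ValueError(f"include loop via {domain}")
    records = spf_records(zone, domain)
    if len(records) != 1:  # zero or several records is a permanent error
        raise ValueError(f"{domain}: {len(records)} SPF records, need exactly 1")
    total = 0
    for term in records[0].split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier
        name, _, target = term.partition(":")
        if term.lower().startswith("redirect="):
            total += 1 + count_lookups(zone, term.split("=", 1)[1], path + (domain,))
        elif name.lower() == "include":
            total += 1 + count_lookups(zone, target, path + (domain,))
        elif name.split("/")[0].lower() in LOOKUP_MECHANISMS:
            total += 1
    return total

def check(zone, domain):
    """Return ("ok", n) or ("permerror", reason) for the SPF policy at `domain`."""
    try:
        n = count_lookups(zone, domain)
    except ValueError as exc:
        return ("permerror", str(exc))
    return ("ok", n) if n <= LIMIT else ("permerror", f"{n} lookups, limit is {LIMIT}")

if __name__ == "__main__":
    print(check(ZONE, "yourdomain.com"))
```

With the constructed data, three top-level includes already cost seven lookups because of nesting, which is why adding one more service can push a record over the limit.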

DKIM keys for diverse platforms

Unlike SPF, which is a single record for your domain, DKIM (DomainKeys Identified Mail) is designed to allow for multiple keys. Each email service provider (ESP) will typically provide you with one or more unique DKIM keys (also known as selectors) that you need to publish as CNAME or TXT records in your DNS. These keys are used to digitally sign your outgoing emails, allowing receiving servers to verify the message's authenticity and integrity.
For instance, Klaviyo will provide specific DKIM records that need to be added to your DNS for your sending domain, often looking like kl1._domainkey.yourdomain.com. Similarly, Shopify will offer its own set of DKIM keys for their transactional emails. Each distinct email sending service or platform that sends emails on your behalf will usually require its own set of DKIM records. This is perfectly normal and expected, as each service signs emails differently.
You can have multiple DKIM records (each with a unique selector) for the same domain, or even multiple DKIM records pointing to the same key value if different services happen to use the same signing infrastructure. The key is to ensure that every service that sends email using your domain has its corresponding DKIM record properly published and validated. For further details on this, you can review our guide on needing multiple DKIM records with various ESPs.

| Authentication Protocol | Function | Multiple ESPs |
| --- | --- | --- |
| SPF | Authorizes sending IP addresses based on the Return-Path domain. | One consolidated record per domain, including all authorized ESPs using `include:`. |
| DKIM | Digitally signs email messages, verifying sender and message integrity. | Multiple unique records (selectors) per domain, one for each signing ESP. |

The subdomain factor and bounce handling

The use of subdomains adds another layer to SPF and DKIM configuration. If you choose to send emails from a subdomain, for example, marketing.yourdomain.com for Klaviyo, that subdomain will need its own SPF record. This SPF record should only list the mail servers authorized to send emails from that specific subdomain. You would not typically merge this SPF record with your main domain's SPF, as they relate to different Return-Path domains.
Similarly, if you use a subdomain for sending with Klaviyo or any other ESP, that subdomain will usually require its own DKIM keys, specific to the ESP. This ensures proper authentication for emails originating from that subdomain. This approach helps isolate your sending reputation, so issues on one subdomain are less likely to impact your main domain's email deliverability.
A critical aspect often overlooked is the bounce domain (also known as the Return-Path). Each ESP typically uses a unique bounce domain (often a subdomain of yours, or one of theirs) to handle bounces and feedback loop reports. It is crucial that you do not attempt to use the same bounce string or Return-Path hostname for different ESPs. Doing so can cause significant issues, as bounces intended for one service might be sent to another, leading to lost data and deliverability problems. Instead, allow each ESP to configure its own unique bounce domain, ensuring proper bounce processing and compliance. For more information, read about setting up a subdomain for email sending with Klaviyo.

Primary domain sending

  1. SPF: One SPF record for the main domain, combining all ESPs.
  2. DKIM: Multiple DKIM records on the main domain, one for each ESP.
  3. Reputation: Shared reputation across all sending streams from the primary domain.

Subdomain sending

  1. SPF: Separate SPF record for each subdomain, only including its specific ESP.
  2. DKIM: Multiple DKIM records on the subdomain, one for each ESP sending from there.
  3. Reputation: Isolated reputation, protecting the main domain from subdomain-specific issues.

DMARC compliance and alignment

To fully leverage SPF and DKIM for optimal email deliverability, especially with multiple services, you must also consider DMARC (Domain-based Message Authentication, Reporting, and Conformance). DMARC builds upon SPF and DKIM by allowing domain owners to specify how receiving mail servers should handle emails that fail authentication checks, and it provides reporting mechanisms.
For DMARC to pass, either SPF or DKIM (or both) must 'align' with the From: domain that your recipients see. This means the Return-Path domain checked by SPF, or the domain signed by DKIM, must match your primary sending domain or a policy-defined organizational domain. When using multiple ESPs, it's essential to ensure that each service is configured to authenticate with your domain (or a subdomain) in a way that allows DMARC alignment to pass. You can learn more about how SPF, DKIM, and DMARC email authentication standards work in our dedicated guide.
Proper DMARC implementation with SPF and DKIM is critical for enhancing your domain's reputation and protecting against spoofing and phishing attacks. It signals to inbox providers like Google and Yahoo that your emails are authentic, which is increasingly important given their new sender requirements for 2024. These standards help prevent your emails from being marked as spam or rejected outright.
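The alignment rule is easiest to see when applied to each sending stream separately. The following is an added example, not Suped's code: it evaluates two constructed streams under relaxed and strict alignment, using the DMARC `aspf` and `adkim` tag values. The hostnames are hypothetical, and `org_domain` is a simplification (last two labels) where a real receiver consults the Public Suffix List.

```python
def org_domain(domain):
    """Simplified organizational domain: the last two labels.
    Assumption for this demo; real receivers consult the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, strict):
    """Strict mode needs an exact match; relaxed mode compares organizational domains."""
    if strict:
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_verdict(msg, aspf="r", adkim="r"):
    """Evaluate one message. aspf/adkim are the DMARC alignment tags (r or s)."""
    # SPF counts only if it passed AND the Return-Path domain aligns with From:.
    spf_ok = msg["spf_pass"] and aligned(msg["from"], msg["return_path"], aspf == "s")
    # DKIM counts if any valid signature's signing domain aligns with From:.
    dkim_ok = any(valid and aligned(msg["from"], d, adkim == "s")
                  for d, valid in msg["dkim"])
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

# Constructed sample streams; every hostname here is hypothetical.
STREAMS = {
    # ESP configured with your own subdomain for bounces and signing.
    "marketing": {
        "from": "yourdomain.com",
        "return_path": "bounce.marketing.yourdomain.com",
        "spf_pass": True,
        "dkim": [("marketing.yourdomain.com", True)],
    },
    # ESP left on its own bounce and signing domains: SPF and DKIM both
    # pass for the ESP's domain, but neither aligns with your From: domain.
    "transactional": {
        "from": "yourdomain.com",
        "return_path": "bounces.esp.example",
        "spf_pass": True,
        "dkim": [("esp.example", True)],
    },
}

if __name__ == "__main__":
    for name, msg in STREAMS.items():
        print(name, dmarc_verdict(msg), dmarc_verdict(msg, aspf="s", adkim="s"))
```

The second stream fails DMARC even though both checks pass on their own, and the first stream would fail too if the policy demanded strict alignment while the ESP signs with a subdomain.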

DMARC: the email security orchestrator

DMARC leverages both SPF and DKIM to verify email authenticity. It acts as a policy layer, telling receiving mail servers what to do if an email fails SPF or DKIM checks. Implementing DMARC (even with a p=none policy initially) provides valuable insights through aggregate reports, helping you identify and fix authentication issues across all your sending services.

Views from the trenches

Best practices
Ensure that you consolidate all SPF mechanisms from all your email services into a single TXT record for your main domain. This prevents conflicts and ensures all legitimate senders are authorized.
Always set up unique DKIM records for each email service provider you use, even if they send from the same domain. Each ESP provides distinct keys for signing.
If using subdomains, configure separate SPF and DKIM records for each. This helps isolate sender reputation and prevent issues on one subdomain from affecting others.
Prioritize DMARC implementation. It builds on SPF and DKIM, providing crucial feedback and protecting your domain from unauthorized use.
Regularly check your DMARC reports to monitor authentication pass/fail rates for all your sending sources. This is essential for troubleshooting and maintaining deliverability.
Common pitfalls
Creating multiple SPF TXT records for the same domain, which violates SPF standards and often leads to authentication failures and reduced deliverability.
Not adding all legitimate sending services to your SPF record, causing emails from unlisted sources to fail SPF checks and likely land in spam.
Attempting to share the same bounce (Return-Path) domain across different email service providers, which can lead to lost bounce data and deliverability issues.
Ignoring DMARC. Without it, even with SPF and DKIM, you lack visibility into spoofing attempts and control over how unauthenticated emails are handled.
Neglecting to monitor DNS changes. DNS records for SPF and DKIM can sometimes be accidentally removed or altered during domain management.
Expert tips
Use a subdomain for each major email service (e.g., marketing.yourdomain.com for Klaviyo, transactional.yourdomain.com for Shopify). This offers granular control and helps isolate sender reputation.
Always verify your SPF and DKIM records using an online tool after making any changes. This confirms they are correctly published and syntactically valid.
Consider a DMARC policy of p=quarantine or p=reject for robust protection, but move to it gradually from p=none after careful monitoring of your DMARC reports.
Understand the difference between the 'From' header, the Return-Path (bounce domain), and the DKIM signing domain for proper DMARC alignment.
If you hit the 10-DNS lookup limit for SPF, flatten your SPF record or delegate SPF to subdomains to stay compliant.
Expert view
Expert from Email Geeks says that you will need one SPF record for each domain you use as your bounce or Return-Path domain. Those SPF records should list the services sending using that domain, typically through include statements.
2024-01-26 - Email Geeks
Expert view
Expert from Email Geeks notes that each service that signs your mail will produce a key, and the number of DKIM keys you publish depends on how Klaviyo handles signing for your domain and subdomain. It's possible to sign both streams with the same key, but that depends on your specific setup.
2024-01-26 - Email Geeks

Ensuring smooth email delivery

Navigating SPF and DKIM records across multiple email services like Klaviyo and Shopify requires a clear understanding of each protocol's nuances. Remember to consolidate SPF records for a single domain, ensuring all authorized senders are included without exceeding lookup limits. For DKIM, be prepared to publish multiple unique keys, as each service will typically provide its own.
By diligently configuring these authentication mechanisms and paying close attention to subdomain and bounce domain practices, you can establish a robust email sending infrastructure. This not only improves your email deliverability but also safeguards your brand reputation against malicious activities, ensuring your messages consistently reach their intended recipients.
