Are SPF, DKIM, and DMARC necessary for transactional emails?

Yes, SPF, DKIM, and DMARC are crucial for transactional emails. While traditionally associated with marketing emails, transactional emails often carry critical information (e.g., order confirmations, password resets). Failure to authenticate these can lead to messages being blocked or sent to spam, directly impacting user experience and business operations. It is important to treat all email streams with the same authentication rigor.

If DKIM passes but SPF fails, and DMARC passes with a reject policy, will my emails still be delivered?

For DMARC to pass, at least one of SPF or DKIM must be aligned and pass authentication. So, if DKIM passes and is aligned, and DMARC is set to p=reject , your emails should still be delivered successfully according to DMARC's policy. However, having both SPF and DKIM properly set up and aligned provides a stronger authentication signal and can further improve deliverability, especially with more stringent recipient mail servers.

What specific DNS records are required for Klaviyo and BigCommerce authentication?

For Klaviyo, you'll need to set up a branded sending domain, which involves adding several CNAME records for DKIM, SPF, and tracking, as well as a TXT record for domain ownership verification. BigCommerce also has specific DNS record requirements for authenticating emails sent through their platform, ensuring they pass SPF and DKIM. Always consult their official documentation for the precise records to add.

What DMARC policy should I start with for new sending subdomains?

Starting with a DMARC policy of p=none is the recommended best practice for new sending subdomains. This policy allows you to gather DMARC reports and monitor your email authentication performance without any impact on email delivery. Once you have analyzed the reports and are confident that all legitimate email streams are passing authentication, you can gradually move to p=quarantine , and then to p=reject over time.

What SPF, DKIM, and DMARC settings are needed for Klaviyo and BigCommerce transactional emails? - Technical - Email deliverability - Knowledge base

Ensuring your emails reach the inbox is fundamental for any business, especially when it comes to transactional communications. These emails, like order confirmations, shipping updates, or password resets, are critical for customer experience and business operations. When using platforms such as

Klaviyo and

BigCommerce, proper email authentication is not just a best practice, but a necessity for reliable delivery.

Email authentication protocols like SPF, DKIM, and DMARC are the bedrock of good deliverability. They help mailbox providers verify that an email truly originates from the stated sender, preventing spoofing and phishing, and ultimately ensuring your legitimate emails aren't flagged as spam. Without these in place, even your most crucial transactional messages risk being blocked or sent to the spam folder, leading to lost revenue and customer frustration.

The landscape of email deliverability is constantly evolving, with major mailbox providers like Google and Yahoo implementing stricter sender requirements. This makes understanding and correctly configuring your SPF, DKIM, and DMARC settings more important than ever for platforms handling high volumes of transactional emails.

Suped DMARC monitoring

Free forever, no credit card required

Learn more

Trusted by teams securing millions of inboxes

The pillars of email authentication

Email authentication relies on three core protocols: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC). SPF allows a domain owner to specify which mail servers are authorized to send email on behalf of their domain. DKIM provides a cryptographic signature that verifies the email's sender and ensures the message hasn't been tampered with in transit. Together, these build trust signals for recipient servers.

DMARC then builds on top of SPF and DKIM, providing a framework for domain owners to instruct recipient mail servers on how to handle emails that fail authentication checks. It also offers reporting, giving insights into email authentication results and potential abuse. A key component of DMARC is alignment, which means the domain in the SPF or DKIM checks must match the From header domain.

It's a common misconception that transactional emails are somehow exempt from these authentication requirements. In reality, they are often more critical because they directly impact user experience and business processes. Failing to authenticate transactional emails can lead to delivery issues, placing them in the spam folder or outright blocking them, which is detrimental for order confirmations, shipping notifications, and password resets.

Major ISPs, including Gmail and Outlook, increasingly tie sender reputation to your entire DNS configuration, including SPF, DKIM, and DMARC. All elements must be properly aligned to demonstrate sender legitimacy. If you're looking for more details on these protocols, consider reviewing how these email authentication standards work.

Configuring for Klaviyo and BigCommerce

When using Klaviyo, setting up a branded sending domain is crucial. Klaviyo provides specific DNS records (CNAME and TXT) that you must add to your domain's DNS settings. This process ensures that emails sent through Klaviyo are authenticated as coming from your domain, rather than Klaviyo’s shared infrastructure. For a comprehensive guide, refer to Klaviyo's documentation on setting up a branded sending domain.

For Klaviyo, this typically involves adding a CNAME record for DKIM and another CNAME record for SPF, often on a sending subdomain like send.yourdomain.com. The records provided by Klaviyo will ensure proper authentication. Here's an example of what a Klaviyo CNAME record might look like:

Klaviyo DKIM CNAME Example

Host: krs._domainkey.yourdomain.com
Type: CNAME
Value: krs.dkim.klaviyo.com

BigCommerce also requires proper email authentication for its transactional emails. While BigCommerce may handle some authentication automatically if you're using their default sending, for optimal deliverability and DMARC compliance, it's best to configure your own domain. Refer to BigCommerce's guidance on DMARC, SPF, and DKIM for detailed steps. Both platforms emphasize the use of dedicated sending subdomains, which is a key recommendation for maintaining a strong sender reputation and avoiding issues with email blocklists or blacklists.

Using subdomains

It is highly recommended to use distinct subdomains for different types of email sending, for example, marketing.yourdomain.com for Klaviyo and transact.yourdomain.com for BigCommerce. This isolation helps protect your primary domain's reputation. If one subdomain faces deliverability issues or gets placed on a blocklist (or blacklist), it's less likely to affect the other sending streams. More information on this can be found in our guide on setting up a subdomain for Klaviyo.

DMARC policies and safe implementation

DMARC policies dictate how recipient servers should handle emails that fail SPF or DKIM authentication and alignment. The three main policy options are:

p=none: No action is taken, but DMARC reports are sent to the domain owner. This is ideal for initial monitoring and setup, allowing you to see which emails are failing authentication without impacting delivery. Refer to simple DMARC examples with a p=none policy.
p=quarantine: Emails failing DMARC checks are sent to the recipient's spam or junk folder.
p=reject: Emails failing DMARC checks are rejected outright and not delivered.

Your IT department's claim that if DKIM passes and SPF fails, and DMARC passes (with p=reject) you won't have delivery issues holds true for DMARC. DMARC requires at least one of SPF or DKIM to be aligned and pass authentication. If only one passes, that's sufficient for DMARC to pass. However, having both SPF and DKIM pass and align provides the strongest signal of authenticity and improves your chances against aggressive spam filters and blocklists (or blacklists).

For new sending subdomains, it is highly recommended to start with a DMARC policy of p=none. This allows you to monitor authentication results via DMARC reports without risking legitimate emails being rejected or sent to spam. Once you're confident that all your legitimate email streams are passing authentication and alignment, you can gradually move to p=quarantine, and then to p=reject. This phased approach helps to safely transition your DMARC policy without unexpected delivery disruptions. Additionally, ensuring Gmail and Yahoo's latest requirements are met is critical.

HTTPS/SSL on sending subdomains

It is essential that all your sending subdomains, even those not hosting direct content, use HTTPS/SSL and ideally redirect to your main website. While ISPs may not directly check for a live website on sending subdomains, having a valid, secure website at that URL adds to your overall domain reputation and trustworthiness. It demonstrates that you are taking ownership of your sending infrastructure and provides a consistent brand experience if a recipient accidentally navigates to that subdomain.

Ensuring transactional email success

Proper SPF, DKIM, and DMARC settings are indispensable for successful email deliverability, especially for transactional emails sent via platforms like Klaviyo and BigCommerce. Implementing a comprehensive authentication strategy, including the use of dedicated subdomains and a phased DMARC rollout, will significantly enhance your inbox placement rates and protect your brand's reputation.

By adhering to these best practices and consistently monitoring your authentication results, you can ensure your critical transactional emails reach your customers reliably, fostering trust and supporting seamless business operations. For more on best practices, see our article on setting up SPF, DKIM, and DMARC.

Views from the trenches

Best practices

Implement full SPF, DKIM, and DMARC authentication and alignment for all sending domains, including transactional ones.

Utilize dedicated sending subdomains for different email types (e.g., marketing, transactional) to isolate reputation risks.

Ensure all sending subdomains use HTTPS/SSL and redirect to a live, legitimate website for improved trust and branding.

Common pitfalls

Skipping DMARC, or deploying it with an enforced policy (quarantine/reject) without thorough SPF/DKIM alignment checks.

Believing transactional emails do not require the same rigorous authentication as marketing emails.

Not having at least one of SPF or DKIM align and pass authentication, especially with a DMARC p=reject policy.

Expert tips

Start DMARC with a p=none policy to gather reports and assess authentication failures without impacting delivery.

Prioritize DKIM alignment if you must choose only one authentication method due to platform limitations.

Gradually move to stricter DMARC policies (p=quarantine, then p=reject) after confident monitoring of authentication results.

Expert view

Expert from Email Geeks says that while DMARC deployment is often planned, it can create significant challenges if SPF and DKIM are not correctly aligned first, potentially leading to more work.

2020-07-17 - Email Geeks

Marketer view

Marketer from Email Geeks indicates that some ISPs will reject mail without DKIM, or send it to spam, and Gmail may show a 'Sent via unsigned.domain.com' warning, impacting user experience. SPF checks are also being performed by older Microsoft Exchange servers on the mail.from domain, so having it is valuable.

2020-07-17 - Email Geeks