How do I fix DMARC issues with Mailchimp and Woodpecker while using O365?
Michael Ko
Co-founder & CEO, Suped
Published 25 Jun 2025
Updated 18 Aug 2025
Navigating email deliverability can be complex, especially when you're using multiple sending platforms like Mailchimp for consumer promotions, Woodpecker for B2B outreach, and Brevo for transactional emails, all while using Office 365 as your primary mail system. The layers of configuration can quickly lead to DMARC issues, where your legitimate emails might fail authentication checks, impacting your sender reputation and inbox placement.
These DMARC failures often stem from misconfigurations in underlying email authentication protocols: SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). When your domain's DNS records, managed by a service like Cloudflare, aren't perfectly aligned with how each sending service operates, you'll encounter problems. This guide will help you understand and resolve these common challenges.
My goal is to walk you through the precise steps to ensure every email you send, whether from Mailchimp, Woodpecker, or Brevo, passes DMARC checks, thereby boosting your email deliverability and ensuring your messages reach the intended inboxes.
The SPF record you've outlined, v=spf1 include:secureserver.net include:spf.protection.outlook.com include:servers.mcsv.net -all, needs careful review. The include:spf.protection.outlook.com is indeed necessary if you are sending emails directly from your Office 365 accounts. Similarly, include:servers.mcsv.net is correct for Mailchimp. However, you must also include the SPF mechanisms for Woodpecker and Brevo to ensure they are authorized to send on your behalf. Incorrect SPF records are a primary cause of SPF and DMARC failures.
Regarding include:secureserver.net, if your primary email system is Office 365 and you're not using GoDaddy's email hosting (which secureserver.net is associated with), this inclusion might be redundant or even incorrect. Each DNS lookup in your SPF record counts towards a 10-lookup limit. Exceeding this limit causes an SPF PermError, rendering your SPF record invalid. You should only include necessary sources.
To ensure correct SPF configuration, list all services that send email on behalf of your domain. If your emails are sent directly through Woodpecker and Brevo's infrastructure, you'll need their specific include mechanisms. A common approach is to log into each ESP's settings and find their recommended SPF records. You can then consolidate them into a single record. Refer to a simple guide to DMARC, SPF, and DKIM for foundational understanding.
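The 10-lookup budget is spent by every `include`, `a`, `mx`, `ptr`, `exists` and `redirect` term, including those nested inside included records. The following added example (not part of the original article) counts them for the record quoted above; the nested records in `ZONE` and the `spf.woodpecker.example` / `spf.brevo.example` include targets are constructed placeholders, not the providers' real values.

```python
import re

PAGE_RECORD = ("v=spf1 include:secureserver.net "
               "include:spf.protection.outlook.com include:servers.mcsv.net -all")
# Hypothetical include targets for the two senders the page says are missing.
ALL_SENDERS = PAGE_RECORD.replace(
    " -all", " include:spf.woodpecker.example include:spf.brevo.example -all")
TRIMMED = ALL_SENDERS.replace("include:secureserver.net ", "")

# Constructed stand-in for live DNS so this runs offline. These nested records
# are invented for illustration; they are NOT the providers' real SPF contents.
ZONE = {
    "secureserver.net": "v=spf1 include:a.example include:b.example mx -all",
    "a.example": "v=spf1 a mx -all",
    "b.example": "v=spf1 exists:%{i}.b.example -all",
    "spf.protection.outlook.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "servers.mcsv.net": "v=spf1 ip4:198.51.100.0/24 -all",
    "spf.woodpecker.example": "v=spf1 ip4:203.0.113.0/25 -all",
    "spf.brevo.example": "v=spf1 ip4:203.0.113.128/25 -all",
}
LOOKUP_LIMIT = 10  # RFC 7208, section 4.6.4


def count_lookups(record, zone=ZONE, path=()):
    """Count DNS-querying terms in `record`, following nested includes."""
    total = 0
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        m = re.match(r"([a-z0-9]+)(?:[:=]([^/]+))?", term.lstrip("+-~?").lower())
        if not m:
            continue
        name, target = m.groups()
        if name in ("a", "mx", "ptr", "exists"):
            total += 1
        elif name in ("include", "redirect") and target:
            total += 1
            if target not in path:  # do not follow include loops
                total += count_lookups(zone.get(target, "v=spf1"), zone, path + (target,))
    return total


def spf_status(record):
    """Return (lookups, verdict); exceeding the limit is a permerror."""
    n = count_lookups(record)
    return n, "permerror" if n > LOOKUP_LIMIT else "ok"


if __name__ == "__main__":
    for label, rec in [("page", PAGE_RECORD), ("all senders", ALL_SENDERS), ("trimmed", TRIMMED)]:
        print(label, spf_status(rec))
```

With this constructed data, adding the two missing senders pushes the record over the limit, and dropping the unneeded include brings it back well under. Against a live domain, replace `ZONE` with real TXT lookups.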
Ensuring DKIM alignment across platforms
The issue with your Office 365 DKIM not populating could be due to a few factors. Generating the DKIM records in the Defender Portal and adding them as CNAME records in Cloudflare is the correct procedure. However, DNS changes can take time to propagate globally. This might be why MXToolbox and Woodpecker aren't verifying them yet. Double-check for typos in the CNAME record's host and value fields, as even a small error can prevent verification.
For Mailchimp, setting up custom DKIM signing is absolutely critical for DMARC alignment. By default, Mailchimp signs emails with their own domain. For your emails to pass DMARC, the domain in the DKIM signature (d=domain) must align with your From domain. This is achieved by publishing the custom DKIM CNAME records provided by Mailchimp in Cloudflare. If these weren't set up previously, this is a major reason for your DMARC failures. You can find Mailchimp DKIM setup instructions in their documentation.
For Woodpecker, if it connects to your Office 365 account and sends emails through O365's infrastructure, then your Office 365 DKIM records should be sufficient for signing these emails and achieving DMARC alignment. However, if Woodpecker is sending directly using its own mail servers, it will require its own separate DKIM configuration. It is crucial to determine the sending path for Woodpecker emails to resolve DKIM alignment errors.
Before and after DKIM setup
Before custom DKIM: Emails from Mailchimp or other ESPs often fail DMARC because the DKIM signature's signing domain (d=) does not match your From domain. As a result, recipients may see an unauthenticated flag, or the message may be sent to spam.
After custom DKIM: Emails are properly signed with your domain, ensuring DKIM alignment and DMARC pass. This significantly improves deliverability and builds trust with receiving mail servers.
Understanding and managing DMARC policy
Changing your DMARC policy from p=quarantine to p=none is perfectly acceptable, especially during initial setup and troubleshooting. The p=none policy instructs receiving mail servers not to take any action on emails that fail DMARC, but still to send you DMARC reports. This allows you to gather data and identify all legitimate sending sources without risking your emails being quarantined or rejected. Learn more about DMARC implementation in Microsoft 365.
Your DMARC record, v=DMARC1; p=none; rua=mailto:rua@dmarc.brevo.com; ruf=mailto:rua@dmarc.brevo.com; adkim=r; aspf=r, includes adkim=r and aspf=r, indicating relaxed alignment for both DKIM and SPF. Relaxed alignment is generally recommended, as it provides more flexibility for ESPs by allowing subdomains to pass alignment. For example, an email signed by sends.yourdomain.com would pass DMARC alignment if your From domain is yourdomain.com. This is often beneficial when using third-party services that send on your behalf.
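The alignment rule described above, as an added example that is not part of the original article: it parses the DMARC record quoted on this page and evaluates a message under relaxed and strict modes. The `esp-shared.example` domains are constructed placeholders for an ESP's default signing and bounce domains, and `org_domain` is a simplification labelled in the code.

```python
PAGE_DMARC = ("v=DMARC1; p=none; rua=mailto:rua@dmarc.brevo.com; "
              "ruf=mailto:rua@dmarc.brevo.com; adkim=r; aspf=r")


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. Real
    # receivers consult the Public Suffix List (needed for e.g. .co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """mode 's' requires an exact match; 'r' only the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_eval(record, from_domain, dkim_pass=(), spf_pass=None):
    """dkim_pass: d= domains whose signatures verified.
    spf_pass: MAIL FROM domain that passed SPF, or None.
    Returns (result, requested disposition)."""
    tags = parse_dmarc(record)
    dkim_ok = any(aligned(from_domain, d, tags.get("adkim", "r")) for d in dkim_pass)
    spf_ok = spf_pass is not None and aligned(from_domain, spf_pass, tags.get("aspf", "r"))
    if dkim_ok or spf_ok:  # one aligned pass is enough
        return "pass", "none"
    return "fail", tags.get("p", "none")


if __name__ == "__main__":
    # ESP default signing: both checks pass, but for the ESP's domain, not yours.
    print(dmarc_eval(PAGE_DMARC, "yourdomain.com",
                     ["esp-shared.example"], "bounce.esp-shared.example"))
    # Custom DKIM on a subdomain aligns under adkim=r.
    print(dmarc_eval(PAGE_DMARC, "yourdomain.com", ["sends.yourdomain.com"]))
```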
The rua and ruf tags are crucial for receiving aggregate and forensic DMARC reports. These reports provide invaluable insight into your email ecosystem, showing which emails are passing or failing DMARC, from where, and why. Analyzing these reports is key to identifying all your legitimate sending sources and troubleshooting any remaining DMARC authentication failures. Understanding and troubleshooting DMARC reports from major providers like Google and Yahoo is a continuous process.
Moving towards full DMARC compliance
Resolving DMARC issues with multiple sending platforms and Office 365 is an ongoing process that requires diligent monitoring and adjustments. It’s not a one-time fix but a commitment to maintaining your email sending health. Begin by ensuring all your DNS records are correct and fully propagated, then move to analyzing the reports.
Once you have confidence in your authentication setup and consistently see DMARC passes in your reports, consider slowly transitioning your DMARC policy from p=none to p=quarantine and then p=reject. This provides increasing levels of protection against email spoofing and enhances your domain's trustworthiness. Implementing DMARC p=reject safely is a significant step towards full email security.
Remember that a strong DMARC implementation not only protects your brand from phishing and spoofing attacks but also directly impacts your email deliverability. Mailbox providers are more likely to trust and deliver emails from domains with correctly configured DMARC. Regularly checking your DMARC reports is key to staying ahead of any new issues. For more details, consider troubleshooting DMARC fail errors with a comprehensive approach.
Additionally, be aware that even with perfect DMARC, your email deliverability can be impacted if your domain or IP address lands on an email blocklist (or blacklist). These lists are maintained by various organizations to track and block known sources of spam. Regular blocklist monitoring is crucial to ensure your sending reputation remains clean and your emails consistently reach the inbox.
Views from the trenches
Best practices
Ensure all sending services are included in your SPF record while staying within the 10-lookup limit for optimum performance.
Always configure custom DKIM for ESPs like Mailchimp to ensure DMARC alignment and improved deliverability.
Start with a DMARC p=none policy and use aggregate reports to identify all legitimate sending sources.
Common pitfalls
Forgetting to add SPF includes for all third-party email service providers leads to DMARC failures.
Not setting up custom DKIM for marketing platforms results in DMARC alignment issues and emails landing in spam.
Misconfigurations or typos in DNS CNAME records for DKIM prevent successful verification and impact deliverability.
Expert tips
Use a DMARC monitoring tool to analyze reports, identifying authentication issues and unauthenticated senders.
Verify DNS propagation for new records using online tools to confirm they are visible globally.
Gradually transition DMARC policy from p=none to p=quarantine, then to p=reject, monitoring at each stage.
Marketer view
Marketer from Email Geeks says that setting up custom DKIM for Mailchimp should resolve most DMARC authentication issues.
2024-08-06 - Email Geeks
Expert view
Expert from Email Geeks says that the SPF record can be incorrect if Mailchimp uses its own domain in SPF, but custom DKIM is essential for DMARC alignment.
2024-08-07 - Email Geeks
Achieving seamless email authentication
Successfully fixing DMARC issues when using Mailchimp and Woodpecker with Office 365 hinges on precise configuration of your SPF, DKIM, and DMARC records. This layered approach ensures that every email sent from your domain is properly authenticated, gaining trust from recipient mail servers and enhancing your overall email deliverability. Proper DNS management, especially with a service like Cloudflare, is paramount in this process.
Always ensure your SPF record explicitly includes all legitimate sending services and stays within the 10-lookup limit. Crucially, set up custom DKIM for Mailchimp to achieve DMARC alignment. For Woodpecker, confirm whether it sends directly or via O365's infrastructure to apply the correct DKIM setup.
Starting with a p=none DMARC policy is a prudent first step, allowing you to collect and analyze DMARC reports. These reports are your roadmap to identifying any overlooked sending sources or lingering authentication issues. Once you are confident in your configuration, you can then safely move to stricter policies like p=quarantine or p=reject.
By diligently applying these steps and consistently monitoring your email authentication, you'll significantly improve your email deliverability, protect your brand, and ensure your messages consistently land in the inbox.