Suped

How do I troubleshoot DMARC, SPF, and DKIM setup issues in Klaviyo?

Michael Ko
Co-founder & CEO, Suped
Published 9 May 2025
Updated 19 Aug 2025
It's a common and frustrating scenario: you've diligently followed Klaviyo's setup instructions for SPF, DKIM, and DMARC, and their interface confirms everything is active. Yet, when you check with third-party tools, you see authentication failures, or worse, your emails are landing in spam folders. This discrepancy can be incredibly confusing and challenging to resolve.
I understand the urgency of getting these foundational email authentication protocols right. Without proper configuration of Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC), your email deliverability can suffer significantly, impacting your marketing efforts and sender reputation. Let's explore how to troubleshoot these issues effectively when using Klaviyo.

Understanding Klaviyo's email authentication

Klaviyo streamlines much of the SPF and DKIM setup process once you connect a branded sending domain. When you add your domain, Klaviyo typically provides CNAME records for SPF (related to the return-path or bounce domain) and DKIM authentication. These CNAMEs point to Klaviyo's infrastructure, meaning they manage the actual SPF TXT record and DKIM public key for you. This simplifies things but also means you're relying on their internal validation.
DMARC, however, is something you configure directly on your root domain's DNS. It requires both SPF and DKIM to pass and, crucially, to align with your From: address. A common issue is that while SPF and DKIM may technically pass through Klaviyo, the alignment aspect for DMARC might be misconfigured, leading to DMARC failures even when the individual authentication methods seem okay.
Understanding what each protocol does is the first step in effective troubleshooting. SPF verifies the sender's IP address, DKIM ensures the message hasn't been tampered with, and DMARC dictates how receiving mail servers should handle emails that fail these checks and provides reporting. For a more in-depth understanding, I often refer to our simple guide to DMARC, SPF, and DKIM.

Klaviyo authentication setup

When setting up your branded sending domain in Klaviyo, you'll receive specific CNAME records to add to your DNS. These records are crucial for Klaviyo to authenticate your emails. Ensure you're adding them to the correct DNS zone for your domain.
  1. DNS provider: Access your domain's DNS settings through your domain registrar or hosting provider.
  2. Klaviyo instructions: Follow the exact CNAME records provided by Klaviyo for SPF and DKIM. Do not create TXT records directly for SPF or DKIM if Klaviyo asks for CNAMEs.
One of the most frequent culprits behind setup woes is incorrect DNS configuration or DNS propagation delays. Even a small typo in a CNAME record can prevent authentication from passing. For Klaviyo, you'll typically be adding a CNAME record for your sending subdomain (e.g., send.yourdomain.com) and another for DKIM. If you're encountering issues, the first place to look is your DNS records.
DKIM selectors are often a source of confusion. When you generate a DKIM key, it's associated with a specific selector, which is a unique string that helps receiving servers find the correct public key in your DNS. Some third-party tools might not know which selector your Klaviyo emails are using, leading them to report a DKIM failure even if it's correctly set up. This is because they can't guess the selector you're actually using. I've seen this happen quite a bit, and it requires checking the raw email headers to find the correct selector for verification. You can learn more about common DKIM selectors.
DNS propagation can also cause temporary issues. After adding or modifying DNS records, it can take anywhere from a few minutes to 48 hours for these changes to update across the internet. If you've just made changes, patience is key before you start intensive troubleshooting. Confirming propagation with a reliable DNS lookup tool can save a lot of headaches.
Example Klaviyo DKIM CNAME record (DNS)
Host: krs._domainkey.yourdomain.com
Type: CNAME
Value: dkim.klaviyo.com

Diagnosing authentication failures

When Klaviyo says your setup is correct but external tools disagree, you need a reliable way to diagnose the real status. The most accurate way to confirm SPF, DKIM, and DMARC is to inspect the raw email headers of a message sent from Klaviyo that you've received. This shows exactly how the email was authenticated by the receiving mail server. Look for authentication results like spf=pass, dkim=pass, and dmarc=pass.
DMARC reports are another invaluable tool. Once your DMARC record is published with a rua tag, you'll start receiving aggregate reports from major mail providers. These XML reports provide an overview of your email traffic, showing how many emails are passing or failing SPF, DKIM, and DMARC, and why. This is the most comprehensive way to troubleshoot DMARC failures at scale.
When you encounter discrepancies, it often boils down to how different tools interpret or access DNS records. Some online checkers might not be sophisticated enough to follow CNAME chains or infer the correct DKIM selector without receiving an actual email. Always prioritize verification through actual email headers and DMARC reports over simple domain scanners that don't analyze live email streams. Our guide on verifying your setup can provide further assistance.

Klaviyo dashboard validation

Klaviyo's interface shows your branded sending domain as active or verified, suggesting SPF and DKIM CNAMEs are resolving correctly.
This validation is often based on the DNS records being present and correctly pointing to Klaviyo's servers.

Third-party tool results

Tools report SPF/DKIM failures or warnings, particularly if they can't determine the correct DKIM selector or if DMARC alignment is not met.
These tools perform a direct lookup without necessarily analyzing an actual email's authentication chain.
It's important to remember that some domain-only tools might not accurately reflect the DMARC status of your emails. The most reliable way to troubleshoot is by examining the authentication results in the header of an email actually sent through Klaviyo. This provides real-world validation of the entire authentication process. For common causes of Klaviyo email authentication failures, explore our detailed guide.

Advanced troubleshooting and alignment

Even if SPF and DKIM pass, your DMARC check can still fail if alignment isn't achieved. DMARC requires that the domain in your From: header aligns with the domain used for SPF (the return-path domain) and DKIM (the d= domain). In Klaviyo, this usually means ensuring your branded sending domain is correctly configured and used for your From: address. If you're sending from a shared Klaviyo domain or an unauthenticated root domain, DMARC will likely fail.
To fix DMARC failures, ensure your From: domain is the same as, or a subdomain of, your SPF and DKIM authenticated domains. This alignment is critical, especially with new sender requirements from Gmail and Yahoo. If you're seeing DMARC failures even with passing SPF and DKIM, the problem is likely DMARC alignment. Maintaining a positive sender reputation also means avoiding blocklists (or blacklists), which can be impacted by authentication failures. Our guide on blocklists highlights the consequences of such issues.
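The header inspection and alignment check described above, as an added example that is not Suped's or Klaviyo's code: it extracts the DKIM selector and d= domain from a received message, then tests whether the SPF and DKIM domains align with From:. Under RFC 7489 a message passes DMARC when at least one of SPF or DKIM passes with an aligned domain. The headers are constructed, shared-esp.example is a placeholder, and the two-label organizational-domain rule is a simplifying assumption.

```python
import re
from email import message_from_string

# Constructed headers (not from a real message); {d} is the authenticated domain.
TEMPLATE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.i=@{d} header.s=krs;
 spf=pass smtp.mailfrom=bounce@{d};
 dmarc={dmarc} header.from=yourdomain.com
DKIM-Signature: v=1; a=rsa-sha256; d={d}; s=krs;
 h=from:to:subject; bh=AAAA; b=BBBB
From: Shop <news@yourdomain.com>

body
"""

def org_domain(domain):
    # Simplification: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    if not auth_domain:
        return False
    if strict:  # strict mode (adkim=s / aspf=s): exact match required
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def analyze(raw, strict=False):
    msg = message_from_string(raw)
    unfold = lambda name: " ".join(msg.get(name, "").split())
    ar, sig = unfold("Authentication-Results"), unfold("DKIM-Signature")
    from_domain = re.search(r"@([\w.-]+)", msg["From"]).group(1)
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar))
    tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
    m = re.search(r"smtp\.mailfrom=(?:[^@\s;]*@)?([\w.-]+)", ar)
    spf_ok = results.get("spf") == "pass" and aligned(m and m.group(1), from_domain, strict)
    dkim_ok = results.get("dkim") == "pass" and aligned(tags.get("d"), from_domain, strict)
    return {
        # The DNS name a checker must query; it cannot be guessed without s= and d=.
        "dkim_dns_name": f"{tags.get('s')}._domainkey.{tags.get('d')}",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc_expected": "pass" if (spf_ok or dkim_ok) else "fail",
        "dmarc_reported": results.get("dmarc"),
    }

branded = analyze(TEMPLATE.format(d="send.yourdomain.com", dmarc="pass"))
shared = analyze(TEMPLATE.format(d="shared-esp.example", dmarc="fail"))
```

Here branded aligns in relaxed mode because send.yourdomain.com shares an organizational domain with the From: address, while shared shows spf=pass and dkim=pass yet fails DMARC because neither domain matches.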

Best practices for Klaviyo authentication

  1. Always use a branded sending domain: Sending from a shared Klaviyo domain limits your control and impacts DMARC. Use your own domain.
  2. Match your from address: Ensure your email's From: domain is aligned with your authenticated domain for DMARC pass.
  3. Monitor DMARC reports: Regularly review aggregate DMARC reports to identify authentication issues early. Understanding DMARC reports is key.

Views from the trenches

Best practices
Ensure your Klaviyo branded sending domain is fully set up and active for all email types.
Verify that your DMARC policy is set to at least p=none initially to gather reports without impacting delivery.
Always check the raw email headers from a test email sent via Klaviyo for true authentication results.
Implement one-click unsubscribe (RFC 8058) headers, as major providers now require them for better deliverability.
Regularly review your DMARC aggregate reports to pinpoint authentication failures and identify the sources of problems.
Common pitfalls
Relying solely on Klaviyo's internal verification, which may not catch DMARC alignment issues.
Misinterpreting third-party domain checker results, especially regarding DKIM selectors.
Not having a DMARC record or setting a too-strict policy (e.g., p=reject) without proper monitoring.
Overlooking DNS propagation times after adding or modifying records, leading to false negatives.
Failing to align the 'From' domain with your SPF and DKIM authenticated domains, causing DMARC to fail.
Expert tips
Use a tool that analyzes a received email's full headers, as it's the most accurate way to confirm authentication.
Be aware that some DKIM selectors are randomized (e.g., by AWS), making them hard for public tools to guess.
While List-ID isn't a hard requirement, consider its value for user experience in subscription centers and spam reporting.
Understand that platform-specific features like one-click unsubscribe are crucial for future compliance and inbox placement.
Set up DMARC monitoring to gain visibility into your email authentication performance over time.
Expert view
Expert from Email Geeks says that test websites often guess DKIM selectors, which can lead to inaccurate results if a non-standard selector is in use. The most accurate way to confirm DKIM is to review a received message.
2024-01-11 - Email Geeks
Marketer view
Marketer from Email Geeks says they've encountered issues with certain domain scanners not detecting all DKIM selectors, falsely reporting missing records. They emphasize the need to manually inspect DNS records for confirmation.
2024-01-11 - Email Geeks

Final thoughts on Klaviyo authentication

Troubleshooting SPF, DKIM, and DMARC setup issues in Klaviyo requires a systematic approach. While Klaviyo's internal confirmations are a good start, don't stop there. Always cross-reference with actual email headers and DMARC reports, as these provide the most accurate picture of how your emails are being authenticated by receiving mail servers.
By understanding the nuances of DNS propagation, DKIM selectors, and DMARC alignment, you can confidently diagnose and resolve authentication issues, ensuring your Klaviyo emails consistently reach the inbox. Remember, strong email authentication is the backbone of good deliverability and protects your brand from spoofing and phishing attacks.
