How to set up DMARC/DKIM/SPF for Blackbaud

Blackbaud DMARC setup should use DKIM as the main passing mechanism. Blackbaud does not support return-path matching for this sending source, so SPF can pass for Blackbaud's own envelope domain without satisfying DMARC for your visible From domain.
I set it up by adding the sending domain in Blackbaud, publishing the DKIM records Blackbaud provides, keeping SPF clean, publishing DMARC at p=none if the domain is new to DMARC, then moving to enforcement only after Blackbaud DKIM passes consistently.
Blackbaud authentication priority
- DKIM first: Blackbaud mail needs a DKIM pass that matches the From domain for DMARC to pass reliably.
- SPF second: Do not add random Blackbaud includes to your SPF record unless Blackbaud gives that exact value in your tenant.
- DMARC last: Start with monitoring, confirm the Blackbaud source, then tighten policy.
Add your domain
Add the same domain or subdomain that appears in Blackbaud's visible From address. If donors receive mail from gifts.example.org, authenticate gifts.example.org, not only example.org.

Blackbaud sender authentication screen with a pending sending domain.
- Open authentication: In Blackbaud, open the Email Resource Center or the email settings area for the product that sends your donor, event, admissions, or stewardship mail.
- Add domain: Enter the exact From domain Blackbaud will use, then save the sender authentication request.
- Copy values: Copy the DNS hostnames, record types, and target values from Blackbaud. Do not rewrite selectors or CNAME targets.
- Publish DNS: Add the records at your DNS host, wait for the TTL to pass, then return to Blackbaud and click Verify.
- Send test: Send a real Blackbaud test email from that domain before moving any DMARC policy tighter.
| | | |
|---|---|---|
| From domain | Your domain | Email settings |
| DKIM | Verified | Blackbaud |
| DMARC | Present | DNS |
Blackbaud domain setup checklist
Use Blackbaud tenant values
Blackbaud record names and targets can vary by product and tenant. The only safe DNS values are the ones shown in your Blackbaud account or provided by Blackbaud support.
Set up SPF
For Blackbaud, SPF is not the mechanism I rely on for DMARC. Because this Blackbaud source does not support return-path matching, SPF can fail DMARC checks even when Blackbaud is authorized to send the message.
- Check first: Look at your current SPF record before adding anything. SPF allows only one TXT record at the root or sending subdomain.
- Avoid guesses: Do not publish a Blackbaud SPF include unless Blackbaud gives you the exact include for your sending configuration.
- Expect noise: Expect SPF alignment errors for Blackbaud. This is acceptable when DKIM passes and matches the From domain.
- Stay under limits: Keep the SPF record under 10 DNS lookups, and remove stale senders before adding new ones.
What SPF can prove
- Envelope pass: SPF can pass for the return-path domain used by Blackbaud.
- IP approval: SPF can show that a sending IP is allowed by the envelope domain.
What SPF cannot prove
- DMARC pass: SPF does not pass DMARC unless the return-path domain matches the visible From domain.
- Blackbaud match: This source does not provide that return-path match, so DKIM must carry DMARC.
SPF action for Blackbaud
If Blackbaud does not show an SPF value in your account, leave SPF alone for Blackbaud and focus on DKIM. SPF is still important for your other sending sources.
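The "check first" and "stay under limits" steps above can be checked mechanically. This is an added example, not code from Blackbaud or from this page's author: it counts the DNS-querying terms of an SPF record, following includes, against the limit of 10, and rejects a name that carries more than one SPF record. The `ZONE` table and every domain in it are constructed stand-ins for real DNS answers.

```python
# Added example, not Blackbaud or Suped code. ZONE is constructed sample data that
# stands in for DNS TXT answers; none of these names is a real Blackbaud value.
ZONE = {
    "example.org": ["v=spf1 include:_spf.mail.example.net include:spf.crm.example.com mx -all"],
    "_spf.mail.example.net": ["v=spf1 include:_a.mail.example.net include:_b.mail.example.net ~all"],
    "_a.mail.example.net": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_b.mail.example.net": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "spf.crm.example.com": ["v=spf1 a exists:%{i}.rbl.example.com ~all"],
    "dup.example.org": ["v=spf1 -all", "v=spf1 mx -all"],  # two SPF records: invalid
}
# Terms that cost a DNS query during SPF evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}
LIMIT = 10

def spf_records(domain, zone=ZONE):
    """Return the TXT strings at `domain` that are SPF records."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone=ZONE, path=frozenset()):
    """Count lookup-causing terms in the record at `domain`, following include/redirect."""
    if domain in path:
        raise ValueError(f"{domain}: include/redirect loop")
    records = spf_records(domain, zone)
    if len(records) != 1:
        raise ValueError(f"{domain}: expected one SPF record, found {len(records)}")
    total = 0
    for term in records[0].split()[1:]:
        term = term.lstrip("+-~?").lower()
        if term.startswith("redirect="):
            total += 1 + count_lookups(term[9:], zone, path | {domain})
            continue
        name, _, target = term.partition(":")
        name = name.split("/")[0]          # "a/24" and "mx/24" still query DNS
        if name in LOOKUP_TERMS:
            total += 1
            if name == "include":
                total += count_lookups(target, zone, path | {domain})
    return total

def within_limit(domain, zone=ZONE):
    """True when the record at `domain` stays within the 10-lookup limit."""
    return count_lookups(domain, zone) <= LIMIT
```
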
Set up DKIM
DKIM is the critical Blackbaud step. Blackbaud's DKIM article covers adding a DKIM signature to outgoing mail, and the practical job is to publish the DNS records exactly as Blackbaud shows them.

Blackbaud DKIM setup screen showing CNAME records to publish.
- Enable signing: Turn on DKIM or sender authentication for the Blackbaud email product that sends the messages.
- Copy selector: Copy the selector host exactly. It should sit under _domainkey for the sending domain.
- Publish CNAME: Add the CNAME or TXT records at your DNS host using the record type Blackbaud gives you.
- Verify status: Return to Blackbaud and verify the domain after DNS has propagated.
- Inspect header: Send a test email and confirm the DKIM d= value matches the From domain or a valid parent/child domain.
DKIM DNS shape
type: CNAME
host: selector._domainkey.example.org
value: copy the target shown in Blackbaud
Good DKIM result
- Signature pass: The received message has a passing DKIM signature.
- Domain match: The DKIM signing domain matches the visible From domain well enough for DMARC.
- No mutation: Footers, link wrapping, and downstream routing do not break the signature.
Set up DMARC
If your domain has no DMARC record, publish a monitoring record first. Blackbaud's DMARC guide explains DMARC compliant mail, and the DMARC generator can create a clean starting record.
- Check existing: Look for a TXT record at _dmarc on the Blackbaud From domain.
- Keep enforcement: If the domain already uses quarantine or reject, keep that policy and fix Blackbaud DKIM inside the current policy.
- Start monitoring: If no DMARC record exists, start with the p=none record below and replace the rua mailbox with your reporting address.
- Confirm Blackbaud: Use reports to confirm Blackbaud volume, DKIM pass rate, source IPs, and any failed messages.
Starting DMARC TXT value
v=DMARC1; p=none; rua=mailto:dmarc@example.com
Do not weaken an enforced domain
If the domain already uses p=quarantine or p=reject, do not change it back to p=none just to add Blackbaud. Fix DKIM first, then watch the reports.
Verify and troubleshoot
Verification needs one real Blackbaud email. A DNS lookup alone can prove the records exist, but it cannot prove Blackbaud is signing the exact message stream you care about.

Blackbaud test email screen with authentication status.
- Send live: Send a Blackbaud test email from the final From address, not a draft sent by another platform.
- Read auth: Check Authentication-Results for DKIM pass, DMARC pass, and the signing domain.
- Ignore SPF-only fail: If SPF does not match the From domain but DKIM passes for that domain, Blackbaud can still pass DMARC.
- Fix DNS typos: If DKIM fails, check for copied quotes, doubled domains, missing trailing targets, and wrong record type.
- Retest after TTL: Wait for DNS propagation before retesting. Old cached DNS answers can hide a correct fix.
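The "read auth" and "ignore SPF-only fail" checks above, as an added example that is not part of the original page or any Blackbaud tooling: it reads the Authentication-Results header of a received test message and recomputes which mechanism actually matches the From domain. The message, the `mx.receiver.example` server name and the `related()` helper are constructed for illustration; `related()` uses the parent/child rule from the DKIM section, which is a simplification of relaxed alignment.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not real Blackbaud output): SPF passes for the
# platform's envelope domain, DKIM passes with d= equal to the From domain.
RAW = '''Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=bounces.platform.example;
 dkim=pass header.d=gifts.example.org header.s=sel1;
 dmarc=pass header.from=gifts.example.org
From: "Example Giving" <thanks@gifts.example.org>
Subject: Thank you

Test body
'''

def related(a, b):
    """Same domain or parent/child. Simplification: real relaxed alignment
    compares organizational domains derived from the Public Suffix List."""
    a, b = a.lower().rstrip("."), b.lower().rstrip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def evaluate(raw, trusted_authserv):
    """Recompute DMARC alignment from the receiver's Authentication-Results."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    out = {"from": from_domain, "spf_aligned": False, "dkim_aligned": False}
    for header in msg.get_all("Authentication-Results", []):
        header = re.sub(r"\([^)]*\)", "", header)           # drop comments
        parts = header.split(";")
        # Only trust results stamped by your own receiving server.
        if parts[0].strip().lower() != trusted_authserv:
            continue
        for clause in parts[1:]:
            pairs = re.findall(r"([\w.-]+)=(\S+)", clause)
            if not pairs:
                continue
            (method, result), props = pairs[0], dict(pairs[1:])
            if result.lower() != "pass":
                continue
            if method == "spf":
                env = props.get("smtp.mailfrom", "").rpartition("@")[2]
                out["spf_aligned"] |= bool(env) and related(env, from_domain)
            elif method == "dkim":
                d = props.get("header.d", "")
                out["dkim_aligned"] |= bool(d) and related(d, from_domain)
    out["dmarc_pass"] = out["spf_aligned"] or out["dkim_aligned"]
    return out
```
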
Common Blackbaud failures
- Wrong domain: The domain added in Blackbaud does not match the visible From domain.
- Wrong selector: The DKIM host was edited during copy and no longer matches the Blackbaud selector.
- SPF assumption: The team expects SPF to pass DMARC even though the return path is not under the From domain.
- Policy jump: The domain moves to reject before Blackbaud DKIM is confirmed across normal mail volume.
Get alerted when it breaks
Blackbaud authentication can break when a sender changes the From domain, a DNS record is removed, a selector rotates, or a product setting changes. Suped's product turns DMARC monitoring into source-level alerts, so the failure is visible before it becomes a deliverability incident.
- Watch DKIM: Alert when Blackbaud DKIM pass rates drop or a new unsigned stream appears.
- Watch sources: Separate verified Blackbaud traffic from unknown senders using IPs, hostnames, and report patterns.
- Watch reputation: Track domain and IP blocklist (blacklist) status beside DMARC, SPF, and DKIM signals.
- Give steps: Use automated issue detection and clear fix steps instead of reading raw XML reports.
Manual report review
- Slow triage: XML reports must be parsed before anyone sees the failing Blackbaud source.
- Weak routing: DNS, fundraising, and IT teams lack a shared queue for fixes.
Suped alerts
- Fast signal: Real-time alerts flag new failures and source changes.
- Clear ownership: Multi-tenant dashboards help MSPs and internal teams manage many domains.
Blackbaud alert bands
Use these thresholds to decide when a Blackbaud source needs review.
Healthy
98-100%
DKIM passes and DMARC passes for normal Blackbaud traffic.
Review
95-98%
Small failure changes need source checks before policy enforcement.
Fix now
Under 95%
DKIM failures can break DMARC for Blackbaud.
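An added example, not Suped's or Blackbaud's code, showing how the alert bands above can be computed from a DMARC aggregate report: it groups rows by source IP, takes the DMARC-evaluated DKIM result, and assigns each source a band. The report content, the IP addresses and the choice to count exactly 98% as Healthy are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def rec(ip, count, dkim, spf):
    """Build one constructed <record> in the RFC 7489 aggregate-report layout."""
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row><identifiers>"
            f"<header_from>gifts.example.org</header_from></identifiers></record>")

# Constructed sample report; the IPs are documentation addresses, not Blackbaud's.
SAMPLE = "<feedback>" + "".join([
    rec("192.0.2.10", 970, "pass", "fail"),    # DKIM carries DMARC, SPF unaligned
    rec("192.0.2.10", 30, "fail", "fail"),     # same source, broken signatures
    rec("198.51.100.7", 500, "pass", "pass"),
    rec("203.0.113.5", 10, "fail", "fail"),    # unknown or misconfigured sender
]) + "</feedback>"

def band(rate):
    """Map a pass rate to the page's bands; exactly 98% counts as Healthy (assumption)."""
    if rate >= 98:
        return "Healthy"
    return "Review" if rate >= 95 else "Fix now"

def source_bands(xml_text):
    """Return {source_ip: (messages, aligned-DKIM pass %, band)}."""
    # For reports received from outside, use a hardened XML parser and size limits.
    totals, passed = defaultdict(int), defaultdict(int)
    for row in ET.fromstring(xml_text).iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        totals[ip] += count
        # policy_evaluated/dkim is the DMARC (aligned) DKIM verdict, not raw DKIM.
        if row.findtext("policy_evaluated/dkim") == "pass":
            passed[ip] += count
    return {ip: (n, round(100 * passed[ip] / n, 1), band(100 * passed[ip] / n))
            for ip, n in totals.items() if n}
```
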
Secure your domain with p=reject
Move to p=reject only after Blackbaud DKIM passes, every other legitimate sender is known, and DMARC reports show no unexplained production traffic. Suped's Hosted DMARC helps teams stage policy changes without repeated manual DNS edits.
- Baseline volume: Collect enough DMARC reports to see normal Blackbaud, finance, receipt, event, and education mail volume.
- Fix Blackbaud: Do not move policy until Blackbaud DKIM passes for the final From domain.
- Stage quarantine: Use a limited quarantine percentage first if your risk tolerance requires a gradual rollout.
- Review failures: Investigate any source that sends real mail and fails both DKIM and SPF for DMARC.
- Reject cleanly: Move to reject after reports show only unauthorized traffic would be blocked.
Policy staging examples
v=DMARC1; p=none; rua=mailto:dmarc@example.com
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com
v=DMARC1; p=reject; rua=mailto:dmarc@example.com
Figure: Policy rollout path. A simple path for moving a Blackbaud sending domain toward enforcement (axis: DMARC pass rate).
Why Suped fits this rollout
- Policy staging: Hosted DMARC lets teams adjust policy without waiting on every DNS change.
- Source clarity: DMARC, SPF, DKIM, blocklist monitoring, and deliverability signals sit in one place.
- Fix guidance: Automated issue detection gives practical steps for each source that fails.
- Scale: The MSP and multi-tenancy dashboard works for agencies and teams with many domains.

