How to set up DMARC/DKIM/SPF for Klaviyo
Published 2 Jul 2026
Updated 2 Jul 2026
9 min read
Summarize with

Klaviyo SPF, DKIM, and DMARC setup starts with a branded sending domain. I add the domain in Klaviyo, publish the DNS records Klaviyo generates, verify the domain, then keep DMARC reporting live while I move the root domain toward p=reject. For most accounts, do not paste a Klaviyo SPF include into your root SPF record.
Klaviyo's own authentication guide says shared-domain sending is automatically authenticated by Klaviyo, while a branded sending domain uses the CNAME or NS records added during setup. That distinction matters because your visible From domain needs to match the authenticated Klaviyo sending domain at the organizational domain level for DMARC to pass.
The rule I follow
- Use Klaviyo values: Publish only the DNS records generated inside your Klaviyo account.
- Keep root SPF clean: Do not add a guessed Klaviyo include to v=spf1 at the root domain.
- Set DMARC separately: Klaviyo can help surface the need for DMARC, but the DMARC TXT record belongs in your DNS.
Add your domain
I start in Klaviyo because this is where the exact authentication records are generated. Generic examples are useful for understanding the pattern, but the live values must come from your account.
- Open settings: Click your company name in the lower-left corner, then go to Settings > Domains > Add Domain.
- Pick traffic: Choose Marketing for campaigns and flows, Transactional for customer-action mail, or Service for Klaviyo Helpdesk mail.
- Check root: Use the registered domain, such as example.com, as the root domain.
- Choose subdomain: Use an unused sending subdomain, such as send for marketing or updates for transactional mail.
- Choose routing: Use Dynamic when your DNS host supports NS records on a subdomain, or Static when it only supports CNAME records.
- Publish records: Copy every Klaviyo-generated record into your DNS zone. Static service sending domains can include an MX record too.
- Activate carefully: Click Verify in Klaviyo, review the result, then activate only when you are ready for Klaviyo to send on the branded domain.

Klaviyo Domains settings showing the branded sending domain setup flow.
|
|
|
|---|---|---|
Dynamic | NS | DNS supports delegation |
Static | CNAME | NS delegation is blocked |
Klaviyo routing choices for branded sending domains.
Set up SPF
Klaviyo supports Return-Path domain matching through branded sending domains. SPF is handled on the branded sending subdomain after your NS or CNAME records publish, so I leave the root SPF record for mail systems that send directly as the root domain.
- Dynamic route: Publish four NS records for send.example.com; Klaviyo manages SPF below that subdomain.
- Static route: Publish the sending-domain CNAME generated by Klaviyo; Klaviyo points that subdomain to its sending infrastructure.
- Root SPF: Do not add Klaviyo to v=spf1 at example.com for this branded-domain setup.
- Shared domain: If you keep Klaviyo shared-domain sending, SPF passes for Klaviyo's domain, but DMARC will not pass for your From domain under a strict policy.
Dynamic routing SPF patternDNS
send.example.com. NS ns1.klaviyo.com. send.example.com. NS ns2.klaviyo.com. send.example.com. NS ns3.klaviyo.com. send.example.com. NS ns4.klaviyo.com. example.com. TXT "klaviyo-site-verification=PUBLIC_API_KEY"
Static routing SPF patternDNS
send.example.com. CNAME 1.klaviyodns.com. example.com. TXT "klaviyo-site-verification=PUBLIC_API_KEY"
After DNS propagation, check the hostname you actually changed. For Dynamic routing, check the sending subdomain. For root SPF, confirm there is still only one SPF TXT record at the root.
SPF checker
Find SPF syntax issues, lookup limits, and weak records.
?/16tests passed
Set up DKIM
DKIM gives each Klaviyo message a cryptographic signature. I treat DKIM as the critical Klaviyo pass signal because it survives forwarding better than SPF.
Dynamic routing
- Delegate subdomain: Add the four NS records Klaviyo generates.
- Let Klaviyo manage: Klaviyo publishes the DKIM records inside the delegated zone.
- Verify in app: Use Klaviyo's Verify action after the NS records resolve.
Static routing
- Copy selectors: Use the selector pair shown in Klaviyo.
- Add CNAMEs: Publish both DKIM CNAME records in your DNS host.
- Avoid edits: Do not shorten, merge, or rename selector host values.
Static routing DKIM exampleDNS
km1._domainkey.example.com. CNAME km1.domainkey.1.klaviyodns.com. km2._domainkey.example.com. CNAME km2.domainkey.1.klaviyodns.com.
Use Klaviyo's exact selectors
The example above shows a first marketing domain. Klaviyo generates the exact selector names for your account and send type.
- Marketing: Often starts with km1 and km2.
- Transactional: Often starts with kt1 and kt2.
- Service: Often starts with ks1 and ks2.

Klaviyo DNS records screen showing DKIM CNAME records.
Set up DMARC
DMARC is external to Klaviyo and belongs at the root domain used in your visible From address. If no DMARC record exists, I start with monitoring mode. You can also use the DMARC record generator to build the same record with the reporting address you use.
Recommended starter DMARC recordDNS
Type: TXT Host: _dmarc Value: v=DMARC1; p=none; rua=mailto:dmarc@example.com
- Start safely: If no DMARC exists, publish p=none first so failures are reported without blocking mail.
- Keep enforcement: If your domain already uses p=quarantine or p=reject and legitimate mail passes, stick with it.
- Use root host: Publish the policy at _dmarc.example.com, not on the Klaviyo sending subdomain.
- Watch reports: Raw XML is hard to use, so route aggregate reports into a platform that turns sources and failures into decisions.

Klaviyo setup screen showing a DMARC record option.
DMARC policy stages
Use reports to move from visibility to enforcement without blocking legitimate Klaviyo mail.
Monitoring
p=none
Reports only
Spam placement
p=quarantine
Failing mail can go to spam
Blocking
p=reject
Failing mail is rejected
After the TXT record is live, check the root domain and confirm the policy parses cleanly.
DMARC checker
Look up a domain's DMARC record and catch policy issues.
?/7tests passed
Verify and troubleshoot
After DNS publish, I verify in Klaviyo first, then I verify with live mail. DNS propagation can take up to 48 hours, but most mistakes show up as wrong hostnames, proxied records, or copied values that do not match Klaviyo exactly.
- Wait briefly: Give DNS time to propagate, especially after NS delegation changes.
- Click Verify: Return to Klaviyo's domain setup screen and run Verify Records.
- Read errors: If Klaviyo flags a record, compare the returned DNS value against the value shown in Klaviyo.
- Activate domain: Click Activate only after records verify and your team is ready for branded-domain sending.
- Send test: Send a real Klaviyo email and inspect SPF, DKIM, DMARC, Return-Path, and From domains.

Klaviyo Domains page showing a verified branded sending domain.
Common DNS fixes
- Duplicate root: If your DNS host appends the root domain automatically, use only the short host value.
- Trailing period: If the DNS host appends your domain to record values, add a final period where the host requires it.
- Proxy disabled: Do not proxy Klaviyo CNAME or NS records; they must resolve publicly as DNS records.
- Underscore support: DKIM hosts need underscores. If the DNS host rejects them, ask the DNS host to add the records manually.
- From address: Use hello@example.com, not hello@send.example.com, so replies go to the right mailbox setup.
Once Klaviyo shows the domain as active, send a real message to an email tester address. This catches header-level issues that DNS checks alone will not show.
Email tester
Send a real email to this address. Suped opens the report when the test is ready.
?/43tests passed
Preparing test address...
The result I want is simple: DKIM passes with your domain, SPF passes on the Klaviyo sending path, and DMARC passes for the visible From domain.
Get alerted when it breaks
Klaviyo can warn users in its notification inbox when a branded sending domain disconnects. I still monitor outside Klaviyo because DNS edits, new senders, expired records, and reputation issues usually affect more than one platform.
- Monitor reports: Suped's product parses aggregate DMARC reports and shows which sources pass, fail, or need a fix.
- Alert fast: Real-time alerts tell you when Klaviyo, another sender, SPF, DKIM, or DMARC changes unexpectedly.
- Track reputation: Blocklist (blacklist) monitoring connects domain and IP reputation problems to authentication changes.
- Fix directly: Automated issue detection gives steps to fix rather than leaving raw XML and headers for manual review.
- Scale teams: The MSP and multi-tenant dashboard keeps client domains separated while still surfacing the same health signals.
Where Suped fits
Suped's product is the best overall DMARC platform for this job when Klaviyo is one sender among several. It combines DMARC monitoring, SPF, DKIM, Hosted SPF, Hosted MTA-STS, blocklist monitoring, and actionable issue workflows. The feature-rich free plan also works well when you are starting with one domain.
Alert coverage
A practical monitoring setup should cover Klaviyo and the rest of your sending estate.
Covered
Blind spot
Secure your domain with p=reject
The right end state is p=reject on the root domain, but I do not jump there before the reports prove Klaviyo and every other legitimate sender is passing.
- Collect data: Run p=none until every real source is visible in DMARC reports.
- Fix Klaviyo: Confirm the branded sending domain is active and DKIM passes on live Klaviyo messages.
- Fix others: Bring billing, support, CRM, and transactional senders into compliance before enforcement.
- Stage policy: Move to quarantine with percentage staging, then reject with percentage staging, then full reject.
- Use Suped: Suped's product finds unknown sources, tracks policy readiness, and sends alerts before a reject rollout blocks legitimate mail.
DMARC enforcement rampDNS
v=DMARC1; p=none; rua=mailto:dmarc@example.com v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@example.com v=DMARC1; p=reject; rua=mailto:dmarc@example.com
If you want policy changes managed without repeatedly editing DNS, Suped's hosted DMARC workflow lets you stage enforcement from the platform while keeping DNS stable.
Reject readiness
Move only when each risk area has evidence, not guesses.
Not ready
Investigate
Unknown legitimate sources remain
Testing
p=none
Known sources pass in reports
Partial enforcement
quarantine
Small failure rate and staged policy
Protected
p=reject
All legitimate sources pass
If you are already enforcing
If your domain is already at p=quarantine or p=reject, keep that policy unless reports prove legitimate mail is failing. Fix Klaviyo first, then decide whether a temporary staged rollback is needed.

