dkim

How to Set Up SPF, DKIM, and DMARC for Mailchimp (2026 Step-by-Step)

Mailchimp authentication in 2026 is simpler than most guides claim: two CNAME records for DKIM and one TXT record for DMARC, with no SPF include to edit. This guide shows the exact records to paste, how to verify them with a free checker, and how to read your first DMARC report so campaigns align and stop landing in spam.

Jul 3, 20267 min read

Mailchimp email authentication in 2026 comes down to three DNS records, and the setup is smaller than most guides make it look. You add two CNAME records for DKIM, one TXT record for DMARC, and you do not touch your SPF record at all. That last point trips up almost everyone, so this guide walks the exact records to paste, how to confirm they work, and how to read your DMARC report to prove your campaigns are aligned before you tighten policy.

Reads public DNS only. Nothing is stored unless you save the domain to an account.

Get these three records right and Mailchimp campaigns authenticate cleanly at Gmail, Yahoo, and Microsoft, which is now a hard requirement for bulk senders rather than a nice-to-have.

Why Mailchimp authentication is different from other senders

Most sender guides tell you to add an SPF include for the provider. Mailchimp is the exception, and understanding why saves you an hour of confusion.

When Mailchimp sends your campaign, the envelope sender (the Return-Path, also called MAIL FROM) is on Mailchimp's own domain, something like mailchimpapp.net. SPF only ever checks the Return-Path domain, never the From address your subscribers see. So even if you added include:servers.mcsv.net to your own SPF record, that record would never be evaluated for Mailchimp mail. The SPF check runs against Mailchimp's domain, which Mailchimp already publishes correctly.

That means SPF alignment is impossible for standard Mailchimp sends, because your From domain and the Return-Path domain do not match. DMARC passes on either SPF alignment or DKIM alignment, so Mailchimp leans entirely on DKIM. The two CNAME records you add delegate DKIM signing to Mailchimp under your own domain, which produces a signature with d=yourdomain.com. That is what makes DMARC pass. If you want the deeper mechanics, see SPF vs DKIM: what is the difference.

The practical takeaway: do not waste time editing SPF for Mailchimp. Get DKIM right instead.

The exact records to add

You will collect these values inside Mailchimp, then paste them at your DNS host (Cloudflare, GoDaddy, Namecheap, Route 53, or wherever your domain lives). In Mailchimp, go to your profile, then Website and Domains, or Audience settings, and start the domain verification and authentication flow for your sending domain.

Step 1: Verify the domain

Mailchimp first sends a verification code to an address at your domain, for example you@yourdomain.com. Enter the code to prove you own the domain. This unlocks the authentication step where the CNAME records appear. This is what people mean by Mailchimp domain verification, and it is a separate step from DNS authentication.

Step 2: DKIM with two CNAME records

Mailchimp shows two CNAME records to add. They look like this:

k2._domainkey.yourdomain.com CNAME dkim2.mcsv.net

k3._domainkey.yourdomain.com CNAME dkim3.mcsv.net

A few things matter here. The host on the left uses the _domainkey selector prefix, which is standard DKIM. The target on the right is a Mailchimp hostname, and because it is a CNAME, Mailchimp controls the actual public key behind it. That is the point of the Mailchimp DKIM CNAME approach: Mailchimp can rotate keys without you touching DNS again.

Copy the exact host and target strings from your Mailchimp console rather than trusting any hardcoded example, including this one, because selector names can differ between accounts. If your DNS host auto-appends your domain, enter only k2._domainkey and k3._domainkey as the host to avoid a doubled domain like k2._domainkey.yourdomain.com.yourdomain.com. Set proxy or CDN status to DNS only if your host has one; a proxied CNAME will break the lookup.

Step 3: DMARC with one TXT record

If you do not already have a DMARC record, add one now. Start in monitoring mode so you can watch reports without affecting delivery:

_dmarc.yourdomain.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; fo=1"

The p=none policy tells receivers to enforce nothing yet and just report. The rua tag is the mailbox that receives daily aggregate reports, which is how you will confirm alignment. The fo=1 tag asks for failure detail when any authentication method fails. If you already have a DMARC record, do not add a second one. A domain must have exactly one DMARC record. New to the policy tags, read DMARC policy: none vs quarantine vs reject.

Verify your setup with the free checker

DNS changes can take anywhere from a few minutes to a few hours to propagate depending on your host and TTL. Once Mailchimp shows the domain as authenticated, confirm it independently rather than trusting a single dashboard.

Run your domain through the

Reads public DNS only. Nothing is stored unless you save the domain to an account.

above. A clean Mailchimp setup should show:

  • DKIM present and valid, with the k2 and k3 selectors resolving to Mailchimp keys
  • DMARC present with a policy and a valid rua address
  • SPF present for your own domain (for any mail you send directly), with no Mailchimp include cluttering it

If DKIM does not resolve, the usual cause is a doubled hostname or a proxied CNAME. If DMARC shows two records or a syntax error, fix that before moving on, because receivers ignore a domain with multiple DMARC records entirely. For a walkthrough of alignment specifically, see how to fix DKIM alignment.

Read the DMARC report to confirm alignment

This is the step that separates a setup that looks done from one that actually works. A DKIM record existing in DNS does not prove your live campaigns are signing and aligning. The DMARC aggregate report does.

Within a day or two of adding the DMARC record, you will start receiving XML aggregate reports at your rua address from Gmail, Yahoo, Microsoft, and others. Send yourself a test campaign from Mailchimp first so there is real traffic to report on. In the report, find the rows where the sending source is Mailchimp and check three things:

  • The header From domain is your domain
  • dkim shows pass and the DKIM domain (d=) matches your domain, which is alignment
  • disposition is none, meaning nothing was blocked

If DKIM passes and aligns on the Mailchimp rows, your campaigns are authenticated and you can plan to tighten the policy. Expect SPF on those same rows to show a Mailchimp domain, not yours; that is normal and not a problem, because DKIM alignment is carrying DMARC. Raw XML is hard to read by eye, so parse it or use a reader, and see how to read a DMARC aggregate report for the field-by-field breakdown.

Once Mailchimp and every other legitimate source align for a week or two, move from p=none to p=quarantine and eventually p=reject. That progression is what actually stops spoofing and lifts you out of spam folders, not the none policy on its own.

Common Mailchimp authentication mistakes

  • Adding an SPF include for Mailchimp. It does nothing for standard sends and can push you toward the SPF ten-lookup limit. If your record is already crowded, read fix SPF too many DNS lookups.
  • Only adding one of the two CNAME records. Both k2 and k3 are required for DKIM to validate reliably.
  • Enabling CDN proxying on the CNAME so the lookup returns a proxy address instead of the Mailchimp key.
  • Setting p=reject on day one before confirming alignment in reports, which can silently drop legitimate mail from other tools you forgot about.
  • Treating Mailchimp's green checkmark as final proof. Verify independently and read at least one real DMARC report.

Meeting these requirements is not optional at scale. Bulk senders now have to authenticate to reach the inbox, as covered in the Google and Yahoo sender requirements.

Frequently asked questions

Do I need to add an SPF record for Mailchimp?

No. Mailchimp uses its own domain as the Return-Path, so your SPF record is never checked for those messages and an include:servers.mcsv.net entry has no effect on DMARC. Keep SPF for mail you send directly from your own servers, and let DKIM alignment handle Mailchimp.

Why does my Mailchimp mail still fail DMARC after adding the CNAMEs?

Check the DMARC report for the Mailchimp rows. The most common causes are that only one of the two CNAME records was added, a hostname was doubled by the DNS host, or the CNAME is proxied through a CDN. Fix the DKIM record and alignment follows.

How long until the records take effect?

DNS propagation ranges from a few minutes to a few hours based on your host and the record TTL. Mailchimp usually detects authentication within an hour. Confirm independently with the checker rather than waiting on the dashboard alone.

Can I set p=reject right away?

You can, but do not until reports confirm every legitimate source aligns, including Mailchimp and any other sending tools. Start at p=none, watch aggregate reports for a week or two, then step up through quarantine to reject. See how to move DMARC from none to reject.

Check your own domain

Run a free scan and get your grade with the exact records to fix.

Scan a domain

Related guides

Mailchimp SPF, DKIM & DMARC Setup (2026 Guide)