Klaviyo SPF, DKIM & DMARC Setup Guide

Overview

Klaviyo is the dominant email marketing platform for e-commerce, particularly Shopify stores. Its SPF record uses include:klaviyomail.com, costing 1 DNS lookup. Klaviyo's domain authentication requires publishing 3 CNAME records (for DKIM and custom return-path) plus 1 TXT record for domain ownership verification.

DKIM via CNAME Delegation

DKIM is fully managed through CNAME delegation — Klaviyo handles key generation, signing, and rotation behind the CNAME. You do not choose a selector name or manage keys directly. This delegation model means Klaviyo controls the DKIM infrastructure while you retain ownership of your DNS records. Once the CNAME records are published, DKIM key management is entirely hands-off.

DMARC Alignment Requirements

Without completing domain verification, Klaviyo sends using shared infrastructure with Klaviyo-owned domains in the DKIM signature and return-path. This causes DMARC alignment failures on both SPF and DKIM. For any domain with a DMARC policy at quarantine or reject, unauthenticated Klaviyo messages will be filtered or blocked by receiving mail servers.

Additional Setup Notes

E-Commerce SPF Lookup Budget

E-commerce stacks typically combine Klaviyo (marketing) with a transactional sender (SendGrid, Postmark) and primary email (Google Workspace). That's 3 SPF includes before adding payment processors, helpdesks, or review platforms that also send email. Shopify stores in particular often accumulate SPF includes from Shopify itself, Klaviyo, a transactional provider, and their business email — 4+ lookups from the core stack alone. These stacks hit the 10-lookup limit fast.

Bulk Sender Requirements

Gmail, Yahoo, and Microsoft bulk sender requirements make DMARC mandatory for Klaviyo's high-volume sending patterns. Completing domain authentication is no longer optional for reliable delivery. Google's bulk sender threshold (5,000+ messages per day to Gmail) applies to many Klaviyo users — a single promotional campaign to a modest list can exceed this threshold. Without DMARC compliance, messages may be rate-limited, deferred, or rejected outright.

Underscore Compatibility in CNAME Records

Some DNS providers reject CNAME records containing underscores (_domainkey) — if verification stalls, check whether your provider strips or blocks the underscore prefix. This is a known issue with certain legacy DNS control panels. Managed SPF can flatten nested includes into direct IP references, freeing up lookup budget for additional providers.

Troubleshooting

Domain Verification Stuck in Pending

If Klaviyo reports domain verification as "Pending" after publishing the DNS records:

1. Check all four records — Klaviyo requires 3 CNAME records and 1 TXT record. Missing any one of the four will prevent verification from completing. Double-check the dashboard to see exactly which records Klaviyo expects.
2. Check CNAME hostnames — The CNAME records include _domainkey in the hostname, which uses an underscore. Some DNS providers auto-append the domain suffix, creating records at the wrong location. Query each record externally to confirm it resolves to the target Klaviyo provides.
3. Check for underscore rejection — If your DNS provider silently drops the underscore, the CNAME record will appear to be created but will not resolve. Try querying the record from outside your network. If it returns nothing, contact your DNS provider about underscore support in CNAME hostnames.
4. Wait for propagation — CNAME records can take up to 48 hours to propagate. Klaviyo checks on demand, not continuously — click "Verify" again after confirming the records are visible externally.

DMARC Alignment Failures on Klaviyo Messages

If DMARC aggregate reports show alignment failures from Klaviyo's sending IPs, domain authentication is not complete. Both SPF alignment (via the custom return-path CNAME) and DKIM alignment (via the DKIM CNAME) require all records to be published and verified in Klaviyo's dashboard. Check Settings > Domains and confirm your domain shows a verified status. If any record shows an error, re-publish it and re-verify.

Emails Going to Spam Before Domain Verification

If you start sending Klaviyo campaigns before domain authentication is complete, messages will use Klaviyo's shared infrastructure domains. These messages fail DMARC alignment and are more likely to be filtered as spam — especially at Gmail, Yahoo, and Microsoft, which enforce bulk sender requirements. Complete domain verification before sending any production campaigns. There is no shortcut here.

SPF PermError in E-Commerce Stacks

E-commerce DNS records are particularly prone to exceeding the 10-lookup SPF limit. A typical Shopify store might have: Google Workspace (_spf.google.com — 3 nested lookups), Klaviyo (klaviyomail.com), SendGrid (sendgrid.net), Shopify (shops.shopify.com), and a helpdesk. Run an SPF check against your domain — if the total exceeds 10, the entire SPF evaluation fails with PermError. Managed SPF can flatten these into direct IP references.

Edge Cases and Gotchas

Shopify and Klaviyo SPF Overlap

Shopify stores using Klaviyo often have both include:shops.shopify.com and include:klaviyomail.com in their SPF record. These are separate services with separate infrastructure — there is no overlap or deduplication. Both includes are required if both services send email on behalf of your domain.

Custom Return-Path (Bounce Domain)

One of Klaviyo's three CNAME records configures a custom return-path, enabling SPF alignment in addition to DKIM alignment. This is handled automatically as part of the domain authentication process — you do not need to configure a separate bounce domain like some other providers require. If the return-path CNAME is missing, DKIM alignment alone must carry DMARC compliance.

Subdomain Sending

Klaviyo supports sending from subdomains (e.g., mail.yourdomain.com), and many e-commerce brands use this to isolate marketing email reputation from transactional and corporate email. Each subdomain requires its own domain authentication in Klaviyo with separate CNAME and TXT records. The parent domain's authentication does not extend to subdomains.

Klaviyo SMS and Email Authentication

Klaviyo also offers SMS marketing, but SMS has no relationship to email authentication (SPF, DKIM, DMARC). Enabling or configuring SMS in Klaviyo does not affect your email DNS records in any way.

Shared vs. Dedicated Sending Infrastructure

Most Klaviyo accounts use shared sending IPs. Deliverability on shared IPs depends partly on the aggregate reputation of all senders on the pool. Klaviyo offers dedicated sending domains and IPs for higher-tier accounts. If you're on dedicated infrastructure, your domain authentication setup is the same — the CNAME records and SPF include do not change. The benefit is reputation isolation, not a different DNS configuration.

Multiple Brands on One Klaviyo Account

Klaviyo supports multiple sending domains within a single account — useful for e-commerce brands with multiple storefronts. Each sending domain requires its own set of CNAME records and TXT verification record. A single Klaviyo account can authenticate multiple domains, each independently verified.

Migration Notes

Migrating to Klaviyo

Add include:klaviyomail.com to your SPF record and publish all four DNS records (3 CNAME + 1 TXT) before sending production campaigns. Complete domain authentication in Settings > Domains and send test messages to confirm both SPF and DKIM alignment pass in DMARC evaluation. Keep the old marketing platform's DNS records in place until you've migrated all campaign workflows and confirmed zero volume from the old infrastructure in DMARC aggregate reports.

Migrating Away from Klaviyo

Remove include:klaviyomail.com from your SPF record and delete the 3 CNAME records and the TXT verification record. Monitor DMARC reports for one full reporting cycle (typically 24 hours) to confirm no email is still routing through Klaviyo before completing DNS cleanup. Be aware that Klaviyo may have scheduled or automated flows (abandoned cart, post-purchase, etc.) that continue sending after you think you've stopped — check Klaviyo's flow status before removing DNS records.

Migrating Between E-Commerce Marketing Platforms

If switching from another marketing platform (e.g., Mailchimp, Omnisend, or Drip) to Klaviyo, add Klaviyo's DNS records alongside the existing provider's records. Both sets of records can coexist during the transition period, though the extra SPF includes temporarily increase your lookup count. Plan the transition to minimize the overlap period if you're near the 10-lookup limit. Complete Klaviyo domain authentication and verify DMARC alignment before decommissioning the old platform.