Mailchimp SPF, DKIM & DMARC Setup Guide

Overview

Mailchimp (now part of Intuit, often referenced as Intuit Mailchimp in billing and official documentation) is the most widely used email marketing platform for small and mid-sized businesses. Its SPF record uses include:servers.mcsv.net, costing 1 DNS lookup. Most Mailchimp users also run a primary email platform (Google Workspace, Microsoft 365) and may have additional transactional senders, making lookup budget management important.

DKIM in Mailchimp uses a single selector (k1) with a 1024-bit RSA key. Mailchimp's domain authentication requires publishing a CNAME record at k1._domainkey.yourdomain.com. Until domain authentication is complete, Mailchimp signs messages with its own domain, which causes DMARC alignment failures if you have a DMARC policy in place.

DMARC alignment with Mailchimp requires completing the domain verification and authentication process. This is critical for organizations with DMARC policies set to quarantine or reject — unauthenticated Mailchimp messages will be treated as suspicious by receiving mail servers.

Additional Setup Notes

DKIM CNAME Delegation

Mailchimp's domain authentication creates a CNAME that delegates DKIM signing to Mailchimp's infrastructure. The record points k1._domainkey.yourdomain.com to dkim.mcsv.net. This delegation allows Mailchimp to manage key rotation while you maintain control of your DNS.

The CNAME approach means you don't need to update DNS when Mailchimp rotates keys — the delegation handles it transparently. However, it also means you can't inspect or control the actual signing key. For most organizations this is the right trade-off; if your compliance requirements mandate key control, Mailchimp may not be the right choice for that sending domain.

1024-Bit Key Limitation

Unlike some providers that use 2048-bit keys, Mailchimp currently uses 1024-bit RSA keys for DKIM. While this is still widely accepted, some security-conscious receiving servers prefer 2048-bit keys. This is an Intuit Mailchimp platform limitation — you cannot upgrade the key size.

In practice, 1024-bit keys pass DKIM verification everywhere. The security difference matters for organizations handling sensitive communications, but for marketing email, 1024-bit provides adequate authentication. If you need 2048-bit DKIM for compliance reasons, consider routing through a different provider for that specific use case.

Bulk Sender Requirements (Google and Yahoo)

If you're sending to Google or Yahoo recipients at volume (5,000+ messages/day), you must complete domain authentication. Both providers now require valid DKIM signatures and SPF alignment for bulk senders. An unauthenticated Mailchimp setup will see significant delivery failures to these inboxes.

The requirements include: a valid SPF record that covers your sending, DKIM signatures from your domain (not Mailchimp's), a published DMARC record (at minimum p=none), easy one-click unsubscribe headers, and spam complaint rates below 0.3%. Mailchimp handles the unsubscribe headers automatically, but SPF, DKIM, and DMARC are your responsibility to configure in DNS.

Mailchimp vs. Mandrill (Transactional)

Mailchimp's transactional email add-on, Mandrill, uses a different SPF include (include:spf.mandrillapp.com) and different DKIM selectors. If you use both Mailchimp for marketing and Mandrill for transactional email, you need both SPF includes — 2 lookups for the Mailchimp ecosystem. Each service requires its own domain authentication setup.

Some organizations mistakenly configure only Mailchimp's domain authentication and assume it covers Mandrill. It doesn't. Mandrill has its own domain verification process with its own DNS records. Check both if you're seeing DMARC failures on transactional emails but not marketing sends (or vice versa).

Troubleshooting

DMARC Alignment Failures on Marketing Sends

The most common Mailchimp authentication issue is DMARC alignment failure because domain authentication was never completed. Without it, Mailchimp signs messages with mcsv.net and uses a mcsv.net return-path — both of which fail DMARC alignment against your From domain.

To diagnose:

1. Check the DKIM-Signature header on a Mailchimp message. The d= value should be your domain. If it shows mcsv.net or mailchimp.com, domain authentication is not active.
2. Check the Return-Path header. It should contain your domain, not a Mailchimp-controlled domain.
3. In the Mailchimp dashboard, go to Account > Settings > Domains. Your sending domain should show as "Verified & Authenticated."

Domain Authentication Shows "Pending"

After publishing the DKIM CNAME record, Mailchimp checks for it periodically. If the status stays "Pending" for more than 48 hours:

• Verify the CNAME record name is exactly k1._domainkey.yourdomain.com — no typos, no extra subdomains.
• Verify the CNAME target is dkim.mcsv.net (not dkim2.mcsv.net or any other variant — use exactly what Mailchimp's dashboard provides).
• Ensure DNS proxy mode is off. Cloudflare orange-cloud (proxied) mode on CNAME records will cause verification to fail.
• Check for conflicting records. If another provider already has a k1._domainkey record published, it may block Mailchimp's verification. Remove stale records before publishing Mailchimp's.

Marketing Emails Going to Spam

If domain authentication is complete (SPF, DKIM, and DMARC all pass) but marketing emails still land in spam, the problem is usually reputation or content, not authentication. Common culprits:

• Purchased or stale lists — Sending to recipients who didn't explicitly opt in damages sender reputation. High bounce rates and spam complaints accumulate quickly.
• Sudden volume spikes — Going from 500 sends/month to 50,000 triggers spam filters. Ramp up gradually when growing your list.
• Content signals — Excessive images, deceptive subject lines, URL shorteners, and aggressive sales language all trigger content-based filters. Authentication proves you are who you say you are; it doesn't vouch for what you're saying.
• Shared IP reputation — Mailchimp sends from shared IP pools (dedicated IPs are available on Premium plans). If another sender on your shared IP has poor practices, your deliverability can suffer. This is outside your control on Standard and Essentials plans.

SPF Lookup Budget with Mailchimp

A typical small business SPF record might include Google Workspace (1 lookup), Mailchimp (1 lookup), a helpdesk tool (1 lookup), and a CRM (1 lookup). That's 4 lookups out of 10 before accounting for nested includes. If you're also using Mandrill, that's a 5th lookup.

Each additional SaaS tool that sends email from your domain eats into the budget. If you're approaching the 10-lookup limit, Managed SPF can flatten all your includes — including servers.mcsv.net — into direct IP references, freeing up budget for additional providers.

Multi-Audience and Multi-Brand Sending

Mailchimp supports multiple audiences (formerly "lists") within a single account. All audiences share the same domain authentication — you don't need separate DNS records per audience. However, if you send from different domains for different brands (e.g., company.com for corporate communications and brand.com for product marketing), each domain requires its own domain authentication with its own CNAME record.

The SPF include servers.mcsv.net covers all sending from Mailchimp regardless of audience or domain. You need it once per SPF record, not once per audience.