Mailjet SPF, DKIM & DMARC Setup Guide

Overview

Mailjet (now part of Sinch, alongside Mailgun) is an email delivery platform that handles both transactional and marketing email. Sometimes referred to as Mailjet by Sinch in official communications, the DNS configuration remains unchanged regardless of branding. Its SPF record uses include:spf1.mailjet.com, costing 1 DNS lookup. Mailjet is popular with European organizations due to its EU-based infrastructure and GDPR compliance focus.

DKIM Configuration

DKIM in Mailjet uses the mailjet selector with a TXT record published in your domain's DNS. Domains added after April 2024 default to 2048-bit RSA keys. Older domains may still be using 1024-bit keys and should be regenerated through the Mailjet dashboard to upgrade. Mailjet also offers automatic domain authentication if you log in through one of their supported DNS provider integrations, which can publish the records on your behalf.

DMARC Alignment

DMARC alignment with Mailjet works out of the box once domain authentication is complete. Mailjet uses your domain as both the envelope sender and DKIM signing domain, so both SPF and DKIM alignment pass without additional bounce domain or return-path configuration. This is a simpler model than providers that require a separate custom bounce domain step. Without domain authentication, Mailjet sends from its own domain, causing both SPF and DKIM alignment failures in DMARC evaluation.

Additional Setup Notes

Line Breaks in DKIM TXT Records

The most common DKIM setup issue with Mailjet is line breaks in the TXT record value. Some DNS providers split long TXT values across multiple lines during copy-paste, which breaks DKIM validation. The record must be published as a single continuous string — check your DNS provider's documentation for how to handle long TXT records. If you suspect this is the issue, query the DKIM record with a DNS lookup tool and compare the output byte-for-byte with the value Mailjet gave you.

Upgrading Legacy DKIM Keys

Older Mailjet accounts may be running 1024-bit DKIM keys. You can check and regenerate keys from the SPF/DKIM Authentication section in Account Settings. The regeneration process creates a new TXT record value that you'll need to publish in DNS, replacing the old one. During the transition, there is a brief window where the old key is invalidated and the new key may not have propagated — keep the changeover window short and avoid high-volume sends during propagation.

Sinch Ecosystem: Mailjet + Mailgun

Mailjet and Mailgun are both owned by Sinch, but they maintain separate email infrastructure with different SPF include mechanisms. If you're using both services, you'll need both include:spf1.mailjet.com and include:mailgun.org — 2 lookups for the Sinch ecosystem. Managed SPF can flatten these into direct IP references, freeing up lookup budget for additional providers.

Troubleshooting

DKIM Verification Fails After Publishing Record

If Mailjet reports that DKIM verification failed even though you've published the TXT record:

1. Check for line breaks — Copy the published record value from your DNS provider and compare it with the value from Mailjet's dashboard. Any whitespace, newline, or extra character will break validation.
2. Check the record hostname — The DKIM record must be at mailjet._domainkey.yourdomain.com. Some DNS providers require you to enter only mailjet._domainkey (they auto-append the domain), while others require the full hostname. Entering the wrong format creates a record at the wrong location.
3. Check propagation — Use an external DNS checker to verify the TXT record is visible. Internal DNS caches may show stale data.
4. Check for duplicate records — If you previously had a different DKIM record at the same hostname (from an older Mailjet setup or a different provider using the same selector), the DNS response may return the wrong record. Remove any stale entries.

SPF PermError After Adding Mailjet

If adding include:spf1.mailjet.com pushes your SPF record past the 10-lookup limit, the entire SPF evaluation fails with PermError — meaning no SPF check passes for any provider in the record. This is not a Mailjet-specific issue but is triggered by adding the extra lookup. Run an SPF check to see your total lookup count. If you're at the limit, Managed SPF can flatten the nested includes into direct IP references.

Emails Sent from Mailjet's Domain Instead of Yours

If recipients see messages coming from mailjet.com rather than your domain, domain authentication is not complete. Navigate to Account Settings > Senders & Domains > SPF/DKIM Authentication and verify that your domain shows a green checkmark for both SPF and DKIM. If either is missing, publish the required DNS records and re-verify.

Edge Cases and Gotchas

Automatic DNS Configuration

Mailjet's automatic domain authentication feature works with a limited set of DNS providers (including Cloudflare, GoDaddy, and OVH). If your provider is supported, Mailjet can publish SPF and DKIM records directly — but verify the records it created are correct. Automatic systems occasionally create duplicate records or place records at the wrong hostname. Always confirm with a DNS lookup after automatic setup.

Subdomain Sending

Mailjet supports sending from subdomains, but each subdomain requires its own domain authentication. The parent domain's authentication does not extend to subdomains. You'll need a separate DKIM TXT record at mailjet._domainkey.subdomain.yourdomain.com and the subdomain must be added as a separate sender domain in Mailjet's dashboard.

Multiple Mailjet Accounts

If your organization uses multiple Mailjet accounts (e.g., separate accounts for marketing and transactional), all accounts share the same mailjet DKIM selector. Only one DKIM TXT record can exist at mailjet._domainkey.yourdomain.com, and it must match the active Mailjet account's key. You cannot run two Mailjet accounts on the same domain with separate DKIM keys — consolidate to a single account or use subdomains to separate the streams.

API Key vs. SMTP Relay Authentication

Mailjet supports both API-based sending and SMTP relay. Both methods use the same domain authentication (SPF and DKIM). Switching from API to SMTP or vice versa does not require any DNS changes. The authentication is tied to the domain, not the sending method.

Migration Notes

Migrating to Mailjet

Add include:spf1.mailjet.com to your SPF record and publish the DKIM TXT record at mailjet._domainkey.yourdomain.com before routing traffic to Mailjet. Complete domain authentication in the Mailjet dashboard and send test messages to confirm both SPF and DKIM alignment pass. Keep the old provider's DNS records in place until DMARC aggregate reports confirm zero volume from the old infrastructure.

Migrating Away from Mailjet

Remove include:spf1.mailjet.com from your SPF record and delete the DKIM TXT record at mailjet._domainkey.yourdomain.com. If you were also using Mailjet's domain ownership verification TXT record, remove that as well. Monitor DMARC reports for one full reporting cycle to confirm no residual traffic before completing the cleanup.