Mandrill SPF, DKIM & DMARC Setup Guide

Overview

Mandrill is Mailchimp's transactional email service, now branded as "Mailchimp Transactional." It runs on separate infrastructure from Mailchimp's marketing platform but requires a paid Mailchimp account to access. Its SPF record uses include:spf.mandrillapp.com, costing 1 DNS lookup — separate from Mailchimp's marketing SPF include (servers.mcsv.net).

DKIM Configuration

DKIM in Mandrill uses two CNAME records with selectors mte1 and mte2, pointing to dkim1.mandrillapp.com and dkim2.mandrillapp.com respectively. This CNAME delegation model means Mandrill handles key rotation automatically — when a new key is introduced on one selector, the old key remains active on the other until DNS propagation completes.

Domain Verification Requirements

Mandrill now requires verified sending domains with both DKIM and DMARC configured before it will send email on behalf of your domain. This is a stricter requirement than many transactional providers and catches organizations that try to send before completing DNS setup. Once your domain is verified, DKIM alignment works through the CNAME delegation, and SPF alignment works because Mandrill uses your domain in the return-path.

Mailchimp + Mandrill Dual-Include Cost

Organizations using both Mailchimp (marketing) and Mandrill (transactional) need both SPF includes — include:servers.mcsv.net and include:spf.mandrillapp.com — consuming 2 DNS lookups from the Mailchimp ecosystem alone.

Additional Setup Notes

SPF Lookup Budget with the Mailchimp Ecosystem

The dual-include requirement for Mailchimp + Mandrill is a common pain point for organizations already running tight on SPF lookups. If you're using Google Workspace or Microsoft 365 for business email plus Mailchimp for marketing plus Mandrill for transactional, that's 4 lookups before adding any other services. This is a strong candidate for Managed SPF, which can flatten all of these into direct IP references.

DKIM Key Rotation

Mandrill's CNAME-delegated DKIM is low-maintenance — once the two CNAME records are published, key rotation happens on Mandrill's side without any DNS changes from you. This is an advantage over providers that use direct TXT records for DKIM. Because both mte1 and mte2 selectors are active simultaneously, Mandrill can rotate keys on one selector while the other continues to validate in-flight messages — a zero-downtime rotation model.

Dashboard Navigation

Domain verification in Mandrill is done through the Mailchimp Transactional dashboard (not the main Mailchimp dashboard). The verification process checks for the DKIM CNAME records and a DMARC record on your domain. If either is missing, Mandrill will flag the domain as unverified and block sending. Navigate to Mailchimp Transactional > Sending Domains to check domain status. The main Mailchimp dashboard has a separate domain verification flow for marketing campaigns — do not confuse the two.

Troubleshooting

SPF PermError with Both Mailchimp and Mandrill

A common mistake is including both include:servers.mcsv.net (Mailchimp marketing) and include:spf.mandrillapp.com (Mailchimp Transactional) alongside multiple other providers, pushing the SPF record past the 10-lookup limit. Symptoms include SPF PermError in DMARC aggregate reports and delivery failures to strict receivers. Run an SPF check against your domain to see the total lookup count — if you're at or above 10, either remove unused includes or switch to Managed SPF to flatten the nested lookups.

Unverified Sending Domain Errors

If Mandrill reports your domain as unverified and blocks outbound email, check three things in order:

1. DKIM CNAME records exist — Verify that both mte1._domainkey.yourdomain.com and mte2._domainkey.yourdomain.com resolve to dkim1.mandrillapp.com and dkim2.mandrillapp.com respectively. Some DNS providers auto-append the domain suffix, resulting in a record like mte1._domainkey.yourdomain.com.yourdomain.com — a broken record that looks correct in the control panel.
2. DMARC record is published — Mandrill requires a DMARC record at _dmarc.yourdomain.com. Even a monitoring-only policy (v=DMARC1; p=none; rua=mailto:...) satisfies the requirement.
3. DNS propagation is complete — CNAME and TXT records can take up to 48 hours to propagate, though most providers complete within 1-2 hours. Use a DNS checker to verify the records are visible from outside your network before expecting Mandrill to validate.

DMARC Alignment Failures

If DMARC aggregate reports show alignment failures on messages sent through Mandrill, the most likely cause is that your sending domain is not verified in the Mailchimp Transactional dashboard. Without verification, Mandrill falls back to signing with its own domain, breaking DKIM alignment. SPF alignment also fails if Mandrill uses its default return-path instead of your domain. Verify the domain, confirm both DKIM CNAME records resolve correctly, and re-test.

Edge Cases and Gotchas

Subdomain Sending

Mandrill allows sending from subdomains (e.g., notifications.yourdomain.com), but each subdomain must be verified independently. The parent domain's verification does not cascade to subdomains. You'll need separate DKIM CNAME records for each subdomain, and each subdomain needs its own DMARC record or must rely on the organizational domain's DMARC policy (which it will inherit if no subdomain-level DMARC record exists).

Shared IP vs. Dedicated IP

Mandrill offers both shared and dedicated IP addresses. On shared IPs, your sender reputation is partially influenced by other senders on the same pool. If you notice deliverability issues that correlate with other senders' behavior rather than your own, consider upgrading to a dedicated IP. With a dedicated IP, you can optionally add the IP directly to your SPF record using ip4: notation — but you still need the include:spf.mandrillapp.com unless you are certain Mandrill will only use that specific IP for your traffic.

Mailchimp Transactional vs. Mailchimp Marketing DNS

The Mailchimp ecosystem uses completely separate DNS records for marketing and transactional email. Marketing campaigns use servers.mcsv.net for SPF and have their own DKIM records. Mandrill (Mailchimp Transactional Email) uses spf.mandrillapp.com for SPF and the mte1/mte2 DKIM selectors. Confusing the two — or assuming one covers both — results in authentication failures on whichever stream is missing its records.

Migration Notes

Migrating to Mandrill

If you're migrating transactional email to Mandrill from another provider, add the Mandrill SPF include and DKIM CNAME records before switching traffic. Verify the domain in the Mailchimp Transactional dashboard and send test messages before cutting over production traffic. Keep the old provider's SPF include in place until you've confirmed no email is still routing through them — removing it prematurely causes SPF failures for in-flight or queued messages.

Migrating Away from Mandrill

When decommissioning Mandrill, remove include:spf.mandrillapp.com from your SPF record and delete the mte1 and mte2 DKIM CNAME records. If you are also leaving Mailchimp marketing, remove include:servers.mcsv.net as well. Wait until you are certain no email is still routing through Mandrill before deleting DNS records — check your DMARC aggregate reports for Mandrill source IPs for at least one reporting cycle after the cutover.