SparkPost SPF, DKIM & DMARC Setup Guide

Overview

SparkPost (now part of Bird, formerly MessageBird) is a high-performance transactional email platform built on the Message Systems MTA technology that powers a significant share of global email traffic. Its SPF record uses include:_spf.sparkpostmail.com, costing 1 DNS lookup. SparkPost is often chosen for high-volume transactional workloads where deliverability and throughput are critical.

DKIM Configuration

DKIM in SparkPost is configured during the sending domain setup process. SparkPost generates a DKIM TXT record with an auto-generated selector (format varies per account, e.g., scph0717). You publish this TXT record in your domain's DNS, and SparkPost signs outbound messages with the corresponding private key. Both 1024-bit and 2048-bit RSA keys are supported. If your DNS provider has a character limit on TXT records, you may need to use the 1024-bit option — but 2048-bit is strongly recommended for current security standards.

DMARC Alignment and Custom Bounce Domains

DMARC alignment requires two things: a verified sending domain (for DKIM alignment) and a custom bounce domain (for SPF alignment). Without a custom bounce domain, the return-path uses sparkpostmail.com, causing SPF alignment failures in DMARC evaluation. The custom bounce domain is configured by adding a CNAME record that points a subdomain (like bounces.yourdomain.com) to SparkPost's bounce handling infrastructure.

Additional Setup Notes

Brand Transitions: SparkPost, MessageBird, and Bird

SparkPost has undergone brand transitions — from SparkPost to MessageBird to Bird — but the underlying email infrastructure and SPF include mechanism have remained unchanged. If you see documentation referencing any of these names, the DNS setup is the same. The SPF include remains _spf.sparkpostmail.com regardless of which brand name appears in the dashboard or documentation. Do not search for a bird.com or messagebird.com SPF include — they do not exist for this service.

Domain Verification

Domain verification in SparkPost uses a DNS TXT record placed on your sending domain. This record is separate from the DKIM record and only used to prove domain ownership. Once verified, SparkPost will sign messages using your domain. The verification TXT record can be removed after verification completes, though keeping it causes no harm.

Custom Bounce Domain Setup

Custom bounce domain setup is the most commonly missed step. Without it, DMARC reports will show SPF alignment failures even though your SPF record includes SparkPost correctly. The fix is a single CNAME record pointing your bounce subdomain (like bounces.yourdomain.com) to SparkPost's bounce handling infrastructure — the exact target is provided in the SparkPost dashboard when you configure the domain.

SPF Lookup Budget

If you're running SparkPost alongside other email providers and approaching the 10-lookup limit, Managed SPF can consolidate the nested lookups into direct IP references, freeing up budget for additional providers.

Troubleshooting

SPF Alignment Fails Despite Valid SPF Record

The most frequent SparkPost authentication issue: your SPF record includes _spf.sparkpostmail.com, SPF checks pass, but DMARC aggregate reports show SPF alignment failures. This happens because the envelope sender (MAIL FROM) still uses sparkpostmail.com instead of your domain. The fix is to configure a custom bounce domain. Navigate to Configuration > Sending Domains in the SparkPost dashboard, select your domain, and add a bounce domain. Publish the CNAME record SparkPost provides, wait for DNS propagation, and verify it in the dashboard.

DKIM TXT Record Too Long

Some DNS providers truncate or reject TXT records exceeding 255 characters. A 2048-bit DKIM key produces a record well beyond this limit. Most modern providers support multi-string TXT records (splitting the value into 255-character chunks within a single record), but some older control panels do not handle the splitting correctly. If your DKIM check fails after publishing the record, verify that the full key value is present by querying the record directly with a DNS lookup tool. If the record is truncated, either switch to a DNS provider that supports long TXT records or use the 1024-bit key option in SparkPost.

Domain Verification Stuck in Pending

If domain verification stays in "Pending" after publishing the TXT record:

1. Check the record hostname — SparkPost expects the verification TXT record on the apex domain (e.g., yourdomain.com), not a subdomain. Some DNS providers auto-append the domain, so entering yourdomain.com in the hostname field creates yourdomain.com.yourdomain.com.
2. Check DNS propagation — Use an external DNS checker to confirm the TXT record is visible from outside your network. Internal DNS caches can show stale results.
3. Re-trigger verification — In the SparkPost dashboard, click "Verify" again after confirming the record is published. SparkPost does not continuously poll — it checks on demand.

Emails Bouncing with 550 Errors

If messages sent through SparkPost bounce with 550 5.7.1 or similar authentication-related rejection codes, the receiving server is likely enforcing a strict DMARC policy on your domain and both SPF and DKIM alignment are failing. Confirm that your sending domain is verified in SparkPost, your DKIM TXT record resolves correctly, and your custom bounce domain CNAME is in place. All three must be working for full DMARC compliance.

Edge Cases and Gotchas

EU Data Residency

SparkPost offers EU-hosted accounts with a separate endpoint (app.eu.sparkpost.com). The SPF include mechanism is the same (_spf.sparkpostmail.com) regardless of whether you use the US or EU endpoint. There is no separate EU-specific SPF include — do not add a second one.

Subaccount Sending Domains

SparkPost supports subaccounts, and each subaccount can have its own sending domains. DKIM selectors are unique per domain, not per subaccount. If multiple subaccounts send from the same domain, they share the same DKIM key and SPF configuration. Subaccount isolation is at the API level, not the DNS level.

Dedicated IPs and SPF

On SparkPost's dedicated IP plans, you can add the dedicated IP directly to your SPF record using ip4: notation. This eliminates the DNS lookup cost of the include:_spf.sparkpostmail.com mechanism. However, if SparkPost ever changes or adds to your dedicated IP allocation, you must manually update your SPF record — there is no automatic sync. For most organizations, keeping the include: is safer. For organizations at the lookup limit, Managed SPF handles this automatically.

Migration Notes

Migrating to SparkPost

Add the SparkPost SPF include, DKIM TXT record, and custom bounce domain CNAME to your DNS before switching traffic. Verify the domain in the SparkPost dashboard and send test messages to confirm DKIM signing and SPF alignment. Keep the old provider's DNS records in place until you've confirmed all traffic has migrated — DMARC aggregate reports from the old provider should show zero volume before you remove their records.

Migrating Away from SparkPost

Remove include:_spf.sparkpostmail.com from your SPF record, delete the DKIM TXT record for the SparkPost selector, and remove the custom bounce domain CNAME. Check DMARC aggregate reports for at least one full reporting cycle (typically 24 hours) to confirm no email is still routing through SparkPost's infrastructure before deleting DNS records.