How do I set up SPF and DKIM for Brevo (formerly Sendinblue)?

Brevo (formerly Sendinblue) authenticates your sending domain with three DNS records — and none of them is an SPF record. In Brevo, go to Settings > Senders, Domains, IPs > Domains, add your domain, and publish the records Brevo generates: a Brevo code (TXT) that proves ownership, a DKIM record (two CNAMEs on newer accounts, one TXT on older ones), and a DMARC record. Click Authenticate this email domain and allow up to 48 hours for verification. SPF only enters the picture on a dedicated IP. Here's the full walkthrough, plus the errors that trip people up.
What records does Brevo actually ask for?
Domain authentication in Brevo is mandatory, not optional. Brevo's domain authentication FAQ notes that Gmail and Yahoo have required it for email senders since February 1, 2024, and that Microsoft announced similar standards in May 2025. Brevo enforces it too: unauthenticated domains get their From address temporarily rewritten to something like mycompany@5000001.brevosend.com. Your clients will notice that.
Brevo's manual setup asks for three record types — three or four records total, depending on which DKIM format your account uses:
| Record | Type | Purpose |
|---|---|---|
| Brevo code | TXT | Verifies that you own and control the sending domain |
| DKIM record | 1 TXT, or 2 CNAME records | Digitally signs emails so receivers can confirm they weren't modified |
| DMARC record | TXT | Tells mail servers how to handle mail that fails authentication |
Notice what's missing. Brevo's own FAQ states that SPF and MX records "are not required to authenticate a domain" — Brevo only provides them when you set up a dedicated IP. DKIM does the heavy lifting here, and DMARC ties it to your domain's policy.
How do I find my DNS records in the Brevo dashboard?
Brevo's domain authentication guide has provider-specific instructions for Route 53, Cloudflare, GoDaddy, and others. The short version:
- In Brevo, click the account dropdown and select Settings > Senders, Domains, IPs > Domains.
- Click Add a domain. If the domain is already listed, click Authenticate next to it instead.
- Enter your sending domain — the part after the "@" in your From address.
- Choose a method. Authenticate the domain automatically connects to your domain provider (you log in from within Brevo), then adds the Brevo code, DKIM, and DMARC records and verifies them for you. Authenticate the domain yourself shows each record with copy buttons — keep that tab open while you work in your DNS host.
What do the Brevo DNS records look like?
Which DKIM format you see depends on your account. Newer accounts get DKIM 1 and DKIM 2 records (CNAME type), which use 2048-bit keys by default and let Brevo rotate keys periodically without you touching DNS. Older accounts get a single DKIM record (TXT type) at mail._domainkey with a 1024-bit key. Here's the shape of a full manual setup for yourdomain.com:
Example-shaped values for yourdomain.com — copy the exact values from your Brevo dashboard
# Brevo code — proves domain ownership
Type: TXT
Host: @ / yourdomain.com / blank — whichever your Brevo account shows
Value: <unique verification string — copy from your Brevo account>
# DKIM — option A: two CNAMEs (newer accounts)
Type: CNAME
Host: brevo1._domainkey.yourdomain.com
Value: b1.<token>.dkim.brevo.com
Type: CNAME
Host: brevo2._domainkey.yourdomain.com
Value: b2.<token>.dkim.brevo.com
# DKIM — option B: single TXT (older accounts)
Type: TXT
Host: mail._domainkey.yourdomain.com
Value: k=rsa;p=<public key from your Brevo account>
# DMARC
Type: TXT
Host: _dmarc.yourdomain.com
Value: v=DMARC1; p=none; rua=mailto:rua@dmarc.brevo.com
The in the CNAME targets is unique to your setup, so every value except the DMARC record must be copied directly from the Brevo dashboard — Brevo's troubleshooting guide lists copy and formatting errors among the most common failure causes. Want the CNAME format but only see TXT? Brevo support can switch your account over.
Do I need an SPF record for Brevo?
For standard shared-IP sending: no. Brevo doesn't ask for one, and adding a Brevo include to your SPF record won't change how Brevo mail authenticates — on shared IPs, the SPF check runs against Brevo's own bounce domain, not yours. Keep your existing SPF record as-is for the platforms that do need it, like Microsoft 365 or Google Workspace.
SPF becomes relevant in one case: a dedicated IP. Brevo's advanced dedicated-IP setup has you create seven DNS records of various types — A, MX, CNAME, DKIM, SPF, and DMARC — on the sending subdomain, each with a value copied from your Brevo account.
If the domain already has an SPF record, don't create a second one. A domain can only have one, and Brevo's SPF merge guide shows how to combine them — fold the mechanisms from both records into a single string. Brevo's own example merges a Google Workspace record with Brevo's:
v=spf1 include:_spf.google.com include:spf.brevo.com mx ~all
(The mx comes from Brevo's example record — only carry over mechanisms your records actually contain.) Seeing include:spf.sendinblue.com on a client domain? That's the legacy Sendinblue-era include, and it resolves to the identical record as spf.brevo.com, so it doesn't need replacing. Run any merged result through an SPF checker before saving — a broken SPF record hurts every sender on the domain, not just Brevo.
How does DMARC alignment work with Brevo?
DMARC passes when SPF or DKIM passes and the passing domain aligns with your From domain. With Brevo on shared IPs, alignment comes entirely from DKIM: once your domain is authenticated, Brevo signs your mail with a key published on your own domain, so the signature aligns and DMARC passes. dmarcian's source guide for Brevo confirms the SPF side: DMARC compliance through SPF requires a dedicated IP. That's why Brevo skips SPF for everyone else. If alignment is new territory, our guide on why DKIM signatures fail alignment covers the mechanics.
Two things to know about Brevo's DMARC record. First, p=none is monitoring mode — it satisfies Gmail and Yahoo's minimum but doesn't block spoofed mail. Second, rua=mailto:rua@dmarc.brevo.com sends your aggregate reports to Brevo. If you want visibility across all your sending services (or your clients' domains), add your own reporting address alongside it. Brevo documents the merged format:
v=DMARC1; p=none; rua=mailto:rua@dmarc.brevo.com, mailto:dmarcreports@yourdomain.com
Keep exactly one DMARC record on the domain either way.
How do I verify that Brevo authentication worked?
- At the bottom of the DNS records page in Brevo, click Authenticate this email domain.
- Check the status. Authenticated means you're done. Not authenticated means the records haven't been found yet — propagation can take up to 48 hours, and you can re-run the check as often as you like.
- Confirm the records resolve publicly with a DNS lookup tool. Query
brevo1._domainkey.yourdomain.comandbrevo2._domainkey.yourdomain.com(CNAME setup) ormail._domainkey.yourdomain.com(TXT setup) and compare against what Brevo shows. - Validate the published key with a DKIM checker using selector
brevo1,brevo2, ormail. - Send a test email to a mailbox you control and open the headers — Brevo's own check is to look for
dkim=passin the authentication results.
Work through these after adding the records at your DNS host
Once the domain shows Authenticated, leave the records alone. Brevo warns that modifying or deleting them later causes delivery problems for as long as you send through the platform.
Common issues
DKIM shows as not verifying
Usually a copy problem or a DNS host quirk. Brevo's troubleshooting guide calls out three repeat offenders: providers that append your domain to the host automatically, turning mail._domainkey.yourdomain.com into mail._domainkey.yourdomain.com.yourdomain.com (fix: enter only the prefix, or add a trailing dot); providers that reject the @ symbol (fix: use the bare domain or leave the host empty); and Route 53 or Google Domains refusing two records with the same type and name (fix: add the extra value as a second line inside the existing record).
DKIM CNAMEs fail behind Cloudflare
Two Cloudflare rules from Brevo's setup guide: turn the proxy (orange cloud) off on both DKIM CNAMEs, and disable CNAME flattening — if flattening is on, Cloudflare serves the record as TXT and DKIM fails. While you're in there, see our guide to adding a DMARC record in Cloudflare.
You already have an SPF record
Never add a second SPF record — merge Brevo's mechanisms into your existing one as shown above, with a single all qualifier at the end. More than one SPF record is invalid, and Brevo warns it damages deliverability for the whole domain.
A DKIM record with the same value already exists
If your domain already carries a DKIM record with the same value as the one Brevo provides, Brevo gives two options: replace the old record (only if you've stopped using the service that needed it) or contact Brevo support to issue a different DKIM value — which then has to be updated on every domain in your Brevo account. DKIM collisions get more common as client stacks grow — here's how to manage multiple DKIM records cleanly.
Multiple DMARC records detected
More than one DMARC record breaks DMARC entirely — receivers treat it as no policy at all — so Brevo flags this during authentication. Keep one record; if several tools want report copies, merge the rua addresses into that single record.
It authenticated, then broke days later
If a domain flips back to "Not authenticated" after passing — Brevo says this typically shows up within a day or a few days — the DNS records were most likely modified or deleted, a common casualty of website migrations. Re-add the records from the Brevo dashboard and re-verify.
Frequently asked questions
Does Brevo support SPF alignment?
Only with a dedicated IP. On shared IPs, DMARC compliance comes through the aligned DKIM signature — which is fine, since DMARC only needs one aligned pass.
Which domain should I authenticate in Brevo?
The sender domain — whatever follows the "@" in your Brevo From addresses, including subdomains like email.yourdomain.com. Authenticate each domain you send from. Free-mail domains like gmail.com can't be authenticated.
Can I use a 2048-bit DKIM key with Brevo?
CNAME-type DKIM records use 2048-bit keys by default. TXT-type records default to 1024-bit; Brevo support can activate a 2048-bit key (its value starts with sib2k), and you'll need to update the existing DNS record with the new value. If it exceeds your DNS host's 255-character field limit, split it into two quoted strings.
Will automatic authentication overwrite my existing DMARC record?
It will ask to. If you decline — say, because the domain already runs p=quarantine or p=reject — use manual authentication and keep your record. Note that Brevo requires domains with enforcement policies to be authenticated before you can even create a sender.
What does this mean for MSPs managing client domains?
One Brevo domain takes ten minutes plus propagation. Twenty client domains — each with its own DNS host and half-remembered DKIM history — is where this eats real hours, and where a monitoring gap means a client's newsletter quietly lands in spam. Palisade automates the monitoring half: every domain's SPF, DKIM, and DMARC state in one dashboard, with alerts when a record changes or alignment breaks. And if the same client sends through other platforms, we have matching setup guides for Klaviyo and other major senders.

Written by
Samuel ChenardCEO & Co-Founder, Palisade
Samuel Chenard is the CEO and co-founder of Palisade, the DMARC automation platform for MSPs. He writes Palisade's guides on DMARC, SPF, DKIM and email deliverability.
More from Samuel →


