How do I set up SPF and DKIM for Klaviyo?

Klaviyo authenticates your email through a branded sending domain: you delegate a subdomain (like send.yourdomain.com) to Klaviyo with a few DNS records, and Klaviyo manages the SPF and DKIM records on it automatically. You never paste raw SPF or DKIM values yourself — but you do need to add the delegation records correctly, and Klaviyo's setup does not cover DMARC, which is now required for bulk senders.
Quick Takeaways
- Klaviyo uses a branded sending domain — you add delegation records, Klaviyo handles the SPF/DKIM records behind them.
- Setup needs up to 3 CNAME records (Static routing) or 4 NS records (Dynamic routing), plus 1 TXT record for ownership verification.
- Klaviyo recommends Dynamic (NS) routing; choose Static (CNAME) if your DNS host doesn't support delegating with NS records.
- DNS changes can take up to 48 hours to propagate before Klaviyo can verify them.
- Klaviyo's wizard stops at SPF/DKIM — you still need your own DMARC record to meet Gmail and Yahoo bulk-sender rules.
Where do I start in Klaviyo?
In Klaviyo, open your account settings and go to the Domains tab, then start the branded sending domain setup. Pick the subdomain you want to send from (Klaviyo suggests one like send. or mail. on your root domain). Klaviyo then shows the exact DNS records to add — the values are account-specific, so always copy them from your own dashboard, not from a guide.
Why does this matter beyond deliverability? Without a branded sending domain, your campaigns go out on Klaviyo's shared infrastructure and inbox providers show "via klaviyomail.com" next to your name. You're also pooled with other senders' reputation instead of building your own. With the sender requirements Gmail, Yahoo, and Microsoft have been enforcing since 2024–2025, authenticated sending on your own domain is the baseline for any list that matters — see why Gmail now rejects unauthenticated mail outright.
Should I choose Dynamic (NS) or Static (CNAME) routing?
Klaviyo recommends Dynamic routing, which uses 4 NS records to delegate the subdomain so Klaviyo can manage and rotate the underlying authentication records for best sending performance. Choose Static routing (up to 3 CNAME records) only if your DNS provider doesn't support NS delegation on a subdomain. Both options also require a TXT record that proves you own the domain. Full details are in Klaviyo's setup guide.
The practical difference: with Dynamic routing, Klaviyo can update the records on its side without you ever touching DNS again; with Static routing, a future change on Klaviyo's side could mean another DNS task for you. Functionally both authenticate your mail the same way — DKIM signatures published under _domainkey hosts on your sending subdomain, with SPF passing on Klaviyo's managed return-path.
How do I add the records in my DNS provider?
1. Open your DNS host (Cloudflare, GoDaddy, Route 53...) and add each record exactly as shown in Klaviyo — host and value, no extra dots or spaces.
2. On Cloudflare, set the records to DNS only (grey cloud); proxying breaks verification.
3. Wait for propagation — usually minutes, but allow up to 48 hours. You can confirm the records resolve with a DNS lookup before asking Klaviyo to verify.
4. Back in Klaviyo, click Verify records, then Activate the domain once every record shows green.
After activation, Klaviyo signs your campaigns with DKIM on your branded subdomain and SPF passes automatically — your emails stop showing "via klaviyomail.com" in the inbox.
Common issues with Klaviyo domain verification
Why won't my records verify?
Nine times out of ten it's a copy-paste problem: a trailing space, a missing character, or your DNS host auto-appending your domain to a host that already contains it (producing send.yourdomain.com.yourdomain.com). Check the record with a DNS lookup — if what's published doesn't exactly match what Klaviyo shows, fix the record rather than re-clicking Verify.
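The comparison described above can be scripted. The following is an added example, not Klaviyo's code or part of its setup guide; it classifies each expected record against lookup results and flags the doubled-zone and trailing-space cases. All hosts, values and the `_verify` label are constructed placeholders, and exact matching of TXT data is an assumption.

```python
def norm(name):
    """DNS names are case-insensitive; a trailing dot only marks an FQDN."""
    return name.rstrip(".").lower()

def value_matches(rtype, published, expected):
    if rtype == "TXT":   # TXT data is an opaque string: compare exactly (assumption)
        return published.strip('"') == expected
    return norm(published) == norm(expected)

def diagnose(expected, published, zone):
    """Classify one expected (type, host, value) record against lookup results.

    published: (type, host, value) tuples as returned by a DNS lookup.
    zone: the root domain your DNS host manages, e.g. "example.com".
    """
    rtype, host, value = expected
    host_n = norm(host)
    doubled = f"{host_n}.{norm(zone)}"   # host with the zone appended a second time
    at_host = [v for t, h, v in published if t == rtype and norm(h) == host_n]
    if any(value_matches(rtype, v, value) for v in at_host):
        return "ok"
    if any(t == rtype and norm(h) == doubled for t, h, _ in published):
        return f"doubled zone: published at {doubled}; enter the host without the domain"
    if at_host:
        return f"value mismatch: published {at_host!r}, expected {value!r}"
    return "missing: nothing published at this host (or still propagating)"

def check_all(expected_records, published, zone):
    return {host: diagnose((t, host, v), published, zone)
            for t, host, v in expected_records}

# Constructed sample data: copy the real values from your own Klaviyo dashboard.
EXPECTED = [
    ("CNAME", "send.example.com", "target-a.esp.example.net"),
    ("CNAME", "sel1._domainkey.send.example.com", "target-b.esp.example.net"),
    ("TXT", "_verify.send.example.com", "verify-token-123"),
]
PUBLISHED = [  # what a lookup returned (constructed)
    ("CNAME", "send.example.com.example.com.", "target-a.esp.example.net."),
    ("CNAME", "sel1._domainkey.send.example.com.", "Target-B.esp.example.net."),
    ("TXT", "_verify.send.example.com.", '"verify-token-123 "'),
]

if __name__ == "__main__":
    for host, verdict in check_all(EXPECTED, PUBLISHED, "example.com").items():
        print(f"{host}: {verdict}")
```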
Why does verification fail on Cloudflare specifically?
The orange proxy cloud. Cloudflare proxies CNAME records by default, which hides the real value from Klaviyo's verification check. Set every Klaviyo record to DNS only (grey cloud). If you chose Dynamic routing and Cloudflare won't accept NS records on the subdomain, switch to Static routing in Klaviyo instead.
Why do emails still say "via klaviyomail.com"?
The branded domain isn't activated yet — verification and activation are separate steps — or the campaign went out before activation. Send a fresh test campaign after activating; already-sent messages don't update.
Why is DMARC failing even though Klaviyo shows green checks?
Klaviyo's checks confirm its own records, not your DMARC alignment. If your From: address uses your root domain while authentication passes on a different domain, DMARC fails on alignment. Keep your From: domain within the domain family you delegated, and read your DMARC reports to see exactly which check fails.
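To see why green SPF and DKIM checks do not guarantee a DMARC pass, the added example below (not Klaviyo's code) parses an Authentication-Results header of the kind shown in Gmail's Show original and tests each passing mechanism for alignment with the From: domain. The headers are constructed, and the organizational domain is approximated as the last two labels instead of using the Public Suffix List.

```python
import re

def org_domain(domain):
    # Assumption: last two labels form the organizational domain. Real DMARC
    # evaluators use the Public Suffix List (this is wrong for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(header):
    """Return [(method, result, props)] from an Authentication-Results value."""
    header = re.sub(r"\([^)]*\)", "", header)        # drop (comments)
    results = []
    for part in header.split(";")[1:]:               # part 0 is the authserv-id
        m = re.match(r"\s*(\w+)=(\w+)", part)
        if m:
            props = dict(re.findall(r"([\w.]+)=(\S+)", part))
            results.append((m.group(1).lower(), m.group(2).lower(), props))
    return results

def dmarc_alignment(from_domain, header, strict=False):
    """Which passing mechanisms align with the From: domain (relaxed by default)."""
    def same(a, b):
        return a == b if strict else org_domain(a) == org_domain(b)
    aligned = {"spf": False, "dkim": False}
    for method, result, props in parse_auth_results(header):
        if result != "pass" or method not in aligned:
            continue
        raw = (props.get("smtp.mailfrom") if method == "spf"
               else props.get("header.d") or props.get("header.i"))
        if raw:
            authed = raw.rsplit("@", 1)[-1].lower().rstrip(".")
            aligned[method] |= same(authed, from_domain.lower())
    aligned["dmarc"] = aligned["spf"] or aligned["dkim"]
    return aligned

# Constructed headers (not captured from real mail).
ALIGNED = ("mx.example.org; dkim=pass header.i=@send.example.com header.s=sel1; "
           "spf=pass (domain of bounce@send.example.com designates 192.0.2.10 "
           "as permitted sender) smtp.mailfrom=bounce@send.example.com")
UNALIGNED = ("mx.example.org; dkim=pass header.d=esp.example.net header.s=sel1; "
             "spf=pass smtp.mailfrom=bounce@esp.example.net")

if __name__ == "__main__":
    print(dmarc_alignment("example.com", ALIGNED))               # relaxed
    print(dmarc_alignment("example.com", ALIGNED, strict=True))  # adkim=s / aspf=s
    print(dmarc_alignment("example.com", UNALIGNED))
```

With relaxed alignment a From: address on the root domain aligns with mail authenticated on send.example.com; under strict alignment, or when both mechanisms pass on an unrelated domain, DMARC fails even though SPF and DKIM each read pass.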
Why do I still need DMARC after Klaviyo's setup?
Klaviyo's wizard authenticates the mail it sends, but DMARC lives on your root domain and is your policy, not Klaviyo's. Gmail, Yahoo, and Microsoft all require a DMARC policy for bulk senders, and it's what actually stops other people from spoofing your domain. Publish a record starting at p=none, watch the reports to confirm Klaviyo traffic is aligned, then tighten the policy over time. Palisade automates that whole progression — sender inventory, alignment checks, and the safe path to p=reject.
How do I confirm everything works?
Send a test campaign to a Gmail address and open Show original: SPF, DKIM, and DMARC should all read PASS, with your branded subdomain as the authenticated domain. Then run your root domain through the free Email Security Score to catch anything the Klaviyo wizard didn't cover — including your SPF record health, DKIM configuration, and DMARC policy strength.
Frequently asked questions
Do I need to add Klaviyo to my root domain's SPF record?
No. Klaviyo's SPF passes on the delegated sending subdomain, so it doesn't consume any of your root SPF record's 10-DNS-lookup budget. Only add services to your root SPF if they send mail as your root domain directly.
Which subdomain should I pick?
Any subdomain you don't already use for mail — send., mail., or news. are common. Don't reuse a subdomain that another service already sends from, and never delegate your root domain itself.
Will this affect my regular business email?
No. The delegation only covers the sending subdomain Klaviyo manages. Your Google Workspace or Microsoft 365 mail on the root domain keeps its own MX records, SPF, and DKIM untouched.
Can I use one branded sending domain for two Klaviyo accounts?
No — a branded sending domain belongs to one Klaviyo account. For a second account (say, a second brand), set up a separate subdomain or domain.
How long until deliverability improves after setup?
Authentication is immediate once activated, but reputation builds over weeks of consistent sending. If you're moving a large list from shared to branded sending, warm the domain up gradually rather than blasting the full list on day one.