Set Up Custom Domain Authentication: DKIM and SPF

This feature requires Manager user level or higher.

Internet Service Providers (ISPs), like Google, Yahoo, and Microsoft, use DKIM and SPF authentication as a way to scan incoming emails for spam or spoofed addresses. Emails that fail SPF or DKIM authentication are more likely to arrive in a spam or junk folder.

To help ensure your campaigns reach your recipients’ inboxes and to make your campaigns look more professional, you can set up custom DKIM and SPF authentication for your domain.

In this article, you’ll learn how to set up DKIM and SPF in your DNS records.

Before You Start

Here are some things to know before you begin this process.

  • Custom domain authentication is optional for MailChimp users. Learn more about the benefits of default vs. custom domain authentication.

  • To set up authentication, you need to change some account settings with your DNS provider. If you don't know who your DNS provider is, reach out to your hosting service.

Custom Authentication: Task Roadmap

To authenticate your domain, you’ll need to complete tasks in MailChimp and your domain provider’s zone editor or cPanel. This process requires you to copy and paste information from MailChimp to your domain provider’s site. We recommend that you work with two browser windows or tabs to easily move between your sites.

Here’s a brief overview of the process.

In MailChimp

  • Verify your domain.
  • Copy two important pieces of information: your CNAME record for DKIM and your TXT record for SPF.

In Your Domain's cPanel or Zone Editor

  • DKIM: Create a CNAME record for with this value:
  • SPF: Create a TXT record for with this value: v=spf1 ?all


Verify Domain and Copy Records

To get started, log in to MailChimp to verify your domain and copy your CNAME and TXT records.

Verify Your Domain

You’ll verify your domain in the Settings section of your MailChimp account. Navigate to the Verified domains page and follow the prompts. We’ll let you know when verification is complete.

Verified domain listed with green checkmark

This process requires you to respond to a confirmation email. If you don’t receive the email after a few moments and you’ve checked your spam or junk folders, visit our verification troubleshooting guide.

Copy Authentication Information

After your domain is verified, you’ll copy some important pieces of information in your MailChimp account.

To find your domain’s authentication information, follow these steps.

  1. Navigate to your Verified domains.

  2. Under your domain’s name, click View setup instructions.
    Verified domain slat shows cursor over Authenticate button

  3. In the Domain Authentication pop-up modal, we'll show you what information needs to be added or changed with your domain provider.
    Domain Authentication modal provides instructions, with cursor over Authenticate Domain button.

  4. In another browser tab or window, use this information to edit your domain’s DNS records, and click Authenticate Domain when you’re done.

About DNS Record Changes

To authenticate your domain, navigate to your domain provider’s site. Then, use the DKIM and SPF information from MailChimp to update your DNS records.

Domain providers use different names for the page where you’ll update the DNS record, like cPanel, Zone Editor, Zone File Settings, Manage Domains, Domain Manager, DNS Manager, or something similar.

Example CNAME Record for DKIM

Here’s an approximate example of what your CNAME record will need to look like to set up DKIM authentication. Remember, when you edit your own records, these columns and their labels may look different.

Record Type: CNAME Record



  • DKIM requires underscores in the CNAME file. However, in the past, DNS didn’t allow for underscores, and some registrars still do not allow them to appear in the CNAME file. If you receive this type of error when you set up DKIM, the issue is on the registrar's side. We recommend one of these three options: contact your registrar for assistance, set up a secondary custom domain with a registrar that allows underscores, or switch DNS providers.

  • Depending on your provider, you may need to add a period at the end of your CNAME record. Some providers add this period automatically, so you may want to refer to their help site for more information.


Example TXT Record for SPF

Here’s an approximate example of what your TXT record will need to look like to set up SPF authentication. Remember, when you edit your own records, these columns and their labels may look different.  

Record Type: TXT Record
Value: v=spf1 ?all


SPF Tips

  • SPF should be set up with a TXT record, rather than an SPF record.

  • Avoid creating more than one TXT record for SPF. However, you can create multiple values in the same record with an include statement.


v=spf1 ?all

  • Depending on your provider, you may need to add quotation marks around your entire SPF record.

"v=spf1 ?all"
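
The SPF tips above, turned into a check you can run over a domain's TXT values before you click Authenticate Domain. This is an added example, not MailChimp's code: the record values and include hosts are constructed placeholders, and keeping the strictest "all" qualifier when merging is a choice made for this example.

```python
# Added example: lint and merge SPF TXT records. All values are constructed;
# the include hosts are placeholders, not values from MailChimp.
CURLY = str.maketrans({"\u201c": '"', "\u201d": '"'})
STRICT = {"+": 0, "?": 1, "~": 2, "-": 3}  # RFC 7208 qualifiers, weakest first

SAMPLE_TXT = [  # constructed TXT record set for one domain
    '"v=spf1 include:spf.existing.example -all"',
    "\u201cv=spf1 include:spf.newsender.example ?all\u201d",  # curly quotes
    "site-verification=constructed-token",
]

def normalize(txt):
    """Remove the surrounding quotation marks some providers require."""
    return txt.translate(CURLY).strip().strip('"').strip()

def spf_records(txt_records):
    """Return the normalized TXT values that are SPF policies."""
    values = [normalize(raw) for raw in txt_records]
    return [v for v in values if v.lower().split(" ", 1)[0] == "v=spf1"]

def lint(txt_records):
    """Return the problems found in a domain's TXT record set."""
    problems = []
    count = len(spf_records(txt_records))
    if count == 0:
        problems.append("no SPF record")
    elif count > 1:
        # More than one SPF record makes SPF evaluation fail (RFC 7208).
        problems.append(f"{count} SPF records: evaluation returns permerror")
    if any("\u201c" in raw or "\u201d" in raw for raw in txt_records):
        problems.append("curly quotes in a record: use straight quotes")
    return problems

def merge(txt_records):
    """Fold several SPF records into one with a single, strictest 'all'."""
    mechanisms, final = [], None
    for record in spf_records(txt_records):
        for term in record.split()[1:]:
            if term.lower().lstrip("+-~?") == "all":
                qualifier = term[0] if term[0] in STRICT else "+"
                if final is None or STRICT[qualifier] > STRICT[final]:
                    final = qualifier
            elif term not in mechanisms:
                mechanisms.append(term)
    # Fall back to the neutral ?all this article uses if no record had one.
    return " ".join(["v=spf1", *mechanisms, (final or "?") + "all"])
```

Publish the output of merge() as the domain's only SPF TXT record, then run lint() again on the updated record set.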

How to Edit DNS Records in Common Domain Providers

Here are some instructions for editing DNS records with popular domain providers. If your service isn’t listed here, log in to your provider’s site and search their help documents, or contact their customer support team.

Amazon Web Services: Configuring DNS, Resource Record Types
A Small Orange:

Dreamhost: SPF, DKIM

GoDaddy: Add a CNAME Record

Google Domains: DNS Basics

Hostgator: Manage DNS records

Hover: Edit DNS Record

Namecheap: SPF & DKIM

Network Solutions: Edit DNS Record

Squarespace: Advanced DNS Settings

Stablehost: How do I get to cpanel?

After records are entered into your DNS correctly, your domain should authenticate within a few moments. In some cases, it may take a bit longer. To complete the process, don’t forget to re-open your MailChimp browser tab or window and click Authenticate Domain.

When authentication is successful, you’ll see two green checkmarks on the Verified domains page.

Image: a screenshot of the Verified domains page, with a successfully authenticated custom domain

MailChimp logs and stores your authentication when you set it up. If you make further changes to the TXT or CNAME records after you authenticate your domain, it could interfere with the information we have on file. Before you make further changes, disable authentication on the Verified domains page, and re-authenticate after your DNS changes are complete.


If you've entered all records correctly and your authentication isn’t working right away, there typically isn’t a cause for concern. You may need to wait a bit longer (up to 24 hours) since it can sometimes take time for servers to recognize your changes.

If you still experience problems, reach out to your domain provider’s help site for tips on troubleshooting DNS records in their service.
