F.A.Q.

What are Klaviyo’s SPF and DKIM records?


Userlevel 4
Badge +3

Klaviyo automatically applies the necessary SPF (sender policy framework) and DKIM (DomainKeys Identified Mail)records when you have a dedicated sending domain set up for your account. When the CNAME records are added to your DNS, a subdomain is created and delegated over to Klaviyo to control and make use of. At this point, Klaviyo automatically adds the necessary SPF/DKIM records to set your account up to send emails using your own dedicated domain. On your end, you only need to add the prescribed CNAMEs; no records are required.

For additional resources, you can learn How to Set up a Dedicated Sending Domain in this article.


16 replies

Userlevel 7
Badge +53

Hey @tabayersupport,

Can you elaborate further on your point of spam filtering softwares requiring verification and that mail is being relayed from an allowed mail server? As @wei.he pointed out, when setting up a dedicated sending domain and applying the necessary CNAME records within your DNS backend, this creates a subdomain that is delegated over to Klaviyo to make use of under your root domain. 

After setting up a dedicated sending domain, are you by chance test sending to recipients who share the same email domain? If so this can often times be caused by your own organization’s internal filters as @wei.he has previously mentioned:

Additionally, I would add that I’ve seen this occur with inappropriate or lack of domain warming since switching to using a dedicated sending domain. Domain warming is an important step after setting up and using a dedicated sending domain or even just switching from different ESPs as it gives inbox providers time to get acclimated again to your sending infrastructure. An added benefit of warming your domain is in strengthening your sending reputation. Sending reputation is crucial as inbox providers will still keep track of this through your root domain even if you switch between ESPs. 

David

 

 

Hello, i’ve added the cname records  and the send.rootdomail.com has been verified. However, every test I do which has the sender and reply email as Press@rootdomain.com falls into junk / spam on the recipient side. Surely spam filtering software will need to verify that mail is being relayed from an allowed mail relay server so we would need to add klaviyo mail relay as allowed to relay on rootdomain.com. 

Alternatively, as I understand it, klaviyo automatically add the records on the subdomain.rootdomain.com / eg send.rootdomain.com and provided the mail is sent from eg press@send.rootdomain.com, then its seen as legitimate and we can have the reply to set as say press@rootdomain.com. However, in both cases above, mail is being categorised as spam at the moment. 

Kindly advise how to solve this. 

Userlevel 7
Badge +53

Hey @carl543

Excellent question! 

Setting up a dedicated sending domain is the only method of authentication method Klaviyo supports. At this time Klaviyo does not support the use of SPF records for authentication purposes. 

David

I understand the the dedicated sending domain concept, but my marketing team is currently sending out email (through Klaviyo) from “opportunities@myDomain.com” and want to continue to send email out with legitimate reply-to mailboxes.

Can someone share the SPF records we need in order to support this without setting up a dedicated sending domain?

 

Thanks.

Userlevel 4
Badge +3

@American BenchCraft Thank you for your questions!

 

Yes, you would need to authenticate your Klaviyo account to a subdomain of the root domain (TLD) that you are planning to use for your email sends. When you enter in the CNAME records for the subdomain you are planning to use, you are passing over the subdomain to Klaviyo to allow us to place in the appropriate SPF and DKIM records. 

If you authenticated your Klaviyo account with your root domain, your root domain would no longer be pointed at your website, thus, resulting in errors when someone tries to visit your site. 

Do note that if you authenticate your account to a subdomain, your From-Address can still make use of the root domain. For example, if your dedicated sending domain is send.website.com, your From-Address can be hello@website.com. 

So if I want to use my TLD as I migrate from another ESP. Klaviyo does not allow that TLD to be authenticated with SPF/DKIM? You HAVE to use a sub domain off the TLD? Please advise as that seems counterintuitive to adhering to best practices.   

Userlevel 4
Badge +3

Hi @Page V, thank you for your question! 

 

An unauthenticated email send is when your email’s From-Address domain does not align with the sending domain that it is sending on. For example, your From-Address is hello@domainA.com while your sending domain is send.domainB.com. This misalignment is often seen as potential spoofing as the sending domain is not authenticated to send on behalf of the From-Address domain and can result in filtering.

 

The SPF/DKIM that you set on your Google Workspace would not impact their Klaviyo send.

 

 

Badge

Hi @wei.he - question: what is an unauthenticated Klaviyo email send?

Working on an account that is about to set up SPF / DKIM in their Google workspace, and want to know how it’s going to impact their Klaviyo sends. (They’re on a shared domain.) 
 

Userlevel 4
Badge +3

Hi @Drewdle81! The SPF and DKIM records for your Google Workspace will not affect your sending on Klaviyo in anyway. However, if your domain currently have a DMARC policy in place, it will affect your unauthenticated Klaviyo email sends.

Badge

Hi @Drewdle81! Nope, we only make use of CNAME records to allow you to authenticate your Klaviyo account to send on your domain. The CNAME record will pass over the subdomain you plan on using to Klaviyo to take control off and send emails from. In doing so, we will automatically apply the necessary SPF and DKIM records onto that subdomain. 

 

Thank you. Follow up question: Once I have completed the setup for Google Workspace SPF and DKIM for my domain, will my Klaviyo emails be adversely affected since they aren’t specified as a “permitted sender” in the SPF record? Or should that remain the same?

 

I will authenticate the domain through Klaviyo soon, but need to do it at a good time when I can go through the whole warm-up process.

Userlevel 4
Badge +3

Hi @Drewdle81! Nope, we only make use of CNAME records to allow you to authenticate your Klaviyo account to send on your domain. The CNAME record will pass over the subdomain you plan on using to Klaviyo to take control off and send emails from. In doing so, we will automatically apply the necessary SPF and DKIM records onto that subdomain. 

Badge

I’m currently adding the SPF/DKIM records to my domain for Google Workspace. Haven’t yet configured a dedicated sending domain through Klaviyo. Is there an spf record I can add for now to allow klaviyomail in addition to Google?

Badge +1

Got it! Thanks for the prompt reply.

Userlevel 4
Badge +3

Hi @Nuetron! Thank you for your comment. The dedicated sending domain you set up on Klaviyo is only meant for your Klaviyo email sends. Your WooCommerce emails would still need to be sent on a separate SMTP.

Badge +1

If I have the Klaviyo dedicated sending set up, the Klaviyo plugin installed in wooComm and the integration set up in Klaviyo can I use Klaviyo as my SMTP for native WooComm emails or do I still need a separate SMTP?  

Userlevel 1
Badge +1

Awesome!

Reply