Klaviyo DMARC Setup for Ecommerce: 2026 Step-by-Step Guide

[Figure: SPF, DKIM and DMARC email authentication flow, showing the pass path to the inbox and the fail paths to spam or reject]

In February 2024, Gmail and Yahoo started rejecting bulk email from senders without proper authentication. By 2026, deliverability without DMARC isn't degraded -- it's broken. If your Klaviyo DMARC setup for ecommerce isn't right, your campaigns are landing in promotions, in spam, or not landing at all. And that's before you account for Microsoft and Apple Mail tightening their own enforcement.

This guide is the practical step-by-step we use when onboarding new accounts. It covers SPF, DKIM, and DMARC records, the order to set them up, and the most common mistakes we see in audits.

If you want to verify your current setup before reading further, run your domain through our DMARC check tool -- it'll tell you in 30 seconds whether your records are configured correctly.

Why DMARC Matters in 2026

Email authentication has gone from "best practice" to "table stakes" in two years. The relevant changes:

Gmail and Yahoo (Feb 2024): Bulk senders (5,000+/day to Gmail) require SPF, DKIM, and DMARC with at least `p=none` policy. Failure rates are now strictly enforced.

Microsoft Outlook (mid-2025): Aligned its enforcement with Gmail, including stricter handling of unauthenticated mail.

Apple Mail (BIMI-aware): Brand logos in inbox display require both DMARC enforcement and a Verified Mark Certificate (VMC) -- a real differentiator in mobile inbox experience.

For an ecommerce brand sending Klaviyo campaigns at any meaningful volume, the practical impact is straightforward: without proper authentication, your inbox placement rate drops, your campaign revenue drops with it, and you have no visibility into why because the rejections happen at the receiving server. The DMARC reports you'll set up below are how you get visibility.

SPF, DKIM, DMARC: What Each One Does

These three records work together. None of them alone is sufficient.

SPF (Sender Policy Framework) is a DNS record that lists which servers are authorized to send email from your domain. When a receiving server gets an email claiming to be from you@yourbrand.com, it checks the SPF record to see if the sending server is on the approved list.

DKIM (DomainKeys Identified Mail) is a cryptographic signature attached to every email you send. The receiving server uses your public DKIM key (published in DNS) to verify the email wasn't tampered with in transit and that it was actually signed by your domain.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the policy that tells receiving servers what to do when a message fails authentication, meaning neither SPF nor DKIM passes in alignment with your visible "From" domain -- and how to report those failures back to you. This is the missing piece for most ecommerce brands.

The check chain at the receiving server: SPF passes? DKIM passes? At least one aligns with your visible "From" domain? If yes, deliver. If no, follow your DMARC policy.

Step 1: Confirm Your Dedicated Sending Domain in Klaviyo

Before any DNS work, confirm your Klaviyo sending domain. Go to Account > Settings > Domains and Hosting. You should see your sending domain configured -- typically send.yourbrand.com or email.yourbrand.com, not your bare yourbrand.com.

[Figure: DMARC policy rollout timeline, from p=none at week 1 to p=reject at week 12, with a BIMI-eligible badge]

Two important rules:

1. Use a dedicated sending subdomain. Don't send Klaviyo campaigns from yourbrand.com directly. A subdomain isolates your marketing reputation from your transactional and corporate email.

2. Keep transactional and marketing on separate subdomains. If you send order confirmations through Shopify and campaigns through Klaviyo, use different subdomains so a marketing reputation issue can't affect transactional deliverability.

Klaviyo's interface walks you through subdomain setup if you haven't done this yet. Don't skip this step -- everything below depends on it.

Step 2: Add the SPF Record to Your DNS

In Klaviyo's Domains and Hosting settings, you'll see the SPF record value to add. It typically looks like:


v=spf1 include:_spf.klaviyo.com ~all

Add this as a TXT record on the subdomain you configured (e.g., send.yourbrand.com).

If you have other senders on the same subdomain (you generally shouldn't, but it happens), you'd combine them:


v=spf1 include:_spf.klaviyo.com include:_spf.othervendor.com ~all

A common mistake is publishing two separate SPF records on the same subdomain. A domain may carry only one SPF record (a TXT record beginning with v=spf1). If you create a second one, SPF evaluation returns a permanent error and both fail.

After adding, wait for DNS propagation (typically 15-60 minutes, sometimes longer) and verify in Klaviyo that SPF shows as authenticated.

Step 3: Add Klaviyo's DKIM Records

Klaviyo provides two CNAME records for DKIM. They look like:


Host: klaviyo1._domainkey.send.yourbrand.com
Type: CNAME
Value: dkim.klaviyomail.com

Host: klaviyo2._domainkey.send.yourbrand.com
Type: CNAME
Value: dkim2.klaviyomail.com

Add both. They sign outbound mail with two keys for redundancy and easier key rotation.

After DNS propagation, return to Klaviyo's domain settings and click verify. Both DKIM records should show as authenticated. If they don't, the most common causes are:

- The record was added at the apex domain instead of the subdomain

- The CNAME value has a trailing period or extra whitespace

- DNS hasn't propagated yet (give it up to 24 hours)

Step 4: Publish Your DMARC Record (Start With p=none)

DMARC lives at _dmarc.yourbrand.com (or _dmarc.send.yourbrand.com if you're scoping to the subdomain).

The recommended starting record:


v=DMARC1; p=none; rua=mailto:dmarc-reports@yourbrand.com; ruf=mailto:dmarc-forensic@yourbrand.com; fo=1; pct=100

What each tag does:

v=DMARC1 -- version (required, always this).

p=none -- your policy. `none` means "report failures but don't reject." This is the right starting point for every brand.

rua= -- aggregate reports go to this address (daily summaries from Gmail, Yahoo, etc.).

ruf= -- forensic reports (per-failure detail). Optional but useful for debugging.

fo=1 -- generate forensic reports if either SPF or DKIM fails.

pct=100 -- apply the policy to 100% of mail.

Use a real, monitored address for rua -- the daily reports are XML and useful only if you parse them. Most brands use a DMARC monitoring service (e.g., DMARC Digests, Postmark DMARC, EasyDMARC) to convert raw reports into a readable dashboard.

Step 5: Monitor Reports and Tighten the Policy

p=none is the starting line, not the finish line. Over the next 4-6 weeks, monitor your DMARC reports. You're looking for:

Legitimate sources of mail you forgot about. Tools that send on behalf of your domain -- Shopify transactional, Gorgias, customer service tools, internal alerts, sales rep email signatures. Any of these need to be in SPF/DKIM or moved to a different sending subdomain.

Spoofing attempts. Unauthorized senders trying to use your domain. The reports will show foreign IP addresses sending mail that fails authentication.

Once your legitimate sources are accounted for and your authentication pass rate is consistently 95%+, tighten the policy:


v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc-reports@yourbrand.com

This sends 10% of failing mail to spam folders. If the world doesn't end after 2 weeks, raise to 25%, then 50%, then 100%. Then move to p=reject -- the receiving server outright drops failing mail. Reject is the gold standard for sender reputation and is required for full BIMI eligibility.

This phased rollout typically takes 8-12 weeks end to end. Don't rush it. A premature p=reject policy can drop legitimate mail you didn't realize was authenticating poorly.

Common Klaviyo DMARC Setup Mistakes

The five mistakes we see most often when auditing accounts:

1. SPF record at the apex instead of the subdomain. If your Klaviyo domain is send.yourbrand.com, the SPF record must be on send.yourbrand.com, not on yourbrand.com. This single mistake accounts for roughly a third of the failed setups we see.

2. Multiple SPF records on the same domain. Adding a new vendor by appending another SPF record breaks both. Combine into a single record or move the new vendor to a different subdomain.

3. DMARC at the wrong domain level. Setting DMARC at _dmarc.yourbrand.com covers all subdomains by default. Setting it at _dmarc.send.yourbrand.com covers only that subdomain. Most ecommerce brands want the apex DMARC record covering everything, then layer subdomain-specific records if needed.

4. Going straight to p=reject without monitoring. This is the fastest way to drop legitimate transactional mail you didn't know was authenticating poorly. Always start at p=none for at least 4 weeks.

5. Ignoring DMARC reports. Setting up reporting and never reading the reports is worse than not setting up reporting -- you've created a false sense of completeness. Use a monitoring service that sends you a weekly readable summary.
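Several of these mistakes are visible in the DNS data itself and can be checked mechanically. The Python below is an added example, not Klaviyo's or the original guide's code; the zone dictionary format, the finding labels and the function names are assumptions, and the record values are constructed from the samples in Steps 2 to 4.

```python
def parse_tags(record):
    """Split 'v=DMARC1; p=none; ...' into {'v': 'DMARC1', 'p': 'none', ...}."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit(zone, apex, sending):
    """Return findings for the DNS mistakes listed above (empty list = clean)."""
    def values(name, rtype):
        return [v for t, v in zone.get(name, []) if t == rtype]
    def is_spf(v):
        return v.lower().startswith("v=spf1")
    findings = []
    spf = [v for v in values(sending, "TXT") if is_spf(v)]
    if len(spf) > 1:
        findings.append("multiple-spf-records")
    elif not spf:
        at_apex = any(is_spf(v) for v in values(apex, "TXT"))
        findings.append("spf-at-apex-only" if at_apex else "spf-missing")
    for sel in ("klaviyo1", "klaviyo2"):  # selector names as shown in Step 3
        cname = values(f"{sel}._domainkey.{sending}", "CNAME")
        if not cname:
            findings.append(f"dkim-missing:{sel}")
        # Trailing period or whitespace: flagged per the Step 3 troubleshooting list.
        elif cname[0] != cname[0].strip() or cname[0].endswith("."):
            findings.append(f"dkim-malformed-value:{sel}")
    # A subdomain record takes precedence; otherwise the apex record applies.
    dmarc = [v for n in (f"_dmarc.{sending}", f"_dmarc.{apex}")
             for v in values(n, "TXT") if v.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append("dmarc-missing")
    elif "rua" not in parse_tags(dmarc[0]):
        findings.append("dmarc-no-rua")  # no reports means no visibility
    return findings

# Constructed zone data (hypothetical export format: name -> [(type, value)]).
BROKEN = {
    "send.yourbrand.com": [("TXT", "v=spf1 include:_spf.klaviyo.com ~all"),
                           ("TXT", "v=spf1 include:_spf.othervendor.com ~all")],
    "klaviyo1._domainkey.send.yourbrand.com": [("CNAME", "dkim.klaviyomail.com")],
    "klaviyo2._domainkey.send.yourbrand.com": [("CNAME", "dkim2.klaviyomail.com ")],
    "_dmarc.yourbrand.com": [("TXT", "v=DMARC1; p=none; pct=100")],
}
```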

Verifying Your Setup End to End

Once SPF, DKIM, and DMARC are configured, verify with three checks:

1. In Klaviyo: Account > Settings > Domains and Hosting should show SPF and DKIM as authenticated.

2. External DMARC check: Run your domain through our DMARC check tool for an independent verification of all three records.

3. Send a test campaign to Gmail, Yahoo, and Outlook: View the email headers. You should see spf=pass, dkim=pass, and dmarc=pass in the authentication results.

If any of these fail, fix them before sending another campaign. The authentication problem compounds: every send to a major mailbox provider with a failing setup builds reputation damage that takes weeks to recover.
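An added example (not from the original guide) of the header check in item 3: it reads the Authentication-Results header of a saved test message and confirms the three verdicts. The message is constructed, `mx.example.net` stands in for your mailbox provider's server identifier, and alignment is simplified to a suffix match against the domain you pass in rather than a Public Suffix List lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed test message (not captured from a real mailbox).
RAW = """Authentication-Results: mx.example.net;
 dkim=pass header.i=@send.yourbrand.com header.s=klaviyo1;
 spf=pass smtp.mailfrom=bounce.send.yourbrand.com;
 dmarc=pass (p=NONE) header.from=send.yourbrand.com
From: Your Brand <hello@send.yourbrand.com>
Subject: test campaign

body
"""

def under(domain, org):
    """True if domain is org or one of its subdomains (simplified alignment)."""
    return domain == org or domain.endswith("." + org)

def check_auth(raw, authserv_id, org_domain):
    """Verdicts from the trusted receiver's Authentication-Results header, or None."""
    msg = message_from_string(raw)
    for value in msg.get_all("Authentication-Results", []):
        header = " ".join(value.split())            # unfold continuation lines
        if header.split(";", 1)[0].strip() == authserv_id:
            break
    else:
        return None                                  # no header from that receiver
    verdicts = {}
    for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header):
        verdicts.setdefault(method, set()).add(result.lower())
    passed = {m: "pass" in verdicts.get(m, ()) for m in ("spf", "dkim", "dmarc")}
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    # Identifiers the receiver authenticated: envelope sender and DKIM signer.
    idents = re.findall(r"\b(smtp\.mailfrom|header\.d|header\.i)=(\S+)", header)
    aligned = sorted({k for k, v in idents
                      if under(v.rstrip(";").rpartition("@")[2].lower(), org_domain)})
    ok = all(passed.values()) and under(from_domain, org_domain) and bool(aligned)
    return {"passed": passed, "from_domain": from_domain, "aligned": aligned, "ok": ok}
```

Only a header added by the receiving provider is trustworthy, since a sender can insert its own Authentication-Results line; that is why the function matches on the server identifier before reading any verdict.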

Why This Connects to Revenue

Authentication isn't just a deliverability hygiene checkbox. It's directly tied to revenue. We've seen accounts where fixing SPF/DKIM/DMARC alone -- with no other changes -- moved inbox placement from 78% to 94% over 30 days. On an account doing $80K/month in email-attributed revenue, that's roughly $13K/month of recovered revenue from authentication alone.

For Western Bagel and other accounts we've onboarded, getting authentication right is one of the first three steps. Without it, every flow optimization and campaign improvement compounds against a leaky deliverability foundation.

If your sunset flow and list hygiene aren't keeping pace either -- our retention marketing guide covers how authentication, list hygiene, and engagement segmentation work together as a deliverability system rather than isolated tactics.

[Figure: Before and after the authentication fix, inbox placement improving from 78% to 94% and recovering $13K per month]

FAQ

What is DMARC and why does Klaviyo need it?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a DNS record that tells receiving servers how to handle email that fails SPF or DKIM authentication, and provides reporting on those failures. As of 2024, Gmail and Yahoo require DMARC for bulk senders, and by 2026 it's effectively required for any brand sending meaningful Klaviyo campaign volume.

How do I set up DMARC in Klaviyo?

You don't set up DMARC inside Klaviyo itself -- you set it up in your domain's DNS records. Configure SPF and DKIM in Klaviyo first (Account > Settings > Domains and Hosting), then add a DMARC TXT record at _dmarc.yourbrand.com starting with policy p=none and an rua address for reports. Tighten to p=quarantine and eventually p=reject over 8-12 weeks of monitoring.

What DMARC policy should I use for my ecommerce store?

Start with p=none for at least 4 weeks to monitor authentication without affecting deliverability. Once authentication pass rates are consistently 95%+, move to p=quarantine at 10%, then 25%, then 100% over 4-6 weeks. The final goal is p=reject, which protects your domain from spoofing and unlocks BIMI eligibility for inbox logo display.

How long does Klaviyo DMARC setup take?

The DNS configuration takes 30-60 minutes once you have access to your domain registrar. DNS propagation takes 15-60 minutes for SPF and DKIM. Full DMARC rollout from p=none to p=reject should take 8-12 weeks of monitoring and policy tightening to ensure no legitimate mail is rejected along the way.

Verify Your Authentication Setup Now

Authentication failures are silent revenue leaks. Run your domain through our free DMARC check tool to see exactly which records are missing or misconfigured -- it takes 30 seconds and gives you a prioritized fix list.

For brands that want this handled end-to-end, our Klaviyo Shopify email marketing team treats authentication as part of every onboarding, with full DMARC monitoring and quarterly reviews built in.