How to Set Up DMARC for Mailchimp

Overview

This guide walks you through setting up email authentication for Mailchimp campaigns. By the end, you’ll have configured DKIM and DMARC records that authenticate your marketing emails and improve inbox placement.

Mailchimp updated their authentication requirements in March 2024 to comply with Google and Yahoo sender policies. All senders must now authenticate their domain with DKIM and have a DMARC policy in place.

What You’ll Configure

Protocol	Purpose	Mailchimp Method
DKIM	Adds cryptographic signature to verify message integrity	2 CNAME records
DMARC	Tells receivers how to handle authentication failures	1 TXT record
SPF	Authorizes sending servers	Not required (DKIM handles alignment)

Note: Mailchimp no longer requires SPF configuration. Their system uses DKIM for DMARC alignment, which is sufficient for authentication.

Prerequisites

Before you begin, make sure you have:

• Mailchimp account with a paid plan (authentication available on all paid tiers)
• A custom domain you own (e.g., example.com)
• DNS access to create CNAME and TXT records at your domain registrar
• About 20 minutes for setup, plus up to 48 hours for DNS propagation

You cannot authenticate free email addresses (Gmail, Yahoo, Outlook, etc.). You must use a domain you own.

Step 1: Verify Your Domain in Mailchimp

Before authenticating, Mailchimp requires you to verify domain ownership.

1. Log in to your Mailchimp account
2. Click your profile icon → Account & billing
3. Select Domains from the menu
4. Click Add & Verify Domain
5. Enter an email address at your domain (e.g., [email protected])
6. Click Send Verification Email
7. Check your inbox and click the verification link (or enter the verification code)

Once verified, your domain will show a “Verified” status. This confirms you have access to email at that domain but doesn’t complete authentication yet.

Step 2: Start Domain Authentication

1. On the Domains page, find your verified domain
2. Click Start Authentication (or Authenticate if you see that button)
3. Select your DNS provider from the dropdown
   • If your provider isn’t listed, select Other
4. Click Next

Mailchimp will generate your DNS records.

Step 3: Add DKIM Records (2 CNAME Records)

Mailchimp provides two CNAME records for DKIM. Add both to your DNS.

Understanding the Records

You’ll receive records similar to these:

Type	Host/Name	Value/Points To
CNAME	k1._domainkey.example.com	dkim.mcsv.net
CNAME	k2._domainkey.example.com	dkim2.mcsv.net

The exact values may vary. Always use the values shown in your Mailchimp dashboard.

Adding Records to Common DNS Providers

Cloudflare:

1. Go to your domain → DNS → Records
2. Click Add record
3. Select CNAME as the type
4. For Name, enter k1._domainkey (Cloudflare adds your domain automatically)
5. For Target, enter dkim.mcsv.net
6. Important: Turn OFF the orange proxy cloud (DNS only mode)
7. Click Save
8. Repeat for the second CNAME record (k2)

GoDaddy:

1. Go to My Products → your domain → DNS
2. Click Add in the Records section
3. Select CNAME as the type
4. Enter k1._domainkey as the Host
5. Enter the Points To value from Mailchimp
6. Set TTL to 1 hour
7. Click Save
8. Repeat for k2

Namecheap:

1. Go to Domain List → Manage → Advanced DNS
2. Click Add New Record
3. Select CNAME Record
4. Enter k1._domainkey as the Host
5. Enter the Value from Mailchimp
6. Click the checkmark to save
7. Repeat for k2

AWS Route 53:

1. Go to your hosted zone
2. Click Create record
3. Enter k1._domainkey as the Record name
4. Select CNAME as the Record type
5. Enter the value from Mailchimp
6. Click Create records
7. Repeat for k2

Common Entry Mistakes to Avoid

• Don’t include your full domain if your provider adds it automatically. Enter k1._domainkey not k1._domainkey.example.com
• Don’t enable proxy/CDN for these records (Cloudflare users)
• Don’t add quotes around the CNAME value
• Check for trailing dots — some providers add them automatically

Step 4: Add DMARC Record (1 TXT Record)

Mailchimp requires a DMARC policy. Add this TXT record to your DNS:

Type	Host/Name	Value
TXT	_dmarc	v=DMARC1; p=none; rua=mailto:[email protected]

Replace [email protected] with an email address where you want to receive DMARC aggregate reports.

Important Notes About DMARC

• You can only have one DMARC record per domain
• If you already have a DMARC record, don’t create a second one — your existing record is fine
• Mailchimp’s suggested p=none policy is a starting point for monitoring; you should progress to p=reject over time

If You Already Have DMARC

If your domain already has a DMARC record (from Google Workspace, Microsoft 365, or another service), you don’t need to add another one. Your existing DMARC policy applies to all email from your domain, including Mailchimp.

Check for an existing record:

dig txt _dmarc.example.com

If you see a response starting with v=DMARC1, you’re already set.

Step 5: Verify Authentication in Mailchimp

1. Return to the Mailchimp Domains page
2. Click Next to proceed to verification
3. Mailchimp will check your DNS records
4. Wait for status to show Authenticated

If verification fails:

• Wait 15-30 minutes and try again (DNS propagation time)
• Double-check record names and values for typos
• Ensure CNAME proxy is disabled (Cloudflare users)
• Mailchimp states verification can take up to 48 hours

Once authenticated, you’ll see a green “Authenticated” status next to your domain.

Using Entri for Automatic Setup

Mailchimp offers automated authentication through Entri, which connects directly to your DNS provider.

1. During authentication setup, choose Authenticate with Entri
2. Select your DNS provider
3. Log in to your DNS provider when prompted
4. Entri automatically adds the required records

This method is faster but requires granting temporary access to your DNS settings. It’s a good option if you’re uncomfortable manually adding DNS records.

DMARC Policy Progression

Starting with p=none lets you monitor authentication without affecting delivery. Progress to enforcement over 4-8 weeks:

Week 1-2: Monitoring

v=DMARC1; p=none; rua=mailto:[email protected]

Review DMARC reports to ensure Mailchimp emails pass authentication.

Week 3-4: Quarantine test

v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]

25% of failing emails go to spam. Monitor for false positives.

Week 5-6: Full quarantine

v=DMARC1; p=quarantine; pct=100; rua=mailto:[email protected]

Week 7+: Full enforcement

v=DMARC1; p=reject; rua=mailto:[email protected]

Unauthorized emails are rejected entirely.

Authenticating Multiple Domains

If you send Mailchimp campaigns from multiple domains:

1. Verify and authenticate each domain separately
2. Each domain needs its own DKIM CNAME records
3. Each domain needs its own DMARC record (or an organizational policy on the parent domain)
4. Switch between authenticated domains when creating campaigns

Mailchimp Transactional (Mandrill)

If you use Mailchimp Transactional (formerly Mandrill) for transactional emails, the authentication process is slightly different:

DKIM for Transactional

Add these CNAME records:

Type	Host/Name	Value
CNAME	mte1._domainkey.example.com	dkim1.mandrillapp.com
CNAME	mte2._domainkey.example.com	dkim2.mandrillapp.com

SPF for Transactional (Optional)

For Mailchimp Transactional, you can optionally add SPF:

v=spf1 include:spf.mandrillapp.com ~all

Or add include:spf.mandrillapp.com to your existing SPF record.

Verifying Your Configuration

After setup, verify authentication is working:

Check DKIM Records

dig cname k1._domainkey.example.com
dig cname k2._domainkey.example.com

Both should return Mailchimp’s DKIM servers.

Check DMARC Record

dig txt _dmarc.example.com

Should return your DMARC policy.

Send a Test Campaign

1. Create a test campaign in Mailchimp
2. Send it to a Gmail or Yahoo address you control
3. Open the email and view original headers (Gmail: three dots → Show original)
4. Look for:
   • dkim=pass
   • dmarc=pass

Troubleshooting

”Authentication pending” for more than 48 hours

• Verify CNAME records are published correctly
• Check for typos in record names or values
• Ensure you’re not using a CNAME proxy (Cloudflare)
• Try removing and re-adding the records

Emails going to spam despite authentication

Authentication alone doesn’t guarantee inbox placement. Also check:

• List quality and engagement rates
• Email content and subject lines
• Sending frequency and consistency
• Unsubscribe and complaint rates

”Domain not eligible for authentication”

• Free email domains (Gmail, Yahoo, etc.) cannot be authenticated
• The domain must be verified first before authentication
• Ensure you’re using a domain you own

DMARC reports show Mailchimp failures

• Confirm both DKIM CNAME records are published
• Check that you’re sending from the authenticated domain
• Verify the authentication status shows green in Mailchimp
• Allow 24-48 hours after authentication for all systems to update

Already have DMARC but Mailchimp says it’s missing

Mailchimp checks for a DMARC record but doesn’t validate its contents. If you have a valid DMARC record and Mailchimp doesn’t detect it:

• Wait for DNS propagation
• Verify the record exists with dig txt _dmarc.yourdomain.com
• Contact Mailchimp support if the issue persists

What’s Next

Once your Mailchimp authentication is complete:

1. Monitor DMARC reports for 2-4 weeks before increasing enforcement
2. Authenticate other sending sources (transactional email, CRM, support system)
3. Progress your DMARC policy from p=none to p=reject
4. Review Mailchimp deliverability reports to track authentication success rates

---

Need help monitoring your DMARC reports or troubleshooting authentication issues? Verkh provides guided remediation and identifies which senders need attention. Start free