Defaults.Exposed

Defaults.ExposedIspravciGuides

Mailchimp, Brevo or Klaviyo Emails Failing DMARC? Turn On Real Domain Authentication (2026)

Objavljeno 2026-07-08

Figures as of 2026-06-29 · methodology v7. Aggregate census data across 261 million graded domains. See how we grade.

Newsletter platforms fail DMARC when they send “from” your domain without authenticating as your domain. The fix is the platform’s custom domain authentication — its DKIM CNAMEs, plus a custom bounce domain where offered. The gap is normal: of 740,321 domains authorising SendGrid, only 18.0% enforce DMARC, according to the Defaults.Exposed census of 261,086,232 domains (2026-06-29).

The fix is a few DNS records and ten minutes in your platform’s settings. Below: why the platform’s shared authentication stopped being enough in February 2024, which switch to flip in Mailchimp, Brevo, Klaviyo and SendGrid, and the fix steps in order — including moving off a freemail From address, which no DNS record can rescue.

Why do newsletter emails fail DMARC when the platform says everything is verified?

Because the platform authenticated itself, not you. Out of the box, an ESP sends your campaigns with its own bounce domain on the Return-Path, and often signs DKIM with its own domain too. Receivers evaluate SPF against the Return-Path (RFC5321.MailFrom) domain, not the From header, so SPF passes cleanly… for the platform’s domain.

DMARC doesn’t care whether SPF or DKIM passed in the abstract. It asks whether either one passed for the domain in your From address — that match is called alignment. The ESP’s SPF pass is on its bounce domain, not yours; without custom-domain DKIM, its signature is on its domain, not yours. Nothing aligns, so your From domain fails DMARC — while the platform’s dashboard shows green ticks, because from where it stands, authentication is working. Turning on custom domain authentication (DKIM signed as your domain) is the entire fix. For the full alignment mechanics, see DMARC fails but SPF and DKIM pass.

What changed in February 2024?

Google and Yahoo began enforcing bulk-sender requirements: aligned authentication for the From domain, a published DMARC policy, one-click unsubscribe, and spam-rate limits. The shared-infrastructure shortcut — ride the ESP’s authentication, send from anything — stopped working. Two consequences for newsletter senders:

The full requirement set is in our data article on the Google and Yahoo sender requirements.

What is the switch called in Mailchimp, Brevo, Klaviyo and SendGrid?

Every platform has the same feature under a different name. What it always produces is a small set of CNAME records for your DNS — that’s how you recognise it, whatever the menu says.

PlatformFeature name (approx.)What you add to DNSNotes
MailchimpDomain authenticationDKIM CNAMEs (k2._domainkey, k3._domainkey)DKIM-only alignment — Mailchimp no longer uses an SPF include; do not add one
BrevoAuthenticate your domainDKIM CNAME set + verification recordVerify the current record set in Brevo’s docs at setup
KlaviyoDedicated sending domainDKIM CNAMEs + bounce (Return-Path) subdomainThe dedicated domain gives you SPF alignment too
SendGridDomain authentication (automated security)CNAME set (DKIM + return-path)No SPF include needed — the CNAMEs cover it

Two patterns worth noticing. First, none of these platforms wants an include: added to your SPF record — modern ESP authentication is CNAME-delegated, and a leftover include just burns DNS-lookup budget. Second, CNAME delegation is a feature: the platform rotates its DKIM keys behind the delegated names without you touching DNS again.

How do you fix newsletter DMARC failures, step by step?

  1. Run the free scan at defaults.exposed before touching DNS. It shows your domain’s live SPF, DKIM and DMARC state, so you can see the alignment gap you’re about to close.
  2. Turn on custom domain authentication in the platform (table above). It generates CNAME records specific to your account.
  3. Add the CNAMEs to your DNS exactly as given. The classic mistake: DNS panels that auto-append your zone, turning k2._domainkey.yourdomain.com into k2._domainkey.yourdomain.com.yourdomain.com. Paste the host part only if your panel appends the domain. If the platform later reports “no key for signature”, the selector record didn’t land — see DKIM “no key for signature”.
  4. Set the custom bounce domain (Return-Path) where the platform offers one. This aligns the SPF leg too, giving DMARC two ways to pass. Where it isn’t offered (Mailchimp), aligned DKIM alone is a full DMARC pass — one aligned leg is all DMARC requires.
  5. Move your From address onto your own domain if it’s still on freemail. [email protected], not [email protected]. A requirement, not a preference.
  6. Verify in the platform, then re-scan. Wait for the platform’s check to go green (DNS can take minutes to a few hours), send yourself a campaign, and confirm the headers show DKIM signed by your domain. Then work through anything else flagged on the fix DMARC page — if your domain has no DMARC record at all, that’s the next ten minutes.

How many newsletter senders actually have this right?

The census reads it from the DNS side: for each platform, how many domains authorise it — and how many of those protect the domain doing the sending, according to the Defaults.Exposed census of 261,086,232 domains (2026-06-29).

Platform (SPF target)Domains authorising itDMARC-enforced
SendGrid (sendgrid.net)740,32118.0%
Mailgun (mailgun.org)1,306,69235.9%
Amazon SES (amazonses.com)551,44641.9%

Data as of the 2026-06-29 census. “DMARC-enforced” = the authorising domain publishes p=quarantine or p=reject.

Even at the top of the table, most senders on professional platforms leave the domain unprotected: 41.9% of the 551,446 domains authorising Amazon SES enforce DMARC, 35.9% of Mailgun’s 1,306,692 — and only 18.0% of SendGrid’s 740,321. The infrastructure is professional; the domain protection mostly isn’t. The full provider league — mailbox hosts included — is in which email provider has the strongest SPF.

Frequently asked questions

Do I need to add Mailchimp to my SPF record? No — and don’t. Mailchimp uses DKIM-only alignment via its k2/k3 CNAMEs and no longer publishes an SPF include for customers. An old include:servers.mcsv.net does nothing for DMARC and wastes DNS-lookup budget; the aligned leg here is DKIM.

Will domain authentication get my newsletters out of the spam folder? It removes the biggest cause — unaligned mail on a domain with a DMARC policy — and it’s a hard requirement of the Google/Yahoo rules. It won’t fix list-quality problems: high complaint rates and missing one-click unsubscribe keep mail in spam even when authentication is perfect. Fix authentication first; it’s the part with a definite answer.

Can I keep sending campaigns from my @gmail.com address? No. Freemail providers publish strict DMARC policies precisely so nobody else can send as them, and your ESP can never align with gmail.com. Since February 2024 that mail is rejected or junked at scale. A From address on your own domain is the only route.

I turned on domain authentication — why does DMARC still fail? Usually one of three things: the CNAMEs were mangled by a zone-appending DNS panel (step 3), the campaign’s From domain doesn’t match the domain you authenticated, or a different sending source is failing alongside the newsletter. Across all 261,086,232 domains in the 2026-06-29 census, only 10.59% enforce DMARC at all — if yours does, you’re close; re-scan and read which leg is unaligned.

Does this apply to small lists, under 5,000 emails a day? The strictest thresholds are formally for bulk senders, but receivers apply the authentication basics to everyone, and ESPs now require domain authentication regardless of volume. Treat it as mandatory: it’s a few DNS records, and it stops your campaigns breaking the day your list grows.

Send the owner the report

If you’re fixing this for a client — or you own the newsletter but not the DNS — finish the job with evidence. Re-run the free scan after the CNAMEs land and forward the graded report to the business owner: plain language, dated, DMARC alignment fixed. It’s the artefact that answers the cyber-insurance renewal and the next customer security questionnaire — a documented before-and-after, not “I clicked some buttons in Mailchimp”.

Check your domain → · DMARC fails but SPF and DKIM pass → · Fix DMARC → · Fix DKIM → · How we grade → · Aggregate data only. Data stored and processed in the EU.