How do SPF records and DKIM keys work with multiple email services like Klaviyo and Shopify?
Summary
What email marketers say
10 Marketer opinions
Marketer from Email Geeks shares that SPF is for the SMTP From domain/Return-Path, not the header domain. DKIM can be anything, but ideally should align with the header.
Marketer from Email Geeks explains that one SPF record is needed for each domain used as the bounce/Return-Path domain, listing the services sending from that domain. Each service signing mail will produce a DKIM key, with the number of DKIM keys depending on Klaviyo's signing setup.
Email marketer from EasyDMARC responds stating that DKIM works using a pair of keys, one public and one private. The private key is used to create a digital signature which is then attached to the outbound email. Recipient servers retrieve the public key from a domain’s DNS records to decrypt the signature. If it matches, authentication passes.
Email marketer from Mailjet explains that when using multiple ESPs like Klaviyo and Shopify, you need to ensure your SPF record includes both ESPs' servers. DKIM requires generating unique keys for each service and adding them to your DNS records. They emphasize the importance of properly configuring both SPF and DKIM for each service to maintain good deliverability.
Email marketer from LinkedIn shares that each provider must have its own DKIM key, and they need to be set up in the DNS records. Additionally, it's important to set up DMARC to ensure that mail is authenticated and that you are compliant with Google and Yahoo's new requirements for 2024.
Email marketer from Reddit shares that the SPF record should have include statements for each email service provider like Shopify and Klaviyo. The user advises checking the specific SPF syntax required by each service's documentation. They cautioned about exceeding the SPF 10 DNS lookup limit.
Email marketer from EmailOctopus explains that when you start adding multiple services to your SPF record, it can increase the risk of DNS lookup failures due to the 10 DNS lookup limit. They recommend using include statements and making sure the record doesn't exceed the limit.
Email marketer from StackExchange shares that each service (Klaviyo, Shopify, etc.) has its own DKIM key, and you need to create multiple DKIM records in your DNS. They emphasized using unique selectors for each DKIM key to differentiate between the services.
Email marketer from AuthSMTP responds stating that it is impossible to have more than one SPF record. If you have more than one then it will invalidate the entire record which will negatively affect your mail delivery.
Email marketer from DNS Records responds stating that you should add all the services into one SPF record and use include records to link to the relevant hostnames.
What the experts say
4 Expert opinions
Expert from Email Geeks explains that there should be different SPF records for each platform, and the bounce domain might not match the main domain.
Expert from Word to the Wise explains that when using multiple ESPs, you need to make sure that the appropriate DNS entries for authentication are in place for each service to avoid deliverability issues.
Expert from Email Geeks states that you cannot use the same bounce string for different ESPs, as it will send bounces to the wrong place.
Expert from Spam Resource emphasizes that for Klaviyo, DKIM matters most for authentication and deliverability.
What the documentation says
4 Technical articles
Documentation from Google Workspace Admin Help explains that an SPF record lists authorized sending sources for your domain. When using multiple services, the SPF record should include mechanisms (like 'include:') for each service to indicate they are permitted to send emails on behalf of your domain. The SPF record should be placed in a TXT record in your DNS settings.
Documentation from Microsoft explains the importance of the Sender Policy Framework (SPF) record for email authentication. SPF records allow mail systems to verify that mail claiming to come from your domain really is coming from your domain. This helps prevent spoofing. A valid SPF record requires that you use a TXT record type and that the SPF record itself adheres to the syntax laid out in RFC 7208.
Documentation from SparkPost explains that SPF authentication works by verifying that your sending email addresses are allowed to send mail from your sending domains. To do this, you must publish a list of authorized sending mail servers or hostnames in your domain's public DNS records.
Documentation from Cloudflare explains that DKIM keys generated by each email service should be added to the DNS records. When using multiple services like Shopify and Klaviyo, you'll have multiple DKIM records. The documentation stresses the importance of the correct key length and selector usage to avoid authentication issues.
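The single-SPF-record rule and the 10 DNS lookup limit raised in the opinions above can be checked mechanically before a second sending service is added. The following is an added example, not code from any of the quoted sources: it audits a constructed in-memory zone, and the hostnames (`shop.example`, `_spf.esp-a.example`, `_spf.esp-b.example`) are placeholders rather than any provider's real include targets.

```python
import re

# Constructed sample zone (name -> TXT strings); all hostnames are placeholders.
ZONE = {
    "shop.example": ["v=spf1 include:_spf.esp-a.example include:_spf.esp-b.example ~all",
                     "site-verification=constructed-value"],
    "_spf.esp-a.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf2.esp-a.example -all"],
    "_spf2.esp-a.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_spf.esp-b.example": ["v=spf1 a mx ip4:203.0.113.0/24 -all"],
    # Misconfiguration: one SPF record per service instead of one merged record.
    "dup.example": ["v=spf1 include:_spf.esp-a.example ~all",
                    "v=spf1 include:_spf.esp-b.example ~all"],
}

# Terms that cost a DNS lookup under RFC 7208 (ip4, ip6 and all do not).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?")

def spf_records(name, zone):
    """Return only the TXT strings at `name` that are SPF records."""
    return [t for t in zone.get(name, []) if t.lower().split()[:1] == ["v=spf1"]]

def audit(domain, zone, limit=10):
    """Return (status, lookups) for the SPF record at `domain`, following includes."""
    lookups = 0

    def walk(name, chain):
        nonlocal lookups
        recs = spf_records(name, zone)
        if len(recs) > 1:
            return f"permerror: {len(recs)} SPF records at {name}"
        if not recs:
            return f"no SPF record at {name}"
        for term in recs[0].split()[1:]:
            m = TERM.match(term.lower())
            if not m or m.group(1) not in LOOKUP_TERMS:
                continue
            lookups += 1
            if lookups > limit:
                return f"permerror: more than {limit} DNS lookups"
            target = m.group(2)
            if m.group(1) in ("include", "redirect") and target:
                if target in chain:
                    return f"permerror: include loop at {target}"
                err = walk(target, chain | {target})
                if err:
                    return err
        return None

    return (walk(domain, {domain}) or "ok", lookups)
```

Nested includes count toward the same budget, which is why two services that each look small can exceed the limit once merged into one record.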