How do SPF records and DKIM keys work with multiple email services like Klaviyo and Shopify?

Summary

When utilizing multiple email services such as Klaviyo and Shopify, it is crucial to properly configure both SPF and DKIM records to ensure optimal email deliverability and prevent spoofing. Each service requires its own DKIM key, and these keys must be set up correctly in the DNS records, utilizing unique selectors for differentiation. Although some sources suggest separate SPF records for each platform, the prevailing guidance indicates that a single SPF record that includes all authorized sending sources—using the 'include:' mechanism for each service—is the correct approach. The SPF record should be placed in a TXT record within the DNS settings and pertain to the bounce or Return-Path domain. It's essential to avoid exceeding the SPF 10 DNS lookup limit and to adhere to SPF syntax guidelines outlined in RFC 7208. Furthermore, implementing DMARC is critical for compliance with evolving email authentication standards and for instructing recipient servers on handling unauthenticated mail. For Klaviyo, prioritizing DKIM configuration is especially important.

Key findings

  • Unique DKIM Keys per Service: Each email service requires a unique DKIM key, ensuring proper authentication.
  • Single SPF Record with Includes: Use a single SPF record including all services via 'include:' mechanisms to authorize sending sources.
  • SPF and DKIM Importance: Properly configured SPF and DKIM records are essential for email deliverability and reducing spoofing.
  • DMARC Implementation: DMARC should be implemented to ensure compliance with authentication standards and manage unauthenticated mail effectively.
  • Klaviyo DKIM Priority: For Klaviyo, DKIM plays a particularly important role in authentication and deliverability.

Key considerations

  • SPF Record Syntax: Adhere to RFC 7208 guidelines for accurate SPF record syntax.
  • DKIM Selector Uniqueness: Use unique DKIM selectors for each email service to prevent conflicts and authentication failures.
  • SPF Lookup Limit: Manage your SPF record to stay within the 10 DNS lookup limit and avoid authentication issues.
  • Bounce Domain Configuration: Configure SPF records for the bounce or Return-Path domain, which may differ from the header domain.
  • DNS Propagation Time: Allow sufficient time for DNS record changes to propagate fully to avoid temporary authentication failures.
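
The single-record rule and the 10-lookup limit described above can be checked mechanically. The following is an added example, not code from any of the quoted sources: it walks the `include:` chain of an SPF record and counts the terms that RFC 7208 charges against the limit. The zone data, the `.example` hostnames and the function names are constructed for illustration and are not real Klaviyo or Shopify records.

```python
import re

# Constructed zone data: every hostname and address below is a placeholder,
# not a real ESP record. Keys are domains, values are their TXT strings.
ZONE = {
    "bounce.shop.example": ["v=spf1 include:spf.esp-a.example include:spf.esp-b.example ~all"],
    "crowded.shop.example": ["v=spf1 include:spf.esp-a.example include:spf.esp-b.example "
                             "include:spf.esp-c.example ~all"],
    "dup.shop.example": ["v=spf1 include:spf.esp-a.example ~all",
                         "v=spf1 include:spf.esp-b.example ~all"],
    "spf.esp-a.example": ["v=spf1 ip4:192.0.2.0/24 include:pool.esp-a.example -all"],
    "pool.esp-a.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "spf.esp-b.example": ["v=spf1 a mx ip4:203.0.113.0/24 -all"],
    "spf.esp-c.example": ["v=spf1 a mx exists:%{i}.chk.esp-c.example include:spf.esp-b.example -all"],
}
LOOKUP_LIMIT = 10  # RFC 7208, section 4.6.4

class SPFPermError(Exception):
    pass

def spf_record(domain, zone):
    """Return the single SPF record for a domain; zero or several is treated as an error here."""
    found = [t for t in zone.get(domain, []) if t.lower().split(" ")[0] == "v=spf1"]
    if len(found) > 1:
        raise SPFPermError(f"{len(found)} SPF records at {domain}")
    if not found:
        raise SPFPermError(f"no SPF record at {domain}")
    return found[0]

def count_lookups(domain, zone, stack=()):
    """Count the terms that cause DNS queries, following include/redirect targets."""
    if domain in stack:
        raise SPFPermError(f"include loop at {domain}")
    total = 0
    for term in spf_record(domain, zone).split()[1:]:
        name, target = re.match(r"([a-z0-9]*)[:=]?([^/]*)", term.lstrip("+-~?").lower()).groups()
        if name in ("a", "mx", "ptr", "exists"):
            total += 1  # one query each; ip4/ip6/all cost nothing
        elif name in ("include", "redirect"):
            total += 1 + count_lookups(target, zone, stack + (domain,))
    return total

def evaluate(domain, zone=ZONE):
    """Return (status, detail) for the SPF record published at a bounce domain."""
    try:
        n = count_lookups(domain, zone)
    except SPFPermError as exc:
        return ("permerror", str(exc))
    if n > LOOKUP_LIMIT:
        return ("permerror", f"{n} DNS lookups exceeds limit of {LOOKUP_LIMIT}")
    return ("ok", f"{n} DNS lookups")
```

Nested includes inside a provider's own record count toward the limit too, which is why a record with only three `include:` terms can still fail.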

What email marketers say
10 marketer opinions

When using multiple email services like Klaviyo and Shopify, proper configuration of SPF and DKIM is crucial for maintaining email deliverability. Each service requires its own DKIM key, and these keys must be correctly set up in the DNS records, using unique selectors to differentiate between services. The SPF record should include all authorized sending sources, using 'include:' mechanisms for each ESP. While multiple SPF records are not allowed, a single SPF record should include all authorized sending services. It's important to avoid exceeding the SPF 10 DNS lookup limit when adding multiple services. DMARC should also be configured to ensure compliance with new email authentication requirements.

Key opinions

  • Unique DKIM Keys: Each email service (Klaviyo, Shopify, etc.) must have its own DKIM key.
  • Single SPF Record: A single SPF record should include all authorized sending services using 'include:' mechanisms.
  • DNS Lookup Limit: Avoid exceeding the SPF 10 DNS lookup limit by efficiently managing SPF records.
  • DMARC Importance: Implementing DMARC ensures proper authentication and compliance with new email requirements.

Key considerations

  • SPF Syntax: Check the specific SPF syntax required by each email service provider's documentation.
  • DKIM Selectors: Use unique selectors for each DKIM key to differentiate between email services.
  • Authentication Alignment: DKIM should ideally align with the header 'from' domain.
  • DMARC Policy: Implement a DMARC policy to tell receiving servers how to handle unauthenticated mail.
Marketer view

Marketer from Email Geeks shares that SPF is for the SMTP from domain/Return-Path, not the header domain. DKIM can be anything, but ideally should align with the header.

March 2023 - Email Geeks
Marketer view

Marketer from Email Geeks explains that one SPF record is needed for each domain used as the bounce/Return-Path domain, listing the services sending from that domain. Each service signing mail will produce a DKIM key, with the number of DKIM keys depending on Klaviyo's signing setup.

July 2021 - Email Geeks
Marketer view

Email marketer from EasyDMARC responds stating that DKIM works using a pair of keys, one public and one private. The private key is used to create a digital signature which is then attached to the outbound email. Recipient servers retrieve the public key from a domain’s DNS records to decrypt the signature. If it matches, authentication passes.

July 2022 - EasyDMARC
Marketer view

Email marketer from Mailjet explains that when using multiple ESPs like Klaviyo and Shopify, you need to ensure your SPF record includes both ESPs' servers. DKIM requires generating unique keys for each service and adding them to your DNS records. They emphasize the importance of properly configuring both SPF and DKIM for each service to maintain good deliverability.

July 2024 - Mailjet
Marketer view

Email marketer from LinkedIn shares that each provider must have its own DKIM key, and they need to be set up in the DNS records. Additionally, it's important to set up DMARC to ensure that mail is authenticated and that you are compliant with Google and Yahoo's new requirements for 2024.

December 2023 - LinkedIn
Marketer view

Email marketer from Reddit shares that the SPF record should have include statements for each email service provider like Shopify and Klaviyo. The user advises checking the specific SPF syntax required by each service's documentation. They cautioned about exceeding the SPF 10 DNS lookup limit.

May 2021 - Reddit
Marketer view

Email marketer from EmailOctopus explains that when you start adding multiple services to your SPF records, it can increase the risk of DNS lookup failures due to the 10 DNS lookup limit. They recommend using include statements and making sure the record doesn't exceed the limit.

October 2024 - EmailOctopus
Marketer view

Email marketer from StackExchange shares that each service (Klaviyo, Shopify, etc.) has its own DKIM key, and you need to create multiple DKIM records in your DNS. They emphasized using unique selectors for each DKIM key to differentiate between the services.

April 2022 - StackExchange
Marketer view

Email marketer from AuthSMTP responds stating that it is impossible to have more than one SPF record. If you have more than one then it will invalidate the entire record which will negatively affect your mail delivery.

October 2021 - AuthSMTP
Marketer view

Email marketer from DNS Records responds stating that you should add all the services into one SPF record and use include records to link to the relevant hostnames.

September 2024 - DNS Records

What the experts say
4 expert opinions

When using multiple email services like Klaviyo and Shopify, it's critical to have the correct DNS entries for each service to avoid deliverability issues. Each platform should ideally have its own SPF record, and you cannot use the same bounce string for different ESPs. For Klaviyo, DKIM is particularly important for authentication and deliverability.

Key opinions

  • Separate SPF Records: Ideally, each platform should have its own SPF record.
  • Unique Bounce Strings: You cannot use the same bounce string for multiple ESPs.
  • DKIM Importance for Klaviyo: DKIM is particularly important for authentication and deliverability when using Klaviyo.
  • Correct DNS Entries: It's essential to ensure that the appropriate DNS entries for authentication are in place for each ESP.

Key considerations

  • Bounce Domain: The bounce domain might not match the main domain, which can impact SPF configuration.
  • Deliverability: Incorrect DNS configurations for multiple ESPs can lead to deliverability problems.
Expert view

Expert from Email Geeks explains that there should be different SPF records for each platform, and the bounce domain might not match the main domain.

October 2024 - Email Geeks
Expert view

Expert from Word to the Wise explains that when using multiple ESPs, you need to make sure that the appropriate DNS entries for authentication are in place for each service to avoid deliverability issues.

June 2023 - Word to the Wise
Expert view

Expert from Email Geeks states that you cannot use the same bounce string for different ESPs, as it will send bounces to the wrong place.

June 2021 - Email Geeks
Expert view

Expert from Spam Resource emphasizes that for Klaviyo, DKIM matters most for authentication and deliverability.

November 2023 - Spam Resource

What the documentation says
4 technical articles

When using multiple email services like Klaviyo and Shopify, both SPF and DKIM records play critical roles in email authentication. SPF records, published as TXT records in your DNS settings, list authorized sending sources for your domain. For multiple services, include mechanisms like 'include:' for each one. DKIM involves adding keys generated by each service to DNS records, ensuring the correct key length and selector usage. Proper SPF configuration prevents spoofing by verifying that emails claiming to be from your domain are actually sent by authorized servers.

Key findings

  • SPF Records List Authorized Sources: SPF records list authorized sending sources for your domain, preventing email spoofing.
  • TXT Record Type: SPF records are implemented using a TXT record in your DNS settings.
  • Multiple DKIM Records: Multiple services require multiple DKIM records, each with the correct key length and selector.
  • Include Mechanism for SPF: Use the 'include:' mechanism in your SPF record to authorize multiple email services.

Key considerations

  • SPF Syntax: Adhere to the syntax as laid out in RFC 7208 for SPF record format.
  • DKIM Key Length and Selectors: Ensure correct key length and selector usage for DKIM to avoid authentication issues.
  • DNS Propagation: Allow sufficient time for DNS changes to propagate after adding or modifying records.
Technical article

Documentation from Google Workspace Admin Help explains that an SPF record lists authorized sending sources for your domain. When using multiple services, the SPF record should include mechanisms (like 'include:') for each service to indicate they are permitted to send emails on behalf of your domain. The SPF record should be placed in a TXT record in your DNS settings.

February 2022 - Google Workspace Admin Help
Technical article

Documentation from Microsoft explains the importance of the Sender Policy Framework (SPF) record for email authentication. SPF records allow mail systems to verify that mail claiming to come from your domain really is coming from your domain. This helps prevent spoofing. A valid SPF record requires that you use a TXT record type and that the SPF record itself must adhere to the syntax as laid out in RFC 7208.

October 2023 - Microsoft
Technical article

Documentation from SparkPost explains that SPF authentication works by verifying that your sending email addresses are allowed to send mail from your sending domains. To do this, you must publish a list of authorized sending mail servers or hostnames in your domain's public DNS records.

August 2021 - SparkPost
Technical article

Documentation from Cloudflare explains that DKIM keys generated by each email service should be added to the DNS records. When using multiple services like Shopify and Klaviyo, you'll have multiple DKIM records. The documentation stresses the importance of the correct key length and selector usage to avoid authentication issues.

May 2021 - Cloudflare