What SPF, DKIM, and DMARC settings are needed for Klaviyo and BigCommerce transactional emails?

Summary

To ensure reliable deliverability for Klaviyo and BigCommerce transactional emails, prioritize proper configuration of SPF, DKIM, and DMARC. Begin by setting up SPF and DKIM records in your DNS with values provided by Klaviyo. For SPF, include all authorized sending sources, staying mindful of the 10 DNS lookup limit. DKIM involves key generation and DNS publication. Implement DMARC, starting with a 'p=none' policy to monitor traffic before gradually increasing restriction. Consider using dedicated sending domains and ensure all websites use TLS encryption. Validate your setup using tools like Mail-tester.com. Transactional emails require the same level of authentication as marketing emails. Also be aware of how subdomain DMARC policies interact with the root domain.

Key findings

  • Authentication: SPF and DKIM authentication are critical; prioritize DKIM if choosing only one.
  • DMARC: Implement DMARC gradually, starting with 'p=none' to avoid blocking legitimate emails.
  • SPF Record: Include all authorized sending sources in your SPF record, staying within the 10 DNS lookup limit.
  • SSL/TLS: Use SSL/TLS on all websites.
  • Validation: Test SPF, DKIM and DMARC using available tools.

Key considerations

  • ISP Filtering: Some ISPs reject emails without DKIM.
  • Subdomains: Be mindful of the interactions between DMARC for the root domain and subdomains.
  • Dedicated Domains: Consider using dedicated sending domains for transactional emails.
  • BigCommerce Reliance: BigCommerce relies on email providers like Klaviyo to handle authentication.
  • DMARC Policy Impact: Improper DMARC deployment can cause delivery issues.
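The 10 DNS lookup limit mentioned above is easiest to reason about by counting. The following is an added example, not taken from the original page or from any provider's documentation; every domain and record in `ZONE` is a constructed placeholder, and the function names are hypothetical. It counts the SPF terms that trigger a DNS query (RFC 7208, section 4.6.4), following nested `include:` and `redirect=` records.

```python
import re

# Constructed TXT records; every domain below is a placeholder, not a real provider value.
ZONE = {
    "shop.example": "v=spf1 include:_spf.esp-a.example include:_spf.esp-b.example mx ~all",
    "crowded.example": "v=spf1 include:_spf.esp-a.example include:_spf.esp-b.example "
                       "include:_spf.esp-c.example mx ~all",
    "_spf.esp-a.example": "v=spf1 include:_nb1.esp-a.example include:_nb2.esp-a.example ~all",
    "_nb1.esp-a.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_nb2.esp-a.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_spf.esp-b.example": "v=spf1 a mx -all",
    "_spf.esp-c.example": "v=spf1 a:out1.esp-c.example a:out2.esp-c.example mx ~all",
}
LOOKUP_LIMIT = 10                                  # RFC 7208, section 4.6.4
COUNTED = {"include", "a", "mx", "ptr", "exists"}  # mechanisms that trigger a DNS query


def count_lookups(domain, zone=ZONE, path=()):
    """Count DNS-querying terms reachable from `domain`, following include and redirect."""
    if domain in path:
        raise ValueError("SPF loop: " + " -> ".join(path + (domain,)))
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        raise LookupError(f"no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?").lower()          # drop the qualifier
        if term.startswith("redirect="):
            total += 1 + count_lookups(term[len("redirect="):], zone, path + (domain,))
            continue
        name, target = re.match(r"([a-z0-9]+)(?::([^/]+))?", term).groups()
        if name in COUNTED:
            total += 1
        if name == "include":                       # nested record counts too
            total += count_lookups(target, zone, path + (domain,))
    return total


def within_limit(domain, zone=ZONE):
    """Return (lookups, ok); ok is False when a receiver would return permerror."""
    n = count_lookups(domain, zone)
    return n, n <= LOOKUP_LIMIT


if __name__ == "__main__":
    for d in ("shop.example", "crowded.example"):
        print(d, within_limit(d))
```

In the constructed data, adding a third provider takes the record from 7 lookups to 11, even though the top-level record lists only three `include:` terms and one `mx`.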

What email marketers say
11 marketer opinions

To properly configure SPF, DKIM, and DMARC for Klaviyo and BigCommerce transactional emails, it's crucial to authenticate your sending domains. This involves creating SPF records that include all authorized sending sources, such as Klaviyo and any other third-party email services, and DKIM records for email signing. Implementing DMARC with a gradual policy shift from 'p=none' to 'p=reject' helps protect against spoofing. Using dedicated sending domains, deploying SSL, and validating sending subdomains are also recommended. Tools like Mail-tester.com can be used to verify the setup.

Key opinions

  • Authentication: Full SPF and DKIM authentication and alignment are beneficial for deliverability.
  • DMARC Policy: Implement DMARC, starting with a 'p=none' policy and gradually moving to 'p=reject'.
  • SSL Deployment: Deploy SSL on all possible domains and subdomains.
  • Website Validation: Ensure sending domains resolve to a legitimate website.
  • Multiple Services: When using multiple email services, include all authorized sending sources in the SPF record.

Key considerations

  • ISP Rejection: Some ISPs might reject emails without DKIM.
  • DMARC Risks: Incorrect DMARC implementation can cause delivery issues.
  • Dedicated Domains: Using dedicated sending domains can isolate reputation.
  • SPF Limit: Avoid exceeding the 10 DNS lookup limit in SPF records.
  • Testing: Use tools to validate SPF, DKIM, and DMARC setup.
Marketer view

Email marketer from Mailerlite explains that DMARC helps protect your brand from email spoofing and phishing attacks. By implementing DMARC, you instruct email providers on how to handle emails that fail SPF and DKIM checks, reducing the risk of malicious emails being sent from your domain.

October 2021 - Mailerlite
Marketer view

Email marketer from EmailGeek Forum explains that you should start with a DMARC policy of 'p=none' to monitor your email traffic and identify any issues with SPF and DKIM. Then, gradually move to 'p=quarantine' and eventually 'p=reject' once you are confident in your email authentication setup.

October 2023 - EmailGeek Forum
Marketer view

Email marketer from Stackoverflow shares that when using multiple email services (like Klaviyo and BigCommerce transactional emails), your SPF record needs to include all authorized sending sources. This is done using the 'include:' mechanism, listing each service's SPF record.

May 2024 - Stackoverflow
Marketer view

Email marketer from Email Geeks advises deploying SSL on all possible domains and recommends that your sending domain resolve to a legitimate website.

May 2023 - Email Geeks
Marketer view

Email marketer from Reddit explains that SPF records should include all servers that are authorized to send emails on behalf of your domain. This often includes Klaviyo's sending servers, as well as any other third-party email services.

August 2021 - Reddit
Marketer view

Email marketer from PostmarkApp recommends using dedicated sending domains for transactional emails to isolate reputation and improve deliverability.

October 2023 - PostmarkApp
Marketer view

Email marketer from SparkPost shares that BIMI (Brand Indicators for Message Identification) requires DMARC to be properly set up to display your brand logo in email inboxes.

August 2023 - SparkPost
Marketer view

Email marketer from Gmass explains that tools like Mail-tester.com can be used to check your SPF, DKIM, and DMARC setup. These tools analyze your email headers and provide feedback on any issues.

March 2022 - Gmass
Marketer view

Email marketer from Email Geeks shares that a DMARC policy should be there, but which policy depends on the level of implementation. It is advised to start with p=none and, when you are certain that everything is working as intended, slowly move to p=reject.

December 2023 - Email Geeks
Marketer view

Email marketer from EasyDMARC details that SPF records should start with 'v=spf1' and end with a mechanism like '-all' or '~all'. The '-all' mechanism tells receiving servers to reject emails that don't match the SPF record, while '~all' indicates a soft fail.

April 2023 - EasyDMARC
Marketer view

Email marketer from Email Geeks shares that full authentication and alignment won't hurt to do. Some ISPs simply reject your mail without DKIM, some will send it to the spam folder, and Gmail, for example, will display "Sent via unsigned.domain.com" as a warning on your emails. SPF in theory does not matter much, but there are old installations of Microsoft Exchange mail servers out there that check SPF on the mail.from domain and reject mail if it fails the SPF check.

April 2022 - Email Geeks

What the experts say
7 expert opinions

Configuring SPF, DKIM, and DMARC for Klaviyo and BigCommerce transactional emails requires careful attention to authentication and alignment. While spam filters may not directly prioritize SPF or DKIM, they contribute to building a positive sender reputation. Either SPF or DKIM alignment is essential, with DKIM being the preferred option. Transactional emails need as much authentication as marketing emails. Subdomain interactions with root domain DMARC policies need consideration. Avoid exceeding the SPF 10 DNS lookup limit, and start with a 'p=none' DMARC policy to monitor traffic before implementing stricter policies. Ensure all websites use TLS encryption.

Key opinions

  • Authentication Importance: SPF and DKIM are crucial for building a positive sender reputation, even if spam filters don't directly rely on them.
  • DKIM Preference: Prioritize DKIM alignment if choosing between SPF and DKIM.
  • Transactional Email Authentication: Ensure transactional emails are authenticated as strongly as marketing emails.
  • TLS Encryption: All websites should use TLS encryption.

Key considerations

  • Subdomain DMARC: Consider interactions between DMARC policies for the root domain and subdomains.
  • SPF Lookup Limit: Avoid exceeding the 10 DNS lookup limit in SPF records to prevent failures.
  • DMARC Deployment: Start with a 'p=none' DMARC policy and monitor traffic to avoid blocking legitimate emails.
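How a root-domain DMARC record interacts with subdomains, and what relaxed alignment means, can be shown with a short resolver. This is an added example, not code from the original page or from any provider; the TXT records and domains are constructed placeholders, the function names are hypothetical, and `org_domain` assumes the organizational domain is the last two labels (real receivers use the Public Suffix List). It relies on the `sp` tag defined in RFC 7489, which sets the policy for subdomains that publish no record of their own.

```python
# Constructed TXT records for illustration; all domains are placeholders.
DMARC_TXT = {
    "_dmarc.shop.example": "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@shop.example",
    "_dmarc.news.shop.example": "v=DMARC1; p=none; rua=mailto:dmarc@shop.example",
}


def org_domain(domain):
    """Assumption: the organizational domain is the last two labels.
    Real receivers derive it from the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a usable DMARC record."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def effective_policy(from_domain, txt=DMARC_TXT):
    """Return (policy, record_name) a receiver applies to this From: domain (RFC 7489, 6.6.3)."""
    from_domain = from_domain.lower().rstrip(".")
    own = parse_dmarc(txt.get("_dmarc." + from_domain, ""))
    if own:                                   # the subdomain's own record wins
        return own["p"].lower(), "_dmarc." + from_domain
    org = org_domain(from_domain)
    parent = parse_dmarc(txt.get("_dmarc." + org, "")) if org != from_domain else None
    if parent:                                # fall back to the organizational domain
        return parent.get("sp", parent["p"]).lower(), "_dmarc." + org
    return None, None                         # no DMARC policy published


def aligned(from_domain, auth_domain, strict=False):
    """auth_domain is the DKIM d= domain or the SPF MAIL FROM domain that passed."""
    if strict:
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


if __name__ == "__main__":
    for d in ("shop.example", "news.shop.example", "orders.shop.example"):
        print(d, effective_policy(d))
    print(aligned("orders.shop.example", "mail.shop.example"))
```

With the constructed records, a transactional subdomain that publishes no record of its own inherits `sp=quarantine` from the root, while a subdomain with its own `p=none` record is unaffected by the root's `p=reject`.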
Expert view

Expert from Spamresource explains that for SPF records it's important to understand the 10 DNS lookup limit. Including too many services in your SPF record can cause it to exceed this limit, leading to SPF failures.

June 2023 - Spamresource
Expert view

Expert from Email Geeks shares that you shouldn’t be deploying any website that’s not using TLS, as it’s 2020 and certificates are free.

March 2021 - Email Geeks
Expert view

Expert from Email Geeks explains that you absolutely _have_ to have one of SPF or DKIM aligned, and if you can only do one and have a choice, aim for DKIM.

July 2023 - Email Geeks
Expert view

Expert from Email Geeks shares that transactional emails are at least as important to get authentication on as the marketing emails.

April 2024 - Email Geeks
Expert view

Expert from Email Geeks explains that spam filters mostly don’t care about SPF or DKIM but they help identify your mail stream to build a reputation of sending wanted mail.

September 2024 - Email Geeks
Expert view

Expert from Word to the Wise shares that when deploying DMARC, start with a 'p=none' policy to monitor your email traffic and identify legitimate sending sources before moving to more restrictive policies. This helps prevent unintentional blocking of legitimate emails.

April 2024 - Word to the Wise
Expert view

Expert from Email Geeks shares that if you're sending from subdomains you may need to pay attention to the interactions between DMARC for the root domain and the subdomain. Also, don't forget that "aligned" just means (ish) share a common parent domain.

March 2022 - Email Geeks

What the documentation says
5 technical articles

Configuring SPF, DKIM, and DMARC for Klaviyo and BigCommerce transactional emails requires setting up SPF and DKIM records in your DNS settings using TXT records with specific values provided by Klaviyo. DKIM involves generating a private key, signing emails, and publishing the public key in DNS. Microsoft recommends PowerShell and CNAME records for DKIM configuration. BigCommerce relies on the email provider (like Klaviyo) for authentication. DMARC records define policies (none, quarantine, reject) for handling authentication failures.

Key findings

  • SPF/DKIM Setup: Klaviyo requires setting up SPF and DKIM records via TXT records in DNS.
  • DKIM Key Generation: DKIM involves generating a private key and publishing a public key in DNS.
  • DMARC Policy: DMARC records specify policies for handling email authentication failures.

Key considerations

  • BigCommerce Reliance: BigCommerce relies on the chosen email provider (e.g., Klaviyo) for SPF/DKIM management.
  • Microsoft DKIM: Microsoft DKIM setup may require PowerShell and CNAME records.
Technical article

Documentation from AuthSMTP shares that DKIM involves generating a private key, using it to sign your emails, and then publishing the corresponding public key in your DNS as a TXT record. This allows receiving servers to verify the authenticity of your emails.

December 2021 - AuthSMTP
Technical article

Documentation from BigCommerce explains how to set up transactional emails. While they don't manage SPF/DKIM, they recommend ensuring that your chosen email provider (like Klaviyo) has proper authentication in place.

July 2024 - BigCommerce
Technical article

Documentation from DMARC.org details the syntax of a DMARC record, explaining the meaning of tags like 'v', 'p', 'rua', and 'ruf'. The 'p' tag defines the policy (none, quarantine, reject) for handling emails that fail authentication.

December 2024 - DMARC.org
Technical article

Documentation from Klaviyo explains that to authenticate sending domains in Klaviyo, you need to set up SPF and DKIM records. This involves adding TXT records to your DNS settings with specific values provided by Klaviyo.

August 2023 - Klaviyo
Technical article

Documentation from Microsoft explains that to configure DKIM you need to use PowerShell to create a DKIM key and then use 2 CNAME records to publish this for the receiver to check.

May 2024 - Microsoft