Email deliverability is the least glamorous thing about running a DTC brand and the most decisive. You can have the best-copywritten welcome series in the category and lose 60 percent of it to Promotions tab or spam because your domain is not authenticated. No flow optimization fixes this.
This is the plain-language version of what DMARC, SPF, and DKIM actually are, what each one protects against, and how to configure all three correctly for a DTC Shopify store running Klaviyo. No DNS-record gymnastics. No "it's complicated" hand-waving. Just the walkthrough I actually give clients.
What each one does, in one sentence
- SPF says "these servers are allowed to send email from this domain." If a server sends mail claiming to be from you and it is not on the list, receiving servers can reject or spam-folder it.
- DKIM signs every outgoing email with a cryptographic signature that proves the message was not tampered with in transit and actually came from the stated sender.
- DMARC tells receiving servers what to do when SPF or DKIM checks fail, and reports back to you when they do.
You need all three. Missing any one weakens the chain. Having all three but not aligned properly is worse than having none at all because it produces false signals about deliverability health.
Why Gmail and Yahoo forced this conversation in 2024
In February 2024, Gmail and Yahoo started enforcing authentication requirements for bulk senders. Any sender hitting their domains with more than 5,000 messages per day has to have SPF, DKIM, and DMARC all configured correctly. Failure to authenticate now routes mail to spam automatically.
The practical effect for DTC: every brand sending meaningful email volume now has authentication as a hard requirement, not a best practice. The brands that had it already barely noticed the change. The brands that did not saw sudden 30 to 50 percent open-rate drops because their unauthenticated sends started landing in spam at Gmail and Yahoo.
If your brand has not explicitly verified DMARC, SPF, and DKIM in the last 18 months, assume it is not configured correctly. The default Shopify and Klaviyo setups are partial and do not include DMARC.
SPF: the sender authorization record
SPF is a DNS TXT record on your domain that lists the servers authorized to send email from it. When an email arrives at Gmail claiming to be from you@brand.com, Gmail reads the SPF record at brand.com, sees what servers are listed, and checks whether the sending server is on the list.
A typical SPF record for a Klaviyo + Shopify + Google Workspace brand looks like:
v=spf1 include:_spf.klaviyo.com include:shops.shopify.com include:_spf.google.com -all
The pieces:
- v=spf1 says this is SPF version 1 (there is no version 2).
- Each include: pulls in the SPF record from another service you use: Klaviyo, Shopify for transactional email, and Google for any employee sending.
- -all at the end means "any server not in the above list is unauthorized, reject their mail."
Common mistake: using ~all (soft fail) instead of -all (hard fail). Soft fail tells receiving servers "this probably is not authorized, but maybe let it through." Hard fail says "reject." For a mature DTC brand with a stable sending list, hard fail is correct.
Second common mistake: exceeding the 10-lookup limit. Every include: counts as a lookup, and included records can include their own records. If your SPF chain exceeds 10 total lookups, evaluation of the whole record fails with a permanent error, so receivers treat your SPF as failing even for legitimate servers. Tools like MXToolbox SPF Check will flag this.
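To make the two SPF mistakes above concrete, here is an added example (not code from the article, Klaviyo, or Shopify) that parses an SPF record, walks its include: chain, counts DNS lookups against the limit of 10, and reports the qualifier on the all mechanism. The FAKE_DNS table is a constructed stand-in for real DNS: the record texts for the Klaviyo, Shopify, and Google names are illustrative, not their real published records, and a production version would resolve each include with a DNS library instead.

```python
"""Parse an SPF record and count DNS lookups against the 10-lookup limit.

Added example (not from the article or Klaviyo/Shopify docs). The record
texts below are constructed for illustration; real include targets publish
their own records, so resolve them with DNS in production.
"""
import re

# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 section 4.6.4).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# Constructed stand-in for DNS: domain -> its SPF TXT record.
# Values are illustrative, not the real records of these services.
FAKE_DNS = {
    "brand.com": "v=spf1 include:_spf.klaviyo.com include:shops.shopify.com include:_spf.google.com -all",
    "_spf.klaviyo.com": "v=spf1 ip4:198.51.100.0/24 include:spf.example-esp.net ~all",
    "spf.example-esp.net": "v=spf1 ip4:203.0.113.0/24 -all",
    "shops.shopify.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:192.0.2.128/25 ~all",
    "_netblocks2.google.com": "v=spf1 ip4:198.51.100.128/25 ~all",
}


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1")
    parsed = []
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)([a-zA-Z0-9]+)(?:[:=](.*))?", term)
        if not m:
            raise ValueError(f"unparseable term: {term}")
        qualifier = m.group(1) or "+"  # no qualifier means pass
        parsed.append((qualifier, m.group(2).lower(), m.group(3)))
    return parsed


def count_lookups(domain, resolver=FAKE_DNS, _seen=None):
    """Recursively count the DNS lookups a receiver spends evaluating `domain`."""
    _seen = _seen if _seen is not None else set()
    if domain in _seen:
        return 0  # a loop would be a permerror at a real receiver; stop counting here
    _seen.add(domain)
    record = resolver.get(domain)
    if record is None:
        return 0  # the lookup itself was already counted by the caller
    total = 0
    for _qual, mech, arg in parse_spf(record):
        if mech in LOOKUP_MECHANISMS:
            total += 1
            if mech in ("include", "redirect") and arg:
                total += count_lookups(arg, resolver, _seen)
    return total


def all_qualifier(record):
    """Qualifier on the `all` mechanism: '-' hard fail, '~' soft fail, '+'/'?' pass or neutral."""
    for qual, mech, _arg in parse_spf(record):
        if mech == "all":
            return qual
    return None  # no `all` term: unlisted servers get a neutral result, which is weak


def check_spf(domain, resolver=FAKE_DNS):
    """Findings a deliverability audit would raise for the domain's SPF record."""
    findings = []
    record = resolver[domain]
    lookups = count_lookups(domain, resolver)
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS lookups exceed the limit of {MAX_LOOKUPS}; receivers return permerror")
    qual = all_qualifier(record)
    if qual == "~":
        findings.append("soft fail (~all): unauthorized servers are only flagged, not rejected")
    elif qual in ("+", "?") or qual is None:
        findings.append("no effective `all` restriction: any server passes or is neutral")
    return findings


if __name__ == "__main__":
    print("lookups for brand.com:", count_lookups("brand.com"))
    print("findings:", check_spf("brand.com") or "none")
```

Running it against the constructed table shows brand.com spending 6 of its 10 lookups, which is why a brand that later adds a help desk, a CRM, and a second ESP to the same record can cross the limit without ever editing the include lines it already had.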
DKIM: the cryptographic signature
DKIM adds a cryptographic signature to every outgoing message. The receiving server fetches your public key from DNS, verifies the signature, and confirms the message was not tampered with between send and receipt.
In Klaviyo, DKIM is configured from the account settings under Email > Domains. Klaviyo generates a public/private key pair, gives you two CNAME records to add to your DNS, and handles the signing automatically on every send.
The records look like:
klaviyo1._domainkey.brand.com CNAME dkim.klaviyomail.com
klaviyo2._domainkey.brand.com CNAME dkim2.klaviyomail.com
Once those propagate (usually under an hour), Klaviyo will show "DKIM verified" in the domain settings. That is the signal that the configuration is working.
Common mistake: adding the DKIM records to the wrong domain. If you send email from mail.brand.com but add the DKIM records to brand.com only, they do not apply to your actual sending domain.
Second common mistake: not rotating keys. Klaviyo does not force rotation, but best practice is to rotate DKIM keys annually. Most brands never do and nothing bad happens, but it is a real security hygiene step if you want to be thorough.
DMARC: the policy and the reporting
DMARC is the policy layer. It tells receiving servers what to do when SPF or DKIM checks fail. It also sends you aggregate reports on who is claiming to send from your domain, which is how you catch both misconfigurations and impersonation attempts.
A DMARC record is a DNS TXT record at _dmarc.brand.com. A minimal but useful record looks like:
v=DMARC1; p=none; rua=mailto:dmarc-reports@brand.com
The pieces:
- v=DMARC1 is the version.
- p=none is the policy. "None" means "collect reports but do not enforce." Start here for 30 to 60 days while you verify everything is authenticating correctly.
- rua=mailto: is where aggregate reports are sent.
After 30 to 60 days of clean report data, tighten the policy to p=quarantine (send failing messages to spam) and eventually p=reject (drop failing messages entirely).
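The word "aligned" from earlier in this piece is what DMARC actually evaluates: a passing SPF or DKIM check only counts if the domain it passed for matches the From: header domain, exactly under strict mode or by organizational domain under relaxed mode. The following added example (not code from the article or Klaviyo) parses a DMARC record with the receiver's defaults and evaluates a message the way a receiver would. The domains are constructed; the alignment rules follow RFC 7489, and organizational_domain is a deliberately crude two-label guess where real receivers consult the Public Suffix List.

```python
"""Parse a DMARC record and check identifier alignment the way a receiver does.

Added example, not code from the article or Klaviyo. Domains below are
constructed; alignment rules follow RFC 7489 (relaxed compares organizational
domains, strict requires an exact match).
"""

REQUIRED_TAGS = ("v", "p")
VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=none; rua=mailto:...' into a dict, validating the core tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    for tag in REQUIRED_TAGS:
        if tag not in tags:
            raise ValueError(f"missing required tag {tag}=")
    if tags["v"] != "DMARC1":
        raise ValueError("v= must be DMARC1")
    if tags["p"] not in VALID_POLICIES:
        raise ValueError(f"p= must be one of {VALID_POLICIES}")
    # Defaults a receiver applies when the tag is absent: relaxed alignment, 100 percent.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def organizational_domain(domain):
    """Crude organizational-domain guess: last two labels (real receivers use the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from_domain, auth_domain, mode):
    """True if auth_domain (DKIM d= or SPF envelope domain) aligns with the From: domain."""
    a, b = header_from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


def dmarc_result(record, header_from, dkim_pass_domain=None, spf_pass_domain=None):
    """Evaluate one message: (passes, policy the receiver applies if it does not).

    dkim_pass_domain is the d= of a DKIM signature that verified; spf_pass_domain
    is the envelope-from domain that passed SPF. Pass None for checks that failed.
    """
    tags = parse_dmarc(record)
    dkim_ok = dkim_pass_domain is not None and aligned(header_from, dkim_pass_domain, tags["adkim"])
    spf_ok = spf_pass_domain is not None and aligned(header_from, spf_pass_domain, tags["aspf"])
    passes = dkim_ok or spf_ok  # DMARC needs at least one passing AND aligned check
    return passes, (None if passes else tags["p"])


if __name__ == "__main__":
    rec = "v=DMARC1; p=none; rua=mailto:dmarc-reports@brand.com"
    # Shared-domain case: DKIM and SPF both pass, but for klaviyomail.com, not brand.com.
    print(dmarc_result(rec, "brand.com", dkim_pass_domain="klaviyomail.com", spf_pass_domain="klaviyomail.com"))
    # Dedicated subdomain under relaxed alignment: mail.brand.com aligns with brand.com.
    print(dmarc_result(rec, "brand.com", dkim_pass_domain="mail.brand.com"))
```

The two calls at the bottom are the whole argument for configuring your own DKIM CNAMEs and, later, a dedicated subdomain: authentication that passes for someone else's domain is a DMARC fail for yours, while a subdomain you control passes under the default relaxed alignment.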
The Klaviyo dedicated sending domain
By default, Klaviyo sends email from a shared sending domain (klaviyomail.com). The "from" address looks like it is from your brand, but the underlying infrastructure is shared with other Klaviyo customers. This is fine when you are small. It becomes a problem as you scale.
Around $500K to $1M in annual revenue, it becomes worth setting up a dedicated sending domain. This gives you full control of your domain reputation (independent of other Klaviyo customers) and is a prerequisite for the most aggressive deliverability optimizations.
The dedicated domain is usually a subdomain like mail.brand.com or send.brand.com. Klaviyo walks through the setup in their docs. The setup itself is straightforward. The warmup that follows is the part most brands get wrong.
Warmup: the 30-day ramp most brands skip
A new sending domain has zero reputation. Sending 50,000 emails on day one from a new dedicated domain will produce terrible deliverability because receiving servers do not trust the domain yet. Warmup is the process of building reputation by starting small and ramping up over 30 days.
The simplified warmup schedule for Klaviyo:
- Days 1 to 3: Send only to your most-engaged 500 subscribers (opened in last 7 days).
- Days 4 to 7: Expand to the most-engaged 2,000.
- Days 8 to 14: Expand to most-engaged 10,000.
- Days 15 to 21: Expand to most-engaged 50,000.
- Days 22 to 30: Full list.
The specific volumes scale with your list size. The principle is: start with subscribers who will definitely open, prove the domain is trustworthy, then expand.
Klaviyo has a documented warmup process that automates most of this. Use it. Manual warmup is error-prone.
What breaks when authentication is wrong
Three failure modes, in order of severity.
Failure 1: Gmail Promotions tab routing
Mildest failure. Your emails reach Gmail inboxes but land in the Promotions tab rather than Primary. Open rates drop 20 to 40 percent because subscribers check Promotions less often.
Fix: full authentication (SPF + DKIM + DMARC), sending from a dedicated domain, and a consistent sender identity across campaigns.
Failure 2: Spam folder routing
Medium failure. A meaningful fraction of sends land in spam at one or more providers. Open rates drop 40 to 70 percent depending on which provider.
Fix: full authentication, warmup if applicable, cleanup of unengaged subscribers so you are not sending to people who never open. Win-back and sunset is the flow that handles this cleanly.
Failure 3: Outright rejection
Worst case. Receiving servers reject your mail entirely. Klaviyo reports high bounce rates and marks subscribers as suppressed.
Fix: this is usually a sign of broken SPF, DKIM, or DMARC policy combined with a bad reputation. Recovery involves fixing authentication, moving to a dedicated domain if you were not on one, and running a cleanup + warmup sequence. Expect 30 to 60 days for reputation to recover.
Where this fits
Authentication is the floor for everything else in the Klaviyo lifecycle playbook. The welcome series architecture calls it out as the prerequisite. The transactional deliverability piece covers the specific failure mode I saw on a client project when the transactional stream was misconfigured.
If you are not sure whether your current authentication is correct and you want someone to verify the whole stack, a DTC stack audit includes the deliverability module. It is usually the quickest win in the audit, because the fix is cheap and the impact is immediate.
FAQ
Is Klaviyo's default authentication sufficient?
Partial. Klaviyo provides SPF (via includes) and DKIM (via CNAMEs you configure), but DMARC is your responsibility. Without DMARC, you are missing the policy and reporting layer, and Gmail's 2024 enforcement changes will treat you as unauthenticated for bulk send purposes.
How long does DNS propagation take?
Usually under an hour, occasionally up to 24 hours. Most TLD registrars publish changes in 15 to 45 minutes. Verify with a tool like dig +short TXT _dmarc.brand.com after you publish.
Should I move to a dedicated sending domain?
Around $500K to $1M annual revenue, yes. Below that, Klaviyo's shared infrastructure is usually fine. The dedicated domain gives you isolation from other Klaviyo customers' reputation, at the cost of a 30-day warmup period when you first cut over.
Can I skip the warmup if I am in a hurry?
No. Sending production volume on a cold domain will damage reputation in ways that take months to recover from. The 30-day warmup feels slow; the 90-day recovery from a botched cutover feels much slower.
How do I know my authentication is working?
Klaviyo's domain settings show SPF and DKIM status. For DMARC, use a tool like mxtoolbox.com/dmarc.aspx to verify the record is published correctly. Then check DMARC reports (the ones sent to your rua address) after a week of sending to confirm alignment.
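Reading the rua reports is the step most brands never get to, because they arrive as compressed XML attachments rather than anything human-readable. The added example below (not code from the article, Klaviyo, or any mailbox provider) parses one aggregate report in the RFC 7489 schema and summarizes, per source IP, how much mail passed or failed DMARC and which domains it authenticated for. SAMPLE_REPORT is a constructed report with two constructed sources, not a real Gmail or Yahoo report; real reports arrive as .xml.gz or .zip, so decompress them first and pass the XML text in.

```python
"""Summarize a DMARC aggregate (RUA) report: which sources pass alignment and which do not.

Added example; the XML below is a constructed report in the RFC 7489 aggregate
schema, not a real Klaviyo, Gmail or Yahoo report. Real reports arrive as
.xml.gz or .zip attachments, so decompress them before passing the text in.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>mail-receiver.example</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published>
    <domain>brand.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p>
  </policy_published>
  <record>
    <row>
      <source_ip>198.51.100.10</source_ip>
      <count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>brand.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>brand.com</domain><selector>klaviyo1</selector><result>pass</result></dkim>
      <spf><domain>brand.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.77</source_ip>
      <count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>brand.com</header_from></identifiers>
    <auth_results>
      <spf><domain>unknown-sender.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text):
    """Return {'domain', 'policy', 'sources': {ip: {...}}} with per-IP DMARC pass/fail counts."""
    root = ET.fromstring(xml_text)
    summary = {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "sources": {},
    }
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        # policy_evaluated holds the *aligned* results; auth_results holds raw results.
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        passed = dkim == "pass" or spf == "pass"  # DMARC passes on either aligned check
        src = summary["sources"].setdefault(
            ip, {"passed": 0, "failed": 0, "dkim_domains": set(), "spf_domains": set()}
        )
        src["passed" if passed else "failed"] += count
        for d in rec.findall("auth_results/dkim/domain"):
            src["dkim_domains"].add(d.text)
        for d in rec.findall("auth_results/spf/domain"):
            src["spf_domains"].add(d.text)
    return summary


def failing_sources(summary):
    """IPs whose mail failed DMARC alignment: misconfigured senders or impersonation to investigate."""
    return sorted(ip for ip, s in summary["sources"].items() if s["failed"] > 0)


def pass_rate(summary):
    """Fraction of reported messages that passed DMARC; watch this before tightening p=."""
    total = sum(s["passed"] + s["failed"] for s in summary["sources"].values())
    passed = sum(s["passed"] for s in summary["sources"].values())
    return passed / total if total else 0.0


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    print(f"{s['domain']} p={s['policy']} pass rate {pass_rate(s):.1%}")
    for ip in failing_sources(s):
        print("investigate", ip, s["sources"][ip])
```

In the constructed report the Klaviyo source passes cleanly and a second IP is sending 35 messages a day as brand.com that authenticate only for an unrelated domain. That is exactly the row to resolve before moving from p=none to p=quarantine: either it is a forgotten legitimate sender that needs adding to SPF, or it is someone else using your domain and the stricter policy is what you want.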
