Email Deep Dive

Email Deliverability Setup: SPF, DKIM, DMARC for Every Platform

Email authentication is not optional in 2026. Google and Yahoo require SPF, DKIM, and DMARC for bulk senders. Here is how to set it up on every major email platform.

16 min readUpdated March 2026

Why This Matters Now

Since February 2024, Google and Yahoo require all bulk senders (5,000+ emails/day) to have SPF, DKIM, and DMARC configured. Without them, your emails go to spam or get rejected entirely. Even if you send fewer emails, authentication improves inbox placement on every platform.

Quick Primer: What SPF, DKIM, and DMARC Do

SPF (Sender Policy Framework): Tells receiving servers which IP addresses are allowed to send email on behalf of your domain. You add a DNS TXT record listing authorized senders.

DKIM (DomainKeys Identified Mail): Adds a cryptographic signature to your emails proving they were not tampered with in transit. You add a DNS TXT or CNAME record with a public key.

DMARC (Domain-based Message Authentication): Tells receiving servers what to do when SPF or DKIM fails (none, quarantine, reject). You add a DNS TXT record with your policy.

Platform-by-Platform: What You Need to Do

PlatformSPFDKIMDMARCCustom Domain Tier
MailchimpAuto (shared)Manual CNAMEManual TXTEssentials $13/mo+
KitAuto (shared)Manual CNAMEManual TXTFree tier
beehiivAuto (shared)Manual CNAMEManual TXTFree tier (Launch)
BrevoAuto (shared)Manual TXTManual TXTFree tier
ActiveCampaignAuto (shared)Manual CNAMEManual TXTStarter $15/mo+

Mailchimp: Authentication Setup

Step 1: Go to Account → Domains → Add & Verify Domain. Enter your sending domain.

Step 2: Mailchimp generates CNAME records for DKIM. Add these to your DNS provider (Cloudflare, GoDaddy, Namecheap, etc.).

Step 3: SPF is handled automatically through Mailchimp's shared sending infrastructure.

Step 4: Set up DMARC yourself by adding a TXT record: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Tier requirement: Custom domain authentication is available on all plans including Free, but dedicated sending domain features improve on Essentials ($13/mo) and above. Dedicated IP requires Premium ($350/mo).

Kit (ConvertKit): Authentication Setup

Step 1: Go to Settings → Email → Sending Domain. Add your domain.

Step 2: Kit provides CNAME records for DKIM verification. Add them to your DNS.

Step 3: SPF is handled through Kit's shared infrastructure.

Step 4: Add your own DMARC TXT record to your DNS.

Tier requirement: Custom domain sending is available on the free Newsletter plan. Kit handles SPF automatically. DKIM requires manual CNAME setup.

beehiiv: Authentication Setup

Step 1: Go to Settings → Publication → Custom Domain. Add both your website domain and sending domain.

Step 2: beehiiv provides DNS records for DKIM (CNAME records). Add them to your registrar.

Step 3: SPF is handled through beehiiv's shared infrastructure.

Step 4: Add a DMARC TXT record to your DNS.

Tier requirement: Custom domain is available on the free Launch plan. This is a major advantage — most platforms require paid plans for custom sending domains.

Brevo: Authentication Setup

Step 1: Go to Senders & IPs → Domains. Add your domain.

Step 2: Brevo provides TXT records for both DKIM and domain verification. Add them to your DNS.

Step 3: SPF is handled through Brevo's shared infrastructure on Free and Starter plans.

Step 4: Add a DMARC TXT record to your DNS.

Tier requirement: Domain authentication is available on the Free plan. Dedicated IP (for maximum deliverability control) requires Professional at $499/mo.

ActiveCampaign: Authentication Setup

Step 1: Go to Settings → Advanced → I'm sending with a custom mail server domain. Add your domain.

Step 2: ActiveCampaign provides CNAME records for DKIM. Add them to your DNS.

Step 3: SPF is handled through ActiveCampaign's shared infrastructure.

Step 4: Add a DMARC TXT record to your DNS.

Tier requirement: Custom mail server domain is technically available on Starter ($15/mo), but custom sending domain with full branding control is best supported on Plus ($49/mo) and above. Enterprise ($145/mo) offers dedicated account support for deliverability optimization.

DMARC Policy Recommendations

Start with p=none: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com. This monitors without blocking. Run for 2-4 weeks.

Move to p=quarantine: Once you confirm legitimate sources are passing, quarantine unauthenticated emails.

Goal: p=reject: The strongest policy. Reject all unauthenticated emails. Only move here once all your sending sources pass SPF and DKIM.

Frequently Asked Questions

Do I need a dedicated IP for good deliverability?
No. Shared IPs on reputable platforms (Mailchimp, Kit, beehiiv, Brevo, ActiveCampaign) have good reputation because the platforms police their senders. Dedicated IPs only make sense at 100,000+ sends/month and require careful IP warming. On Mailchimp, dedicated IP requires Premium at $350/mo. On Brevo, it requires Professional at $499/mo.
Which platform makes authentication easiest?
All five platforms handle SPF automatically. For DKIM, they all require you to add DNS records manually. beehiiv and Kit stand out because they support custom domains on their free tiers, so you can authenticate immediately without paying.
What happens if I do not set up DMARC?
Without DMARC, receiving servers cannot verify your domain's authentication policy. Your emails are more likely to be filtered as spam, especially by Gmail and Yahoo. Setting up even a basic DMARC policy with p=none is better than nothing.

Explore Further on Sasanova

Tools

MailchimpConvertkitBeehiivBrevoActivecampaign

Guides

Email Deliverability ComparedEmail List Health GuideEmail Platform Feature Tiers Explained