Setup Guide

How to Set Up SPF, DKIM, and DMARC for AWeber

AWeber is a long-established email marketing platform popular with small businesses, bloggers, and online marketers. It handles newsletters, autoresponders, and broadcast campaigns. AWeber's authentication model is DKIM-only for DMARC purposes — SPF alignment is not achievable by design, and AWeber's own documentation explicitly advises against adding an SPF include.

SPF Configuration

AWeber recommends you do not add an SPF include for their service. The envelope-from (return-path) for all AWeber-sent email is always an AWeber-owned domain — adding include:send.aweber.com to your SPF record authorizes their IPs but will not help with DMARC alignment since the return-path domain never matches your From domain.

If a third-party tool or older guide instructs you to add an SPF include for AWeber, skip it. It consumes a DNS lookup with no DMARC benefit.

Your SPF record should include only services whose return-path aligns with your domain:

Type:  TXT
Host:  @
Value: v=spf1 include:_spf.google.com ~all

Verify your total lookup count with the SenderClarity SPF Checker.

DKIM Configuration

AWeber uses three CNAME records for DKIM with automatic key rotation. All three must be present.

  1. Log in to AWeber and click your profile name (top-right).
  2. Click My Accounts, then select the Domains & Addresses tab.
  3. Find your domain and click the gear icon to reveal the three CNAME records.
  4. Add all three CNAMEs to your DNS:
Type:  CNAME
Host:  aweber_key_a._domainkey
Value: aweber_key_a.send.aweber.com

Type:  CNAME
Host:  aweber_key_b._domainkey
Value: aweber_key_b.send.aweber.com

Type:  CNAME
Host:  aweber_key_c._domainkey
Value: aweber_key_c.send.aweber.com
  1. Optionally, use AWeber's Connect Domain automated setup, which supports over 40 DNS providers.

AWeber rotates keys automatically across the three selectors. All three must be present in your DNS at all times — removing any one of them will cause DKIM failures when AWeber rotates to that key.

Cloudflare users: Disable the proxy toggle (orange cloud) for these CNAME records. They must be DNS Only mode to function correctly.

DMARC Configuration

Start with monitoring mode:

Type:  TXT
Host:  _dmarc
Value: v=DMARC1; p=none; rua=mailto:your-address@reports.senderclarity.com; fo=1

Progress to enforcement after confirming AWeber traffic is passing via DKIM:

  1. p=quarantine; pct=25
  2. p=quarantine; pct=100
  3. p=reject

DMARC Considerations for AWeber

  • SPF alignment is permanently unavailable: AWeber does not support a custom return-path domain. The envelope-from is always an AWeber-owned domain. This is an architectural limitation that cannot be worked around — DKIM is the only mechanism that will ever provide DMARC alignment for AWeber traffic. Do not add include:send.aweber.com expecting SPF to help; it wastes a DNS lookup.

  • Three-key rotation is invisible to recipients but requires all three CNAMEs: AWeber automatically rotates between the three DKIM keys (aweber_key_a, _b, _c). Mail is signed with whichever key AWeber is currently using. If any of the three CNAMEs is missing, AWeber will eventually rotate to that key and your DMARC reports will start showing DKIM failures — possibly weeks after you set up authentication, making the root cause hard to diagnose.

  • AWeber's IPs are well-defined and stable: AWeber sends from two CIDR ranges (204.194.222.0/23 and 216.185.208.0/22). These are distinct from common cloud provider IP ranges and are easy to identify in DMARC aggregate reports. Once DKIM is configured, all traffic from these ranges should show as aligned pass.

  • Free mailbox domains (Gmail, Yahoo) as From addresses break AWeber sending: AWeber reframes sending for subscribers whose list was built before custom domain authentication was common. If you send from a @gmail.com or @yahoo.com From address, AWeber may rewrite the From header to comply with those domains' DMARC policies. Use a custom domain as your From address to avoid this.

Verification

  • Check your SPF record →
  • Send a test broadcast from AWeber to an address you control
  • Check email headers for dkim=pass aligned to your domain (not send.aweber.com)
  • Monitor DMARC reports in SenderClarity

Common Issues

DKIM passes for send.aweber.com instead of your domain: You have not completed domain authentication. Without the three CNAME records, AWeber signs with its own domain, which will not align with your DMARC policy.

One of the three CNAMEs is missing: AWeber's three-key rotation means all three selectors must be present. Check that aweber_key_a, aweber_key_b, and aweber_key_c are all in your DNS. A missing record may not cause immediate failures but will surface when AWeber rotates to that key.

Cloudflare proxy interfering: If CNAMEs have the proxy toggle enabled in Cloudflare, DKIM verification will fail. Set all three to DNS Only.

SPF alignment failures in reports: This is expected and cannot be fixed. AWeber's return-path is always an AWeber domain. Your DMARC compliance depends entirely on DKIM passing and aligning.

SPF Lookup Impact

Include Estimated Lookups
AWeber SPF include (not recommended) 1

AWeber itself recommends against adding their SPF include, as it provides no DMARC benefit. Do not add it unless explicitly required for a non-DMARC reason.