Setup Guide

How to Set Up SPF, DKIM, and DMARC for Campaign Monitor

Campaign Monitor (now part of Marigold) is an email marketing platform popular with agencies, designers, and mid-market businesses. It handles newsletters, automated journeys, and transactional campaigns. Campaign Monitor sends all email through its own infrastructure (cmail1.com and cmail2.com), and DKIM alignment is the only path to DMARC compliance — SPF alignment is not achievable.

SPF Configuration

Campaign Monitor has an SPF include you could theoretically add, but it provides no practical DMARC benefit:

Type:  TXT
Host:  @
Value: v=spf1 include:_spf.createsend.com ~all

Important: Campaign Monitor always uses its own bounce domain (cmail1.com or cmail2.com) as the envelope-from — it cannot be changed. This means the return-path will never match your From domain, and SPF will never align under DMARC regardless of whether you add include:_spf.createsend.com. Adding it wastes a DNS lookup without improving your DMARC posture.

Only add this include if a Campaign Monitor support representative specifically advises it for a non-DMARC reason. For DMARC purposes, omit it entirely and focus on DKIM.

Verify your current SPF record with the SenderClarity SPF Checker.

DKIM Configuration

Campaign Monitor supports custom DKIM signing via their sending domains feature.

  1. Log in to Campaign Monitor and click your profile avatar (top-right corner).
  2. Go to Account settings → Sending domains.
  3. Click Add domain and enter your sending domain.
  4. Campaign Monitor generates a DKIM TXT record:
Type:  TXT
Host:  cm._domainkey
Value: k=rsa; p=(provided by Campaign Monitor — unique to your account)
  1. Add the TXT record to your DNS.
  2. Return to Campaign Monitor and click Authenticate Now.

The selector for Campaign Monitor DKIM is cm — the full DNS lookup will be cm._domainkey.yourdomain.com.

DNS compatibility note: Campaign Monitor's DKIM value contains semicolons and underscores, which some DNS providers handle inconsistently. If your DNS provider's interface strips or escapes these characters, contact their support — this is a known friction point with Campaign Monitor's record format.

DMARC Configuration

Start with monitoring mode:

Type:  TXT
Host:  _dmarc
Value: v=DMARC1; p=none; rua=mailto:your-address@reports.senderclarity.com; fo=1

Progress to enforcement after confirming Campaign Monitor traffic passes via DKIM:

  1. p=quarantine; pct=25
  2. p=quarantine; pct=100
  3. p=reject

DMARC Considerations for Campaign Monitor

  • SPF alignment is architecturally impossible: Campaign Monitor's bounce handling infrastructure uses cmail1.com and cmail2.com as the return-path domain for all customers. There is no mechanism to set a custom return-path. This is a platform-level limitation that applies to all accounts at all plan tiers. Plan your DMARC enforcement timeline knowing that DKIM is your only alignment mechanism.

  • DMARC reports will show cmail1.com and cmail2.com as the SPF source: These domains will appear in the SPF row of your aggregate reports alongside Campaign Monitor's sending IPs. The SPF result will show as misaligned — this is expected. The DKIM row will show cm._domainkey.yourdomain.com as the passing, aligned result once setup is complete.

  • Agencies managing multiple client domains need per-domain DKIM setup: Campaign Monitor is heavily used by agencies managing campaigns for multiple brands. Each client domain requires its own DKIM configuration in Campaign Monitor. There is no account-level setting that covers all domains — authentication must be set up individually for every sending domain.

  • Moving to enforcement affects all Campaign Monitor traffic immediately: If you tighten your DMARC policy to p=quarantine or p=reject before completing DKIM setup, all Campaign Monitor campaigns will fail authentication. The cm._domainkey CNAME must be active and verified before any enforcement begins.

  • Campaign Monitor's IPs are identifiable in reports: Traffic appears from IPs in the _spf.createsend.com range. If you see cmail1.com or cmail2.com in the SPF envelope-from column of your reports, that is Campaign Monitor — even if you don't immediately recognize the domain.

Verification

  • Check your SPF record →
  • Send a test campaign from Campaign Monitor and inspect the email headers
  • Confirm dkim=pass with cm._domainkey.yourdomain.com in the Authentication-Results header
  • Monitor DMARC reports in SenderClarity

Common Issues

DKIM TXT record not accepted by DNS provider: Campaign Monitor's DKIM value uses semicolons and underscores. If your DNS interface strips these, the record will be malformed and verification will fail. Try entering the value in quotes if your provider supports it, or contact the provider's support.

Authenticate Now button not changing status: DNS propagation can take up to 48 hours. If it still shows as unauthenticated after that window, verify the TXT record was added to the exact hostname cm._domainkey (not cm._domainkey.yourdomain.com — some providers auto-append the domain, which would double it).

Agency clients seeing DMARC failures before DKIM is set up: If a client already has p=quarantine or p=reject in their DMARC record and you start sending campaigns for them via Campaign Monitor before completing DKIM setup, their campaigns will fail. Complete authentication before sending.

SPF Lookup Impact

Include Estimated Lookups
_spf.createsend.com (not recommended) ~2–3

This include provides no DMARC benefit and is not recommended. Leave it out unless specifically advised otherwise.