Kit (formerly ConvertKit) is an email marketing platform built for creators, bloggers, and solopreneurs. It handles newsletters, automated sequences, and broadcast emails. Unlike many platforms, Kit uses a CNAME-based architecture for both SPF and DKIM — which means setup looks a little different from traditional ESP guides.
SPF Configuration
Kit does not use a traditional SPF include: that you add to your root domain's TXT record. Instead, it creates a CNAME-based SPF delegation on a subdomain of your domain. This subdomain (ckespa.yourdomain.com) becomes the envelope sender for your outgoing mail, and Kit serves the SPF record from their side via that CNAME.
This means your root domain's SPF record does not change as part of Kit setup. You do not need to add any include: to your existing SPF.
The CNAME record added during Verified Sending Domain setup handles SPF automatically:
Type: CNAME
Host: ckespa
Value: (provided by Kit — unique to your account)
Verify your root SPF lookup count is still within limits using the SenderClarity SPF Checker.
DKIM Configuration
Kit's authentication is configured through their Verified Sending Domain flow, which sets up DKIM, SPF delegation, and return-path in one process.
- In Kit, go to Settings → Emails → Verified Sending Domains.
- Click Set up your Verified Sending Domain and enter your domain.
- Kit will provide CNAME records to add to your DNS:
Type: CNAME
Host: ckespa
Value: (provided by Kit — unique to your account, handles SPF delegation)
Type: CNAME
Host: cka._domainkey
Value: (provided by Kit — unique to your account, handles DKIM signing)
- Add both CNAMEs to your DNS.
- Return to Kit and click Verify.
Kit supports automated setup via Entri for common DNS providers — a "Set this up for me" option is available in the setup flow if your registrar is supported.
DNS provider note: If using Cloudflare, enter just ckespa and cka._domainkey as the hostname (not the full FQDN). Cloudflare appends your domain automatically.
DMARC Configuration
Start with monitoring mode:
Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:your-address@reports.senderclarity.com; fo=1
Progress to enforcement after confirming Kit traffic passes:
p=quarantine; pct=25p=quarantine; pct=100p=reject
DMARC Considerations for Kit
A Verified Sending Domain is mandatory for DMARC compliance: Without it, Kit sends from a
kit.com-owned return-path with no DKIM alignment to your domain. If your domain has any DMARC policy stricter thanp=none, Kit emails will fail and may be quarantined or rejected by recipients. This is not optional — completing the VSD setup is the only path to DMARC alignment with Kit.Kit runs on SendGrid infrastructure: Kit's sending IPs are part of Twilio SendGrid's shared pool. In your DMARC aggregate reports, you will see SendGrid IP ranges as the source, not Kit-specific IPs. Once your Verified Sending Domain is configured, the DKIM
d=tag will show your domain — confirming aligned authentication regardless of the underlying infrastructure.One Verified Sending Domain per account: Kit allows only one VSD per account. If you send emails with From addresses on multiple domains from a single Kit account, only the configured VSD domain will have proper alignment. Emails sent from other domains will have a mismatched return-path, creating SPF alignment failures for those addresses in your DMARC reports.
Pre-existing DMARC enforcement can immediately break Kit mail: If your domain already has
p=quarantineorp=rejectin place, Kit emails will fail as soon as you start sending — before you've had a chance to set up the VSD. Set up your Verified Sending Domain before publishing an enforced DMARC policy, or set up the VSD immediately after switching fromp=none.
Verification
- Check your SPF record →
- Send a test broadcast or automation email from Kit
- Check email headers for
dkim=passaligned to your domain - Monitor DMARC reports in SenderClarity for Kit-sourced traffic
Common Issues
DMARC failures before VSD is set up: Kit's default sending path uses kit.com infrastructure. Any DMARC policy above p=none will cause Kit emails to fail authentication until the Verified Sending Domain is configured and propagated.
CNAME propagation delay: DNS changes can take up to 48 hours to propagate globally. Kit's verification check may fail immediately after adding records — wait and retry before troubleshooting further.
Cloudflare proxy enabled on CNAMEs: If you use Cloudflare, ensure the CNAME records are set to DNS Only (grey cloud). Proxied CNAMEs break DKIM verification.
Multiple domains, one account: If you send campaigns for multiple domains from a single Kit account, only the VSD domain receives aligned authentication. Consider separate Kit accounts for domains where DMARC compliance is critical.
SPF Lookup Impact
| Record | Estimated Lookups Against Root SPF |
|---|---|
| Kit (CNAME-based) | 0 |
Kit's CNAME-based approach does not add any lookups to your root domain's SPF record. SPF resolution for Kit email occurs on the ckespa subdomain, completely independent of your root SPF.