Setup Guide

How to Set Up SPF, DKIM, and DMARC for Customer.io

Customer.io is a behavioral email and messaging platform used by SaaS companies and product-led businesses. It sends transactional emails (password resets, billing notices), lifecycle campaigns (onboarding, activation, churn prevention), and broadcast messages. Authentication setup in Customer.io uses a subdomain-based architecture — rather than modifying your root domain's DNS records, you add records for a Customer.io-provisioned subdomain of your own domain.

SPF Configuration

Customer.io uses a subdomain-based architecture that keeps authentication records off your root domain. When you add a sending domain, Customer.io provisions a subdomain of your domain — typically cio12345.yourdomain.com (where 12345 is your account ID). All email is sent with this subdomain as the envelope-from.

This means you do not need to modify your root domain's SPF record for Customer.io. The SPF record lives on the provisioned subdomain, and Customer.io populates it automatically when you verify your domain.

For reference, the SPF record on the Customer.io subdomain resolves to:

v=spf1 include:customeriomail.com ~all

If you are sending from a root domain address (not a subdomain) and need to add Customer.io to your root SPF manually, the include is:

Type:  TXT
Host:  @
Value: v=spf1 include:customeriomail.com ~all

Note that customeriomail.com in turn includes sendgrid.net, consuming approximately 3 total DNS lookups.

Verify your lookup count with the SenderClarity SPF Checker.

DKIM Configuration

Customer.io requires a custom sending domain — authentication setup is mandatory, not optional.

  1. In Customer.io, go to Settings → Workspace Settings → Email → Sending Domains.
  2. Click Add Sending Domain and enter your domain.
  3. Click Show Records to reveal the DNS records to add:
Type:  TXT
Host:  krs._domainkey.cio12345  (your account ID replaces 12345)
Value: (long public key string provided by Customer.io)

Type:  TXT
Host:  cio12345
Value: v=spf1 include:customeriomail.com ~all

Type:  MX (priority 10)
Host:  cio12345
Value: (two MX hostnames provided by Customer.io)

  4. Add all the provided DNS records to your domain.
  5. Return to Customer.io and click Verify domain. Propagation can take up to 72 hours.

Optionally, add a link-tracking CNAME for branded click-tracking URLs:

Type:  CNAME
Host:  e  (or your chosen tracking subdomain)
Value: e.customeriomail.com  (US) or e-eu.customeriomail.com  (EU)

Cloudflare users: Disable the proxy toggle for the link tracking CNAME — set it to DNS Only. The other records (TXT, MX) are not affected by Cloudflare's proxy.

DMARC Configuration

Start with monitoring mode:

Type:  TXT
Host:  _dmarc
Value: v=DMARC1; p=none; rua=mailto:your-address@reports.senderclarity.com; fo=1

Progress to enforcement after confirming Customer.io traffic is passing authentication:

  1. p=quarantine; pct=25
  2. p=quarantine; pct=100
  3. p=reject

DMARC Considerations for Customer.io

  • Customer.io requires relaxed alignment — strict mode will break it: The envelope-from and DKIM d= tag both use cio12345.yourdomain.com (a subdomain), while your From header uses yourdomain.com (the root domain). Under relaxed alignment (aspf=r; adkim=r, which are the RFC defaults), these share the same organizational domain and DMARC passes. Under strict alignment (aspf=s or adkim=s), they do not match and DMARC fails. If your DMARC record uses strict alignment tags, Customer.io mail will fail authentication.

  • Customer.io sends via SendGrid's infrastructure: customeriomail.com chains to sendgrid.net for actual delivery. In your DMARC aggregate reports, the sending IPs will be from SendGrid's IP ranges. The envelope-from domain will be cio12345.yourdomain.com, confirming it as your Customer.io traffic.

  • Sending domain setup is required for all paid plans: Unlike some ESPs where authentication is optional, Customer.io requires a verified sending domain on all paid accounts. You cannot send production email without completing this step.

  • Each workspace needs its own sending domain: Customer.io workspaces are isolated environments. If your organization uses multiple workspaces (e.g., for different products or regions), each requires its own sending domain configuration with its own subdomain and DNS records.

  • Shared IPs are the default — dedicated IPs require Premium or Enterprise: On the Essentials plan, your mail is sent from IP pools shared with other Customer.io customers. IP reputation is shared, though DMARC authentication is isolated per customer via the subdomain architecture. Dedicated IPs are available on Premium/Enterprise plans for customers sending at least 50,000 emails per week.

Verification

  • Check your SPF record
  • Trigger a test email from a Customer.io campaign or transactional message and inspect the headers
  • Confirm dkim=pass and spf=pass — both should show the cio12345.yourdomain.com subdomain as the authenticated domain
  • Confirm DMARC shows pass with relaxed alignment
  • Monitor DMARC reports in SenderClarity

Common Issues

DMARC failing with strict alignment: If your DMARC record specifies aspf=s or adkim=s, Customer.io mail will fail. The subdomain return-path and DKIM signature require relaxed alignment. Remove the strict tags or replace them with aspf=r; adkim=r (the default behavior).
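The alignment rule described here and under DMARC Considerations can be checked mechanically before you change a DMARC record. The following is an added example, not Customer.io or SenderClarity code; the function names, the small suffix set standing in for the Public Suffix List, and the sample message are assumptions made for illustration.

```python
# Assumption: a tiny stand-in for the Public Suffix List, enough for the sample domains.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def org_domain(domain):
    """Organizational domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def parse_dmarc(record):
    """Split a DMARC TXT value into tags; aspf and adkim default to relaxed ("r")."""
    pairs = (part.partition("=") for part in record.split(";"))
    tags = {k.strip().lower(): v.strip() for k, _, v in pairs if k.strip()}
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("aspf", "r")
    tags.setdefault("adkim", "r")
    return tags

def aligned(auth_domain, from_domain, mode):
    """Strict ("s") needs an exact match; relaxed needs the same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode.lower() == "s" else org_domain(a) == org_domain(f)

def evaluate(record, from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass):
    """DMARC passes when SPF or DKIM both passes and aligns with the From domain."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags["adkim"])
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# Constructed sample message: From header on the root domain, envelope-from and
# DKIM d= on the Customer.io subdomain, as the page describes.
SAMPLE = dict(from_domain="yourdomain.com",
              spf_domain="cio12345.yourdomain.com", spf_pass=True,
              dkim_domain="cio12345.yourdomain.com", dkim_pass=True)

if __name__ == "__main__":
    for rec in ("v=DMARC1; p=none; fo=1",
                "v=DMARC1; p=reject; aspf=s",
                "v=DMARC1; p=reject; aspf=s; adkim=s"):
        print(rec, "->", evaluate(rec, **SAMPLE))
```

Each strict tag removes alignment for its own identifier: with only aspf=s the SPF identifier stops aligning while the relaxed DKIM identifier still aligns, and with both strict tags neither aligns and the result is fail.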

Verification timeout: Customer.io's domain verification can take up to 72 hours due to DNS propagation. If verification times out, check that all required records (the DKIM TXT, SPF TXT, and both MX records) were added correctly.

Link-tracking CNAME proxied in Cloudflare: If the e.yourdomain.com link tracking CNAME has Cloudflare's proxy enabled (orange cloud), click tracking will break. Set it to DNS Only.

Multiple workspaces, one domain: If two Customer.io workspaces try to use the same domain, each will have a different cio##### subdomain prefix. Both can coexist in DNS since their subdomains are distinct, but ensure each workspace's records are added separately.

SPF Lookup Impact

Include                                          Estimated Lookups
customeriomail.com (on provisioned subdomain)    ~3

These lookups occur on the cio12345.yourdomain.com subdomain, not your root domain, so they do not count against your root SPF budget. If you manually add include:customeriomail.com to your root SPF, it consumes 3 lookups there.
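To see how the lookup budget differs between the provisioned subdomain and a root record with a manual include, the following added example (not SenderClarity's checker or Customer.io code) walks SPF includes over an inline zone and counts the terms that RFC 7208 charges against the limit of 10. The zone is constructed: only the cio12345 record and the customeriomail.com to sendgrid.net chain come from this page, and every other record body, hostname and address is a placeholder.

```python
import re

# Constructed zone so the example runs offline. The cio12345 record and the
# customeriomail.com -> sendgrid.net chain come from the page; every other
# record body, name and address is a placeholder, not real DNS data.
ZONE = {
    "cio12345.yourdomain.com": "v=spf1 include:customeriomail.com ~all",
    "customeriomail.com": "v=spf1 include:sendgrid.net ~all",
    "sendgrid.net": "v=spf1 ip4:192.0.2.0/24 include:pool.example.net ~all",
    "pool.example.net": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_spf.other-esp.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "yourdomain.com": "v=spf1 include:_spf.other-esp.example include:customeriomail.com ~all",
}
LIMIT = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying terms per evaluation
COUNTED = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?", re.I)

def count_lookups(domain, zone=ZONE, path=()):
    """Count DNS-querying SPF terms for `domain`, following include and redirect."""
    domain = domain.lower().rstrip(".")
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        raise LookupError("no SPF record for " + domain)
    total = 0
    for term in record.split()[1:]:
        m = TERM.match(term)
        if not m:
            continue  # unparseable term: nothing to count
        name, target = m.group(1).lower(), m.group(2)
        if name in COUNTED:
            total += 1  # the term itself costs one lookup
        if name in ("include", "redirect") and target:
            total += count_lookups(target, zone, path + (domain,))
    return total

def report(domain, zone=ZONE):
    """Lookup count for `domain` plus the budget left under the RFC limit."""
    n = count_lookups(domain, zone)
    return {"domain": domain, "lookups": n, "remaining": LIMIT - n, "ok": n <= LIMIT}

if __name__ == "__main__":
    for name in ("cio12345.yourdomain.com", "yourdomain.com"):
        print(report(name))
```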