Mailchimp is widely used by small and mid-size businesses for email marketing. If you're sending campaigns through Mailchimp using your own domain, configuring SPF, DKIM, and DMARC ensures your messages reach inboxes rather than spam folders — and prevents others from spoofing your domain.
SPF Configuration
Mailchimp's SPF include covers their shared sending infrastructure across all plans.
DNS Record:
Type: TXT
Host: @
Value: v=spf1 include:servers.mcsv.net ~all
Combined with other services:
v=spf1 include:_spf.google.com include:servers.mcsv.net ~all
Note: Mailchimp's SPF include is relatively lightweight, consuming approximately 1–2 DNS lookups. Verify your total with the SenderClarity SPF Checker.
DKIM Configuration
Mailchimp supports custom DKIM signing so that your messages are signed with your domain rather than Mailchimp's default domain.
- In Mailchimp, go to Account → Domains.
- Click Add & Verify Domain and enter your sending domain.
- Mailchimp will verify domain ownership via a confirmation email or DNS record.
- Once verified, click Authenticate next to your domain.
- Mailchimp will provide a CNAME record for DKIM:
Type: CNAME
Host: k1._domainkey
Value: dkim.mcsv.net
- Add the CNAME to your DNS.
- Return to Mailchimp and verify the record.
Once authenticated, Mailchimp will sign outgoing messages with a DKIM signature aligned to your domain.
DMARC Configuration
Start with monitoring mode:
Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:your-address@reports.senderclarity.com; fo=1
Move toward enforcement after reviewing reports:
p=quarantine; pct=25p=quarantine; pct=100p=reject
DMARC Considerations for Mailchimp
SPF will not align — DKIM is everything: Mailchimp uses
mcsv.netas the return-path domain for all campaigns. This means SPF alignment with your From domain will always fail under DMARC. Your entire DMARC compliance for Mailchimp traffic depends on having custom DKIM authentication completed. Without it, enforcing DMARC will quarantine or reject all your Mailchimp campaigns.Don't confuse Mailchimp with Mandrill: If you use Mailchimp's transactional email add-on (Mandrill), it has its own authentication setup and uses different infrastructure. Mandrill traffic will appear separately in DMARC reports and requires its own SPF include (
spf.mandrillapp.com) and DKIM configuration.Strict SPF alignment (
aspf=s) is incompatible with Mailchimp: If your DMARC record usesaspf=s(strict SPF alignment), Mailchimp emails will never pass DMARC via SPF — even if the SPF check itself passes. Keep the defaultaspf=r(relaxed) or omit it entirely, and rely on DKIM for alignment.Unauthenticated domains now send from Mailchimp's address: Since 2024, if you haven't completed domain authentication, Mailchimp rewrites the From header to a Mailchimp-owned address. This means those campaigns no longer appear in your domain's DMARC reports at all — you lose visibility into an entire email stream. Complete domain authentication to keep Mailchimp traffic visible under your DMARC umbrella.
Verification
- Check your SPF record →
- Send a test campaign to an address you control and check the email headers
- Confirm
dkim=passwith your domain (notmcsv.net) in the Authentication-Results header - Monitor DMARC reports in SenderClarity
Common Issues
DKIM shows mcsv.net instead of your domain: You haven't completed domain authentication in Mailchimp. Without it, Mailchimp signs messages with its own domain, which won't align with your DMARC policy.
SPF alignment failures in DMARC reports: Mailchimp uses its own return-path domain for bounces. In strict SPF alignment mode (aspf=s), this will fail. Use relaxed alignment (aspf=r, the default) or rely on DKIM alignment for DMARC to pass.
Free plan limitations: Mailchimp's free plan has limited authentication options. Custom DKIM domain authentication may require a paid plan.
SPF Lookup Impact
| Include | Estimated Lookups |
|---|---|
servers.mcsv.net |
1–2 |