Setup Guide

How to Set Up SPF, DKIM, and DMARC for Mandrill (Mailchimp Transactional)

Mandrill is Mailchimp's transactional email add-on, used for sending application-triggered emails — password resets, receipts, notifications, and other programmatic messages. It is entirely separate from Mailchimp's marketing email infrastructure. If you use both services, each requires its own authentication configuration and they will appear as distinct sources in your DMARC aggregate reports.

Plan note: Mandrill requires a Mailchimp Standard plan or above. It is not available on Free or Essentials plans.

SPF Configuration

Mandrill requires you to add their SPF include to your domain's record:

DNS Record:

Type:  TXT
Host:  @
Value: v=spf1 include:spf.mandrillapp.com ~all

Combined with other services:

v=spf1 include:_spf.google.com include:spf.mandrillapp.com ~all

spf.mandrillapp.com resolves entirely to flat IP ranges — no nested includes. It consumes only 1 DNS lookup and adds zero additional nested lookups.

SPF alignment note: Adding this include authorizes Mandrill's IPs, but the default return-path is @mandrillapp.com, which will not align with your From domain under DMARC. Adding a custom return-path CNAME (see DKIM section) is required to achieve SPF alignment.

Verify your total lookup count with the SenderClarity SPF Checker.

DKIM Configuration

Mandrill uses two CNAME records for DKIM, enabling automatic key rotation.

  1. In Mailchimp, navigate to Automations → Transactional Email → Launch App.
  2. In the Mandrill app, go to Settings → Domains.
  3. Add your sending domain and click View DKIM Settings.
  4. Mandrill provides two CNAME records:
Type:  CNAME
Host:  mte1._domainkey
Value: dkim1.mandrillapp.com

Type:  CNAME
Host:  mte2._domainkey
Value: dkim2.mandrillapp.com
  1. Add both CNAMEs to your DNS.
  2. Return to Mandrill and click Test DNS Settings to verify.

Custom return-path (SPF alignment): To enable SPF alignment, also configure a custom return-path domain:

  1. In Mandrill, go to Settings → Tracking & Return Path Domains.
  2. Add a subdomain (e.g., bounce.yourdomain.com).
  3. Add a CNAME to your DNS:
Type:  CNAME
Host:  bounce
Value: mandrillapp.com

Without this CNAME, the return-path defaults to @mandrillapp.com and SPF will not align with your domain.

Legacy records note: Older Mandrill accounts may have a single TXT record at mandrill._domainkey.yourdomain.com with a raw public key. This is the deprecated method. The current approach uses the two mte1/mte2 CNAMEs. Both will work, but only the CNAME method supports automatic key rotation.

DMARC Configuration

Start with monitoring mode:

Type:  TXT
Host:  _dmarc
Value: v=DMARC1; p=none; rua=mailto:your-address@reports.senderclarity.com; fo=1

Progress to enforcement after confirming both Mailchimp marketing and Mandrill transactional traffic pass authentication:

  1. p=quarantine; pct=25
  2. p=quarantine; pct=100
  3. p=reject

DMARC Considerations for Mandrill

  • Mandrill and Mailchimp are completely separate systems for DMARC purposes: They use different sending IPs, different SPF includes, and different DKIM selectors. Your DMARC reports will show them as distinct sending sources. Authenticating one does not cover the other — both require independent setup. A common mistake is configuring Mailchimp's DKIM (via Account → Domains) and assuming Mandrill is also covered; it is not.

  • Custom return-path is limited to one domain per Mandrill account: Only one domain can be configured as a custom return-path destination. If you send transactional email for multiple domains through one Mandrill account, only that one domain benefits from SPF alignment. All other domains must rely on DKIM alignment alone.

  • Mandrill IPs are Mailchimp's dedicated ASN: Mandrill sends from IP ranges in ASN 14782, all owned by The Rocket Science Group (Mailchimp's legal entity). These ranges are stable and well-known to spam filters. In your DMARC reports, the source will show as Mailchimp infrastructure — not a third-party cloud provider.

  • SPF default is misaligned: Out of the box, the Mandrill envelope-from is @mandrillapp.com. Your reports will show SPF passing (because spf.mandrillapp.com authorizes those IPs) but not aligned (because mandrillapp.com doesn't match your From domain). DKIM alignment via the mte1/mte2 CNAMEs provides DMARC pass without SPF alignment, but adding the custom return-path CNAME gives you both.

Verification

  • Check your SPF record →
  • Send a test transactional message via the Mandrill dashboard or API and inspect the headers
  • Confirm dkim=pass aligned to your domain (not mandrillapp.com)
  • Monitor DMARC reports in SenderClarity — check that Mandrill and Mailchimp marketing appear as separate sources

Common Issues

Mandrill and Mailchimp appearing as one source: They will not — they use different IP ranges and show separately in aggregate reports. If you only see one, you may only be using one of the two services.

Legacy mandrill._domainkey TXT record still in DNS: The old single-TXT method still functions but does not support automatic key rotation. If Mandrill rotates keys (which they may do for security reasons), your DKIM will break silently until you update the TXT value. Migrating to the mte1/mte2 CNAME records is strongly recommended.

SPF alignment still failing after return-path CNAME: Confirm the CNAME at bounce.yourdomain.com (or your chosen subdomain) points to mandrillapp.com and has fully propagated. Also verify that the custom return-path domain is activated in Mandrill's Settings → Tracking & Return Path Domains.

SPF Lookup Impact

Include Estimated Lookups
spf.mandrillapp.com 1

Mandrill's SPF include resolves to flat IP ranges with no nested includes — one of the lightest includes of any major transactional email provider.