How to Set Up DMARC for Mailchimp: Email Authentication Guide

If you send marketing emails through Mailchimp, you need DMARC set up on your domain. Without it, your campaigns are more likely to land in spam, and your domain is vulnerable to spoofing. The good news is that Mailchimp has made authentication easier in recent years, and adding DMARC on top of it is straightforward once you understand how the pieces fit together.

This guide covers how Mailchimp handles email authentication, what you need to do on the DNS side, and how to get your DMARC record working properly alongside your Mailchimp sending.

How Mailchimp Handles Email Authentication

Mailchimp requires you to authenticate your sending domain before you can use it as your "From" address. This is not optional — Mailchimp enforces this for all users. When you authenticate your domain in Mailchimp, you are setting up both SPF and DKIM so that emails sent through Mailchimp's servers can pass authentication checks.

Here is what happens behind the scenes. When you verify a domain in Mailchimp, the platform gives you DNS records to add. These typically include a CNAME record for DKIM signing and may include records for SPF alignment. Once published, Mailchimp signs your outgoing emails with DKIM using your domain, and the SPF check passes because Mailchimp's servers are authorized to send on your behalf.

If you have not yet authenticated your domain in Mailchimp, do that first. Without domain authentication, your emails are sent using Mailchimp's shared domain, which means DMARC alignment will fail for your domain. Go to Settings > Domains in your Mailchimp account to start the process.

SPF and DKIM After Authentication

Once you complete Mailchimp's domain authentication, your emails will pass DKIM alignment because Mailchimp signs them with your domain. For SPF, Mailchimp sends from its own servers, so SPF alignment depends on how Mailchimp has configured the return path for your account. In most cases, DKIM alignment is the reliable path for DMARC to pass.

This is an important point: even if SPF does not perfectly align (which can happen with third-party senders), your DMARC check will still pass as long as DKIM alignment succeeds. DMARC requires only one of the two -- SPF or DKIM -- to align and pass. For a detailed comparison of how each protocol contributes, read SPF vs DKIM vs DMARC.

Prerequisites Before Adding DMARC

Before you add a DMARC record, confirm these things are in place:

Mailchimp domain authentication is complete. In your Mailchimp account, go to Settings > Domains and verify that your sending domain shows as authenticated. If it says "pending" or shows warnings, resolve those first by adding the DNS records Mailchimp provided.

Your SPF record includes all sending sources. If you send email from other services besides Mailchimp (Google Workspace, a CRM, a transactional email service), those need to be in your SPF record too. You can build a complete SPF record at spfcreator.com.

DKIM is active for your other sending services. If you use Google Workspace or another email provider alongside Mailchimp, make sure DKIM is enabled there as well. You can generate DKIM keys at dkimcreator.com.

The Recommended DMARC Record for Mailchimp Users

If this is your first time setting up DMARC, start with a monitoring-only policy:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100;

This record tells receiving mail servers to send you daily reports about every email that uses your domain, without blocking or quarantining anything. Replace dmarc-reports@yourdomain.com with an email address you control.

Starting with p=none is critical when you use Mailchimp because it gives you time to verify that Mailchimp's authentication is working correctly before you start enforcing. You do not want to switch to p=reject and accidentally block your own marketing campaigns.

Adding the DMARC Record to Your DNS

Your DMARC record gets added to your domain's DNS, not inside Mailchimp. The process depends on where your DNS is hosted.

Log in to your DNS provider

Go to wherever your domain's DNS is managed. This could be your domain registrar (GoDaddy, Namecheap, Cloudflare) or a separate DNS hosting service. Navigate to the DNS records section for your domain.

Add a new TXT record

Create a new record with type TXT. Set the Name or Host field to _dmarc. Some providers automatically append your domain, so you only need to enter _dmarc — do not type _dmarc.yourdomain.com unless your provider requires the full name.

Paste your DMARC record as the value

In the Value or Content field, paste your complete DMARC record string. For example: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100;. Set the TTL to 3600 (one hour) or leave the default.

Save and verify

Save the record and wait a few minutes for DNS propagation. Then check your record at dmarcrecordchecker.com to confirm it is live and correctly formatted.

Common Mailchimp DMARC Issues

DKIM Alignment Fails

If your DMARC reports show DKIM alignment failures for emails sent through Mailchimp, the most common cause is incomplete domain authentication. Go back to Settings > Domains in Mailchimp and verify the CNAME records are published and showing as verified. Mailchimp will not sign emails with your domain's DKIM key until authentication is fully complete.

Another cause is having multiple Mailchimp accounts or audiences using the same domain but only authenticating on one. Each account that sends as your domain needs its own authentication setup.

SPF Failures in Reports

It is normal to see SPF failures in your DMARC aggregate reports for Mailchimp-sent emails. This happens because Mailchimp sends from its own IP addresses, and the return path may not align with your domain. As long as DKIM alignment passes, your DMARC result will still be a pass. Do not panic about SPF failures from Mailchimp if DKIM is working.

Emails Landing in Spam After Adding DMARC

If your Mailchimp campaigns start landing in spam after you publish a DMARC record with p=none, the DMARC record itself is not causing it. A p=none policy does not instruct mail servers to take any action. Look at other factors: your sending reputation, email content, list hygiene, and engagement rates. These are the more common reasons for spam folder placement.

If you have moved to p=quarantine or p=reject and see deliverability drops, check your reports immediately. You may have a legitimate sending source that is failing authentication.

Check your email authentication

Verify your SPF, DKIM, and DMARC records are all working together.

Run a Free Check

Moving Toward Enforcement

Once you have been running at p=none for at least two weeks and your reports confirm that all Mailchimp emails pass DKIM alignment, you can start tightening your policy.

Move to p=quarantine; pct=25; first. This sends 25% of failing messages to spam while you monitor. After a week with no issues, increase to pct=100. Then move to p=reject for full protection against spoofing.

Before enforcing, double-check that every service sending email as your domain is properly authenticated -- not just Mailchimp. CRM platforms, transactional email tools, and even your main email provider all need passing SPF or DKIM. If you manage Mailchimp campaigns for multiple client domains, our DMARC for agencies guide walks through multi-domain authentication workflows. For a detailed walkthrough of the enforcement process, see our DMARC policy levels guide.

Keep SPF and DKIM in sync

DMARC depends on SPF and DKIM working correctly. If you add a new sending service or change email providers, update your SPF record at spfcreator.com and set up DKIM at dkimcreator.com before the switch.

Monitor Your DMARC Record

You've created your DMARC record — now make sure it keeps working. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.

Never miss a DMARC issue

Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.

Start Monitoring