SPF for Klaviyo: Setup Guide and Common Issues
Learn how to set up SPF for Klaviyo emails. Covers Klaviyo's branded sending domain approach, DNS setup, adding to existing records, and verification steps.
Last updated: 2026-05-05
Klaviyo is a popular email marketing platform, especially for ecommerce businesses. If you are sending campaigns, flows, or transactional emails through Klaviyo, those messages need to pass SPF authentication. Without it, your marketing emails may land in spam instead of your customers' inboxes.
For a comprehensive overview of SPF, see our complete SPF guide. This guide explains how Klaviyo handles SPF, walks through the setup process, and covers the mistakes that trip people up most often.
How Klaviyo Handles Email Authentication
Klaviyo's approach to email authentication is built around branded sending domains (also called dedicated sending domains) (Klaviyo Help Center). Instead of giving you a simple SPF include to paste into your DNS, Klaviyo has you set up a branded sending domain through CNAME records. This approach handles both SPF and DKIM authentication in one process.
Here is why this matters: when you set up a branded sending domain in Klaviyo, you create CNAME records that point subdomains of your domain to Klaviyo's infrastructure. Klaviyo then manages the underlying SPF and DKIM records on their end. This means you typically do not need to manually add a separate SPF include for Klaviyo.
Klaviyo uses CNAME-based authentication
Unlike some email services that ask you to add an include: to your SPF record, Klaviyo's branded sending domain approach uses CNAME records to handle SPF verification. Follow Klaviyo's specific DNS instructions rather than trying to add a manual SPF include.
Setting Up Your Branded Sending Domain in Klaviyo
The setup process starts inside your Klaviyo account. Klaviyo will generate the exact DNS records you need to add.
Open sending domain settings in Klaviyo
Log into your Klaviyo account. Click Settings in the left sidebar, then go to Email > Sending Domains (the exact path may vary slightly as Klaviyo updates their interface). Click "Add Sending Domain" or "Get Started" to begin the process.
Enter your sending domain
Type in the domain you want to send from (for example, yourdomain.com). Klaviyo will generate a set of DNS records specific to your account. These typically include CNAME records for both DKIM signing and SPF verification.
Copy the DNS records Klaviyo provides
Klaviyo will display several CNAME records to add to your DNS. Copy each record carefully, including the exact hostnames and values. Pay close attention to the record type — these are CNAME records, not TXT records.
Log into your DNS provider
Go to where your domain's DNS is managed. This could be your domain registrar — see our guides for Cloudflare, GoDaddy, or Namecheap — or a separate DNS hosting service.
Add the CNAME records
Create each CNAME record that Klaviyo specified. For each record, enter the hostname (the subdomain part) and the target value exactly as Klaviyo provided. Make sure you are creating CNAME records, not TXT or A records.
Verify in Klaviyo
Go back to Klaviyo's sending domain settings and click the verification button. Klaviyo will check your DNS for the records. Verification can take anywhere from a few minutes to several hours, depending on how quickly your DNS propagates.
Do You Need to Edit Your SPF Record for Klaviyo?
In most cases, no. Klaviyo's branded sending domain approach means SPF is handled through the CNAME records you added. Klaviyo manages the SPF configuration on their end, so you do not need to add a separate include: to your domain's main SPF record.
However, there are situations where you might need to take additional action:
If Klaviyo's setup instructions specifically mention an SPF include, add it to your existing SPF record. Klaviyo's instructions are tailored to your account, so always follow what they show you.
If you have a strict DMARC policy, make sure your branded sending domain is fully verified. The CNAME-based approach aligns authentication with your domain, which is important for DMARC alignment. See softfail vs hardfail to understand the enforcement options.
If you are not using a branded sending domain, Klaviyo sends from their shared domain, and DMARC alignment may fail. Setting up a branded sending domain solves this.
Common Klaviyo SPF Mistakes
Not setting up a branded sending domain
The biggest mistake is skipping the branded sending domain setup entirely. Without it, Klaviyo sends from a shared domain, and your emails lack proper authentication alignment with your domain. This hurts deliverability, especially if you have a DMARC policy.
Adding CNAME records with the wrong hostname
Klaviyo's CNAME records point specific subdomains to Klaviyo's servers. If you enter the hostname incorrectly — for example, including your full domain when only a subdomain prefix is needed — the verification will fail. Some DNS providers automatically append your domain, so if Klaviyo says the hostname is kl._domainkey, you might only need to enter kl._domainkey without adding .yourdomain.com (your DNS provider adds that part).
Creating the records as the wrong type
Klaviyo's DNS records are typically CNAME records. If you accidentally create them as TXT or A records, they will not work. Double-check the record type before saving.
Not verifying after adding records
Adding the records to your DNS is only half the job. You must go back to Klaviyo and click verify. Until you do, Klaviyo may not activate the branded sending domain.
Having multiple SPF records
If you do need to add an SPF include for Klaviyo, remember that your domain can only have one SPF record. Do not create a second TXT record starting with v=spf1. Instead, edit your existing SPF record and add the include to it. Multiple SPF records cause a PermError, which breaks authentication for all your email — not just Klaviyo.
Klaviyo with Other Email Services
Even though Klaviyo's SPF is typically handled through CNAME records, you still need a properly configured SPF record for your other email services. If you use Klaviyo alongside other platforms, our guide on SPF for multiple ESPs explains how to manage them together. Make sure your main SPF record covers all your other senders:
Google Workspace + other services:
v=spf1 include:_spf.google.com include:sendgrid.net ~all
Microsoft 365 + other services:
v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net ~all
Each include counts toward the 10 DNS lookup limit. One advantage of Klaviyo's CNAME-based approach is that it typically does not add lookups to your main SPF record, leaving room for other services. If you are running low on lookups, see our guide on SPF flattening.
Verifying Your Setup
After completing the setup, confirm everything is working:
1. Check Klaviyo's verification status. In Klaviyo's sending domain settings, your domain should show as verified with green indicators.
2. Check your SPF record with the tool above. Confirm your main SPF record is valid and covers your other email services.
3. Send a test email. Send a campaign or test email from Klaviyo to a Gmail address. Open it, click the three dots, and select "Show original." Look for spf=pass and dkim=pass in the authentication results.
For the best deliverability, also configure DKIM (handled automatically by Klaviyo's branded sending domain) and DMARC (a separate TXT record on your domain). Together, these three protocols protect your domain from spoofing and maximize inbox placement.
References
- RFC 7208: Sender Policy Framework (SPF) — The current SPF specification
- Klaviyo: How to Set Up a Branded Sending Domain — Official Klaviyo email authentication guide
Never miss an SPF issue
Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.
Start Monitoring