About Email Domain Authentication

To improve your deliverability, Mailchimp automatically adds default authentication to marketing emails sent from Mailchimp domains. If you’re sending emails with a private domain, such as your website, we strongly recommend that you use custom domain authentication to help your emails get delivered to your recipients’ inboxes.

In this article, you'll learn about email domain authentication.

Why authentication matters

Authentication is critical to the delivery of your email from Mailchimp, and works like a tamper-proof seal. It provides a trackable identifier that shows your recipient’s internet service provider that the email hasn’t been tampered with, and it helps your email arrive in their inbox.

Benefits of Mailchimp's default authentication

Mailchimp's automatic DKIM authentication helps, but it’s only part of the authentication process. With Mailchimp’s DKIM, you won’t have to edit any DNS records, and your sending reputation is shared with other Mailchimp users. We recommend that you set up your own DKIM and DMARC for a complete authentication to protect your sending reputation and improve your deliverability rate.

What is DKIM?

After your email domain is verified, you'll set up DKIM authentication by copying some important pieces of information from your Mailchimp account into your domain's CNAME records. DKIM (DomainKeys Identified Mail) is the primary authentication method that verifies that Mailchimp is authorized to send emails on behalf of your domain. DKIM adds an encrypted digital signature to email headers and secured with public key cryptography.

When a receiving server determines that an email has a valid DKIM signature, it can confirm that the email and attachments haven’t been modified. This process is not typically visible to the recipient of the email message.

After your email domain is verified, you'll set up DKIM authentication by copying some important pieces of information from your Mailchimp account into your domain's CNAME records. DKIM is the primary authentication method that verifies that Mailchimp is authorized to send emails on behalf of your domain.

To set up DKIM, you can use Entri to automatically update domain records after providing domain logins. Alternatively, you can copy and paste information from Mailchimp into your domain's CNAME records. We recommend that you work with 2 browser windows or tabs to easily move between the Mailchimp website and your domain's records.

What is SPF?

A Sender Policy Framework (SPF) helps detect forgery by reviewing an email’s listed return-path address. This email address is also referred to as the Mail From or the bounce address. While Mailchimp provides an SPF record (include:servers.mcsv.net), adding this to your domain's SPF record isn't required for authentication with Mailchimp and won't provide DMARC alignment. This is because Mailchimp sends emails from its own servers, resulting in a mismatch between the "envelope from" address (Mailchimp's servers) and the "From" address (your domain).

When an email can’t be sent to its intended recipient after several attempts or a delay, a notification of that failure is usually sent to the return-path address.

What is DMARC?

Domain-based Message Authentication, Reporting & Conformance (DMARC) uses SPF and DKIM to verify the authenticity of emails. For DMARC to pass, either SPF or DKIM (or both) must align with the "From" address. In the context of sending emails via Mailchimp, DKIM is the authentication method that provides this alignment. You can set up your DMARC policy to quarantine or reject messages when DKIM and SPF don’t match up with your DMARC. You’ll also receive DMARC activity reports to see who's sending emails to you and if they are using DKIM and SPF.

We recommend setting up DMARC, even though it is not strictly required for sending emails through Mailchimp, as it provides an additional layer of security and protection against email spoofing. Completing DMARC authentication for your domain not only keeps you compliant with large email services such as Google and Yahoo, but helps make sure that your emails won’t be identified as spam, so you can make sure you’re reaching recipients’ inboxes.

Custom domain authentication

If you use your own email domain, we encourage you to setup Domain Authentication. This will allow Mailchimp to sign DKIM on behalf of your domain, enabling DMARC alignment and potentially improving deliverability. To do this, you'll need to make a few changes in your DNS records, so you may want to ask your website manager or domain registrar for help.

Benefits of custom domain authentication

Authenticating your own domain has three important benefits.

• It removes the default Mailchimp authentication information (such as mailchimpapp.net) that shows up next to your From name in certain email clients. While this works for most email clients, some, like Outlook, may still display authentication information after custom DKIM is set up. This is specific to each email client and isn't something we can prevent.
• It can help your email arrive in recipient inboxes, rather than in spam or junk folders.
• It enables DKIM alignment for DMARC, which is a prerequisite for implementing Brand Indicators for Message Identification (BIMI) to prominently display your logo in your recipients’ inboxes.

Do I need custom domain authentication?

Before you authenticate your domain to use in Mailchimp, review these questions to make sure it's a good fit.

• Is your Mailchimp From email address associated with your email domain, rather than a public webmail address like gmail.com or hotmail.com?
• Are you or your IT team able to make changes to your DNS records?

If you answered yes to all or most of these questions, custom authentication is a good fit for you.

Next steps for custom domain authentication

To authenticate your domain, you'll verify it first, and then edit the CNAME and DMARC records in your domain's DNS records.

Verify an Email Domain

Set Up Email Domain Authentication