
Why you should authenticate your domain

Sending an email using MailChimp is super awesome; most of us know that. But I’m often asked how to ensure that an email actually reaches the recipient’s inbox. All too often, emails get dropped into spam/junk folders. There are many reasons why this could happen, and one of them could be how your email is digitally signed.

Internet Service Providers (ISPs), like Google, Yahoo, and Microsoft, use DKIM and SPF authentication as a way to scan incoming emails for spam or spoofed addresses. Emails that fail authentication are more likely to arrive in a spam or junk folder.

To help ensure your campaigns reach your recipients’ inboxes and to make your campaigns look more professional, you can set up custom DKIM authentication for your domain, and add MailChimp to your SPF record.

In the image here, you can see that the email is sent ‘from’ (that’s our email rocket) and is ‘mailed-by’ (this is MailChimp’s server), but it’s ‘signed by’ – and it’s this that’s the key difference. If your email isn’t signed by the sending domain, it’s not always easy to distinguish from spam emails that are faking who they’re from.

This is because, to all intents and purposes, email sent from MailChimp IS spoofed. I mean, it’s not really from you – not from your inbox. So we want to make it appear as genuine as possible. So, just like any love letter we send out – we sign it (though, not with a kiss, but with a DKIM and SPF record – this was not my best analogy).

What’s the difference between verifying my domain and authenticating it?

The default (and indeed, the required) method in MailChimp is to verify your domain. This is done by MailChimp sending you an email to say ‘hey – this domain name you want to use for your emails, you can receive emails here, right?’ – you click the ‘yeah I can’ button and bingo, you’re all set.

Sound easy? It is. And that’s why it’s good, but not always good enough.

By authenticating the domain, we’re giving MailChimp permission to send an email on our behalf – delegating access to it. When email services (like Google, Yahoo, and Microsoft) check who’s actually sent an email, we want them to see it was you; not anyone else.

How do I authenticate my domain in MailChimp?

We’re going to make a little change to your DNS. The Domain Name System (DNS) is the mechanism for domain names that signposts the right traffic to the right location – where to route emails to and which server to pull your website from. We’re going to tell it that MailChimp is allowed to send emails on your behalf.

To do this, we need to make two changes to your DNS. To get the values you’ll need, in your MailChimp account, head over to the “Verified domains” section in Settings.

Select your domain from this list (if more than one domain is available) for the specific values for your domain.

We’re then going to create a CNAME record for with the value

And a TXT record for with the value: v=spf1 ?all

The examples I’ve shown here are from Cloudflare, which is the system we use at Hypestar to manage our DNS. I’d encourage you to use it for your management, as it can do some pretty awesome things for you aside from easy DNS management (it helps keep your site protected from harm).

Ok, so now we’ve got those values set, we can ask MailChimp to verify these settings. Note that it can take up to 48 hours for DNS changes to propagate around the world (though, in my experience, it’s much faster than that). This is a one-time setup, so from this point on, the emails you send will be digitally signed from your domain.
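Before you save the TXT value, it helps to check it offline: a domain must publish exactly one SPF record, it should contain the include for your sender, and the final `all` term decides what happens to everyone else. The script below is an added example, not code from this post or from MailChimp; the include host `spf.esp.example` is a placeholder for the value shown in your account, and the sample records are constructed.

```python
# Added example: offline audit of a domain's TXT records for SPF problems.
# "spf.esp.example" is a placeholder for the include host your account shows.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Return [(result, mechanism, value)] for one 'v=spf1 ...' record."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for tok in tokens[1:]:
        name, eq, _ = tok.partition("=")
        if eq and name.isalnum():          # modifier such as redirect= or exp=
            continue
        result = QUALIFIERS.get(tok[0])
        body = tok[1:] if result else tok  # a bare mechanism defaults to "+"
        mech, _, value = body.partition(":")
        terms.append((result or "pass", mech.lower().split("/")[0], value.lower()))
    return terms

def audit(txt_records, required_include):
    """Return a list of findings; an empty list means the record looks sane."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:                      # RFC 7208: more than one is a permerror
        return [f"expected exactly one SPF record, found {len(spf)}"]
    terms = parse_spf(spf[0])
    findings = []
    if required_include.lower() not in [v for _, m, v in terms if m == "include"]:
        findings.append(f"missing include:{required_include}")
    all_results = [r for r, m, _ in terms if m == "all"]
    if not all_results:
        findings.append("no 'all' term: unlisted senders get no verdict")
    elif all_results[0] in ("pass", "neutral"):
        findings.append(f"'all' is {all_results[0]}: SPF will not flag unlisted senders")
    return findings

if __name__ == "__main__":
    # Constructed sample TXT record sets, not real DNS data.
    samples = {
        "neutral, no include": ["v=spf1 ?all"],
        "two SPF records": ["v=spf1 include:spf.esp.example ~all", "v=spf1 mx -all"],
        "ok": ["site-verification=abc", "v=spf1 include:spf.esp.example ~all"],
    }
    for label, records in samples.items():
        print(label, "->", audit(records, "spf.esp.example") or "no findings")
```

If your domain already has an SPF record, merge the new include into it rather than adding a second TXT record, since two `v=spf1` records make SPF evaluation fail with a permanent error.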