If my domain is using gsuite and I am using gmail's DKIM, will that DKIM setting be used by another sender on my spf? ie. Klaviyo?

Question

If I have a domain example.com that is using gsuite (DNS settings at registrar has gmail cnames, spf & txt records etc) and I have another service sending on behalf of the domain (Klaviyo). Do the gmail DKIM and DMARC settings help to strengthen the deliverability of those emails sent by the other service (Klaviyo)?

Reinto · Accepted Answer · 2019-11-22T11:00:24.537

To answer your question: A DMARC reject or quarantine policy helps improve deliverability for all parties that send on behalf of your domain AND properly authenticate by SPF or DKIM, in alignment with your domain.

DKIM consists of a cryptographic key pair. You publish the public key on the Internet and you use the private key to sign headers of your outbound emails. This signing is done on the sending server. So unless Klaviyo is using Google servers to relay your messages, those messages are not being DKIM signed by Google.

You should follow the instructions provided by Klaviyo here, so that the emails you send from their platform, using your email domain, will authenticate properly and will NOT fail DMARC.

Update:

Say you own the domain myexample.com, then you should publish a TXT record at the root of that domain that looks like "v=spf1 include:_spf.google.com ~all". Additionally you can add any other services or servers to this record as you see fit. You don't need to add Klaviyo to your SPF record as they will try to authenticate from the send.myexample.com domain used in the bounce address. That is what you created the first CNAME for. It redirects to an SPF (and MX) record hosted at Sendgrid. Additionally, Klaviyo will authenticate those emails using DKIM.

In order to make DMARC work, you need to publish another TXT record at _dmarc.myexample.com, if you haven't already, looking like: "v=DMARC1;p=none;rua=mailto:DMARC@myexample.com;". Then you'll start receiving aggregate reports at the mailbox you supplied. Once you're confident you've included all required parties in your authentication scheme, you can move to a p=reject policy in order to protect your domain.

Is it possible to set the domain's DNS MX record to gsuite and add Klaviyo (txt) spf to gsuite? I have added those CNAME entries you have kindly linked to from Klaviyo's page but MX toolbox still shows no DMARC? I think it may have to do with the domain registrar's DNS manager. I plan to move the domain to a more reliable registrar. — B.Sabz, Nov 21 '19 at 12:31
I've updated the answer in an attempt to also answer your comment. — Reinto, Nov 22 '19 at 11:56

score 0 · Answer 2 · answered Nov 19 '19 at 18:18

Yes, DKIM and DMARC settings do help deliverability.

I assume that Klaviyo does what my company Autoklose is doing as well, and that's using Gmail API to send the email in your name. That means that they only indirectly affect the sending process and the email itself is sent from Google servers and not Klaviyo's servers.

Also, you have to be aware that DKIM & DMARC are only two of the factors in successfully delivering your email. For example, having DKIM & DMARC correctly set gets you positive points but if your domain is blacklisted, it still might not get delivered.

If my domain is using gsuite and I am using gmail's DKIM, will that DKIM setting be used by another sender on my spf? ie. Klaviyo?

2 Answers2