SPF(supported) (dedicated subdomain)

This article covers the SPF and DKIM authentication processes for Klaviyo and how they are managed in Valimail Enforce. Because this service leverages SendGrid's email infrastructure, it requires additions to your DNS records outside of the Valimail platform. Adding Klaviyo as an authorized sender in the Valimail Enforce usually requires a dedicated subdomain to be pointed to the Klaviyo infrastructure and typically the DKIM keys will be added in the Valimail platform.


Configuring DKIM authentication for your Klaviyo emails

Klaviyo requires 3 CNAME records for email authentication, and one TXT record for domain ownership verification.

Please note that, while getting setup is available to all users, only those with Owner, Admin, Manager, and Campaign Coordinator privileges can make changes.

1. Click on your company name in the top right corner of your account.

2. Select Account.

3. Select the Settings dropdown.

4. Choose Domains and Hosting from the main tab.

5. Select Get Started.

6. Input your root domain (e.g., helloworld.com)

7. Specify an arbitrary and unused subdomain (i.e., one that you do not currently have in use elsewhere in your marketing) under Sending Domain (e.g., "send")

8. Click Continue.

9. Hover over and click the text to copy the generated TXT and CNAME records to your clipboard.

In an example where the intended sending domain is send.helloworld.com, with “send” as the subdomain and “helloworld.com” as the root domain, the expected DNS records would be the following:

HostValueRecord Type

If your brand's intended sending domain has two subdomains, such as send.mail.helloworld.com, “send” would be used for the subdomain and “mail.helloworld.com” for the root domain. The expected DNS records would be the following:

HostValueRecord Type

IMPORTANT Note: The 1st CNAME record and the TXT record will need to be added directly in your DNS.

The 2 CNAME DKIM keys will need to be published in Valimail Enforce.

10. Publish all 4 records in the DNS and Valimail Enforce respectively.

11. After all 4 records are published in their respective areas, go back to the Klaviyo account and click Continue to Verify Domain.

12. Review any message that appears. You will see one of the following messages:

  • If a campaign is conflicting, you will see a notification that the deliverability may be impacted. To avoid any conflicting errors, a best practice is to make sure there are no campaigns actively sending or scheduled to go out soon. It is also best practice (but is not required) to pause flows and campaigns until after you apply and test your changes.
  • If your records are valid, you will see a success message. This success message may indicate that you need to warm your infrastructure again. Note that this only applies to brand new Klaviyo accounts or newly registered domains (within the last 30 days). If you are an existing account who has at least a 30-day sending history with Klaviyo, you do not have to re-warm.
  • If your records are not valid, you will see an error indicating what has not been set up correctly.

13. Select Apply Domain.

14. Check the box indicating that you understand that you must warm your infrastructure by changing your sending behavior. If you are an existing Klaviyo account who has a 30 day sending history, you do not need to warm your infrastructure again to move to a dedicated sending domain. 

15. Click Apply Domain.

Klaviyo will now apply your dedicated sending domain to your account, and produce a success message when completed. 

You can also find the instructions on how to set up DKIM in Klaviyo here.

Add a Klaviyo DKIM key in Enforce

1. Go to your domain's Configuration page in Valimail Enforce and publish the newly created DKIM key.

    a. Scroll down and add the two DKIM keys in your configuration, by clicking on Add a DKIM key

    b. Enter the selector name, CNAME target value, associate the keys with Klaviyo and then click Add.

You can find more detailed information on how to add a DKIM key in Valimail Enforce here.

Configuring SPF authentication for your Klaviyo emails

Once you establish that Klaviyo is an authorized sender for your domain, you will need to add the service in your Enabled Senders list in Enforce.

1. Please go to your domain's Configuration page in Enforce.

2. Click on the + sign from the Enabled Senders section:

3. Choose Klaviyo from the list of configurable senders and then click Enable:

We encourage you to use the comment section for any useful information about your sending service, such as the name of the service owner, change request ticket numbers, etc.

As always, if you have any questions, please don't hesitate to submit a ticket.