Set up SPF, DKIM & DMARC for Customer.io

You've connected a sending domain in Customer.io but DMARC still fails, or you're unsure whether the DMARC record goes on the sending subdomain or the root.

Check your domain first — 10 seconds, free, no signup.
See your DMARC policy, SPF lookup count and every issue explained in plain English.
Run the free check →

What this means

Customer.io's setup has one non-obvious step: it needs an MX record on the sending subdomain to create a custom Return-Path, which is what lets SPF align for DMARC (the mail-from subdomain and the header-from parent match under relaxed alignment). Keep alignment relaxed (aspf/adkim = r, the default) — a strict setting would require an identical domain match and make Customer.io mail fail DMARC. And the DMARC record itself belongs on your root domain (_dmarc.root-domain.com), not on the sending subdomain. Source: Customer.io Docs — Domain Authentication · verified 2026-07-18.

What to do about it

Step 1. Add every record Customer.io lists — including the MX record on the sending subdomain, which creates the aligned Return-Path (easy to skip).
Step 2. Leave DMARC alignment relaxed; do not set aspf=s or adkim=s, which would break Customer.io alignment.
Step 3. Publish the DMARC record on your root domain at _dmarc.yourdomain.com, not on the subdomain.
Step 4. Run the free check below to confirm SPF and DKIM both align before you tighten the policy.

Frequently asked

Will adding these records break the email I already send?

No. Adding SPF includes and DKIM records (whether TXT or CNAME) only adds authentication — it never blocks mail. The only step that can affect delivery is tightening your DMARC policy to quarantine or reject, and that comes later, once reports confirm every legitimate sender passes.

The platform says it “handles DMARC” — do I still need my own record?

Yes. Most platforms handle DKIM (and sometimes SPF) so their mail can pass, but the DMARC record is published on your own domain and controlled by you — it's what tells receivers to act on failures. Providers rarely publish it for you, and you want your own rua= address to see the reports.

How do I confirm it actually worked?

Send yourself a test message and check the headers for dkim=pass and dmarc=pass — or run the free check below on your domain to see SPF, DKIM and DMARC state, and which sending services currently align, in one place.

Don't want to babysit DNS records?
DMARCKeeper monitors your reports, names every sender, and walks you to full p=reject protection.
Start free monitoring →