Help center
/
Deliverability & compliance
/
Email deliverability
/
Deliverability best practices and tools

DNS and SPF setup troubleshooting in Klaviyo

Estimated 5 minute read
|
Updated May 5, 2026, 12:00 AM EST

DNS and SPF setup troubleshooting in Klaviyo

What DNS records Klaviyo uses

Klaviyo uses standard DNS records to prove that you are allowed to send email from your domain. These include:

  • SPF (TXT record) to list which services can send email for your domain.
  • DKIM (CNAME records, pointing to Klaviyo-hosted DKIM records) to let inbox providers verify that messages were not changed.
  • Other TXT records that some tools use to verify domain ownership.

You add and edit these records in your DNS provider (for example GoDaddy, Cloudflare, Shopify, OVH, IONOS, or your hosting panel), not in Klaviyo.

Which records you add depends on the Klaviyo feature you are setting up:

  • Branded sending domain (marketing, transactional, or service): NS records (Dynamic routing), or CNAME records plus a TXT verification record (Static routing).
  • Dedicated click-tracking domain: a single CNAME at the host Klaviyo provides (for example trk.yourbrand.com).
  • DMARC: a TXT record at the root domain (for example _dmarc.example.com), which you configure outside of Klaviyo.

You usually do not need to add an SPF record to send email through Klaviyo. Klaviyo uses its own Return-Path domain on every email, so SPF passes by default. The SPF section below covers cases where you do want to add or edit an SPF record at your branded sending domain.

Where to find your Klaviyo DNS values

In your Klaviyo account, the domain setup area will show the exact records you need to add. For each record, you will see:

  • Name/Host: the part of the domain where the record should live (for example send or send.yourbrand.com).
  • Type: such as TXT.
  • Value: the long string you must copy and paste into your DNS provider.

Copy each value exactly into your DNS host, matching the Name/Host and Type shown in Klaviyo.

DKIM selectors by send type

For Static routing, the names of the DKIM CNAME records depend on the send type for the branded sending domain you are setting up:

  • Marketing domains use km1 and km2 selectors.
  • Transactional domains use kt1 and kt2 selectors.
  • Service domains use ks1 and ks2 selectors.

A second branded sending domain of the same send type uses the next selector pair. For example, a second marketing domain uses km3 and km4.

Existing static branded sending domains that were set up before send types were available continue to use the legacy kl1 and kl2 selectors. No action is required to keep them working.

Dynamic routing does not use selector-named CNAMEs. You add NS records to delegate the sending subdomain to Klaviyo, and Klaviyo serves the DKIM records on your behalf.

Editing an existing SPF record safely

Most domains should have only one SPF record per hostname. If your domain already has an SPF record and you are adding Klaviyo, you usually need to update the existing record, not create a second one.

General tips:

  • Look for an existing TXT record at your domain that starts with v=spf1.
  • If you find one, add Klaviyo’s required mechanism to that same record instead of creating a new v=spf1 TXT.
  • Make sure the record still begins with v=spf1 and ends with a result such as ~all or -all.

If you are sending from a subdomain (for example send.example.com), make sure you edit or add the SPF record at that subdomain’s host, not the wrong hostname. For instance:

  • Host send or send.example.com for send.example.com.
  • Host @ or blank for the root domain example.com (depending on your DNS provider’s interface).

Adding extra TXT records (audits, verification, etc.)

You can usually add additional TXT records for things like security audits or third-party verifications without affecting Klaviyo, as long as you:

  • Do not create a second SPF record (v=spf1) for the same host.
  • Use the host or name specified by the third party (for example a unique string) so it does not conflict with existing SPF/DKIM records.

If you need to prove ownership of your domain, it is generally safe to add a TXT record at your root domain (e.g. example.com) using the exact host and value given by the auditing service.

Click-tracking domain troubleshooting

A dedicated click-tracking domain uses a single CNAME at your DNS provider. If verification is failing or click-through links are not working as expected, check the following:

  • CAA records on the root domain: for SSL provisioning to succeed, your root domain’s CAA records must allow Google to issue certificates. The root domain should permit 0 issue pki.goog. If your CAA record blocks this, certificate issuance will fail.
  • Verification timing: Klaviyo automatically checks for the CNAME every 15 minutes for up to 2 days after you create the click-tracking domain. You can also click Verify in the Klaviyo UI to trigger an immediate check.
  • Removing the click-tracking domain: when you remove a dedicated click-tracking domain in Klaviyo, the underlying DNS record at your provider is preserved by default so that links in previously sent emails continue to resolve. If you delete the CNAME at your DNS provider, those links will stop working.

For setup details and lifecycle states (Verifying, Action Required, Failed, Verified, Active), see How to set up dedicated click tracking.

Common SPF and DNS issues

If you see DNS or SPF-related errors in Klaviyo when verifying your domain, check the following:

  • Record not found: Confirm that the Name/Host in your DNS provider exactly matches what Klaviyo shows (no extra domain added by the UI).
  • Unverified: DNS changes can take time to update; wait and then click to re-check in Klaviyo.
  • Duplicate SPF: Combine multiple v=spf1 values into a single SPF record for that host instead of having more than one.
  • Records being proxied: some DNS providers (Cloudflare in particular) offer a proxy toggle that hides records behind a CDN. Proxying blocks Klaviyo from verifying the record. Disable proxying for your Klaviyo records and keep it disabled.
  • Root domain appended to a CNAME value: some DNS interfaces append your root domain to anything you paste into the Value field. If a CNAME lookup returns something.klaviyodns.com.example.com instead of something.klaviyodns.com, add a trailing period to the Value or check your provider’s syntax for fully qualified names.
  • DNS provider does not support underscores: DKIM records require underscores in the host (for example km1._domainkey.example.com). If your provider’s UI rejects underscores, contact their support team and they can usually create the record for you. If they cannot, consider moving DNS to a provider that supports underscores.
  • DNS provider does not support the @ symbol: the @ symbol stands for the root domain. If your provider’s UI does not accept @, type the root domain directly (for example example.com) in the Host field instead.
  • DNS propagation delays: after saving a DNS change, allow up to 48 hours for the change to propagate worldwide. Most propagation finishes within a few minutes, but caching at the recipient’s side or your DNS provider can extend that window.

Additional resources

Was this article helpful?
Use this form only for article feedback. Learn how to contact support.

Explore more from Klaviyo

Community
Connect with peers, partners, and Klaviyo experts to find inspiration, share insights, and get answers to all of your questions.
Visit Community
Partners
Hire a Klaviyo-certified expert to help you with a specific task, or for ongoing marketing management.
Hire a partner
Support

Access support through your account.

Email support (free trial and paid accounts) Available 24/7

Chat/virtual assistance
 Availability varies by location and plan type

Log in