3,932 Australian domains analysed. Most fail basic email authentication. [2026 Report]

How to Set Up SPF, DKIM and DMARC for Brevo (2026)

DMARC Busta Team
March 9, 2026
9 min read
How to Set Up SPF, DKIM and DMARC for Brevo (2026)

Brevo (formerly Sendinblue) is a marketing and transactional email platform used by businesses of all sizes to send campaigns, automations, and SMTP relay traffic. Without proper SPF, DKIM, and DMARC configuration, mail sent through Brevo on your domain is vulnerable to spoofing and increasingly likely to land in spam. By the end of this guide you will have all three DNS records published and verified.

Before you begin

  • Write access to the DNS zone for the domain you are sending from (via your registrar or DNS host — Cloudflare, Route 53, GoDaddy, etc.)
  • Admin-level access to your Brevo account
  • The ability to send a test email from your domain and view full message headers
  • An existing SPF record on your domain, or confirmation that no SPF record currently exists (check with dig TXT your-domain.com or an online DNS lookup tool)

Step 1: Identify what's sending from Brevo

Before touching DNS, confirm which sending infrastructure Brevo is using for your account. Brevo can send through shared IP pools, dedicated IPs, or custom subdomain setups depending on your plan. If you have transactional email configured separately from your marketing campaigns, both paths must be authorized. Log in to your Brevo account and check under your sending domain settings — Brevo may require you to authenticate a specific sender domain rather than your root domain. Use whichever domain appears in your From: header (for example mail.your-domain.com or your-domain.com) as the domain you publish DNS records for throughout this guide.

Step 2: Add the SPF include

Brevo's outbound mail servers must be listed in your domain's SPF record. Brevo's SPF include string, based on their published documentation, is include:spf.sendinblue.com — however, you should confirm the current value in Brevo's own DNS setup documentation or inside your account's sender domain authentication panel before publishing, as vendors occasionally change or add include strings.

Your SPF record must be a single TXT record on the root of your sending domain (or subdomain). You cannot have two separate SPF TXT records — merge any existing content into one.

Before (existing SPF record, example):

your-domain.com.  TXT  "v=spf1 include:_spf.google.com ~all"

After (Brevo added):

your-domain.com.  TXT  "v=spf1 include:_spf.google.com include:spf.sendinblue.com ~all"

If you have no existing SPF record, publish a new one:

your-domain.com.  TXT  "v=spf1 include:spf.sendinblue.com ~all"

SPF lookup limit warning: SPF evaluation resolves a maximum of 10 DNS lookups. Each include: mechanism typically resolves to at least one additional lookup, and nested includes add more. If your domain already sends through several platforms (Google Workspace, Microsoft 365, Salesforce, etc.), you may already be close to the limit. Adding Brevo could push you over. Use a tool such as DMARC Busta's SPF Auto-Repair or a free SPF lookup counter to audit your current lookup depth before publishing.

Step 3: Enable DKIM in Brevo

DKIM adds a cryptographic signature to your outgoing mail that receiving servers use to verify the message was not tampered with in transit. Brevo generates a DKIM key pair and gives you the public key to publish in DNS.

Retrieve your DKIM public key from Brevo

  1. Log in to your Brevo account.
  2. Navigate to the sender domain authentication section — this is typically found under your account or settings menu in an area labeled something like Senders & IPs or Domains. Locate the domain you want to authenticate and look for a DKIM or DNS configuration option. (Verify the exact path in Brevo's current help documentation, as the interface is periodically updated.)
  3. Brevo will display a DKIM TXT record for you to publish. Copy the full record value — it will be a long string beginning with v=DKIM1; k=rsa; p= followed by the public key.
  4. Note the selector name Brevo assigns. It will appear as the subdomain prefix for your DKIM record name (for example, mail._domainkey). Brevo has historically used the selector mail, but confirm the exact selector shown in your account panel before publishing.

Publish the DKIM TXT record in DNS

Create a new TXT record in your DNS zone using the selector and value provided by Brevo:

Record name:  mail._domainkey.your-domain.com
Record type:  TXT
TTL:          3600 (or your DNS provider's default)
Value:        "v=DKIM1; k=rsa; p=<public-key-string-from-brevo>"

If the public key string is very long (over 255 characters), your DNS provider may require you to split it into two quoted strings within the same TXT record:

"v=DKIM1; k=rsa; p=<first-half-of-key>"
"<second-half-of-key>"

Most modern DNS consoles handle this automatically or document how to split TXT strings. Check your provider's documentation if you see an error about record length.

Verify Brevo recognizes the record

Return to the domain authentication section in Brevo and trigger a DNS check or verification step if the platform provides one. Brevo typically shows a green checkmark or "Verified" status once it can resolve the DKIM record. DNS propagation can take a few minutes to several hours depending on your TTL settings.

Step 4: Publish your DMARC record

DMARC tells receiving mail servers what to do when a message fails SPF or DKIM alignment. Start with p=none — this monitors without blocking any mail — and collect reporting data for a minimum of 14 days before moving to p=quarantine or p=reject. Skipping the monitoring phase risks blocking legitimate mail from sending sources you have not yet identified.

Publish the following TXT record on the _dmarc subdomain of your sending domain:

Record name:  _dmarc.your-domain.com
Record type:  TXT
TTL:          3600
Value:        "v=DMARC1; p=none; rua=mailto:dmarc-rua@dmarcbusta.pro; ri=86400; adkim=r; aspf=r"

Tag reference for this record:

Tag Value used Meaning
p none Monitor only — no action taken on failing mail
rua mailto:dmarc-rua@dmarcbusta.pro Aggregate report destination
ri 86400 Reporting interval in seconds (24 hours)
adkim r Relaxed DKIM alignment
aspf r Relaxed SPF alignment

Once you have reviewed at least two weeks of aggregate reports and confirmed all legitimate sending sources are passing, update the policy tag to p=quarantine, monitor for another week or two, then advance to p=reject.

Step 5: Verify it works

Before sending a test email, confirm your DMARC record actually published. Use our free DMARC Checker to look up _dmarc.your-domain.com and verify the record is live, has the correct policy (p=none, quarantine, or reject), and is configured for aggregate reporting. While you are there, run the SPF Checker against your domain to make sure the SPF lookup tree is clean — once both records check out, the live email test below will give you the final confirmation.

After DNS changes have propagated (allow at least 30 minutes; longer if your TTL was previously set high), send a test message from your Brevo account to a Gmail or Yahoo Mail address you control.

Check headers in Gmail

  1. Open the received message in Gmail.
  2. Click the three-dot menu in the top-right corner of the message and select Show original.
  3. In the message source view, look for the Authentication-Results header near the top.

A correctly configured domain will show all three passing:

Authentication-Results: mx.google.com;
  spf=pass (google.com: domain of sender@your-domain.com designates x.x.x.x as permitted sender)
  dkim=pass header.i=@your-domain.com header.s=mail
  dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=your-domain.com

What each result means in context:

  • spf=pass — The sending IP is authorized in your SPF record.
  • dkim=pass — The message signature validates against the public key in DNS.
  • dmarc=pass — At least one of SPF or DKIM aligns with the From: domain, satisfying DMARC.

If any result shows fail or none, refer to the section below before advancing your DMARC policy.

Common errors with Brevo

  • DKIM selector mismatch. The selector name you published in DNS does not match the selector Brevo is signing with. Double-check the selector string in your Brevo account panel and ensure the DNS record name matches exactly — including the ._domainkey.your-domain.com suffix.
  • DKIM public key split incorrectly. Long DKIM keys (2048-bit) exceed the 255-character TXT string limit. If you paste the full key as a single unquoted string, many DNS providers silently truncate it. Follow your DNS provider's documentation for splitting TXT strings into multiple quoted segments within one record.
  • Duplicate SPF records. Publishing a second TXT record with v=spf1 on the same domain instead of merging into an existing one causes a permanent SPF error. There must be exactly one SPF TXT record per domain or subdomain.
  • SPF lookup overflow. Brevo's include resolves to additional lookups internally. If your domain already includes several other platforms, adding Brevo may push your total past 10 lookups. Use SPF flattening or a managed SPF service to stay within the limit.
  • From domain and authenticated domain mismatch. If your email From: header uses your-domain.com but you authenticated mail.your-domain.com in Brevo, DMARC alignment will fail under strict mode. Authenticate the exact domain used in the visible From address, or use relaxed alignment (adkim=r; aspf=r) if subdomain sending is intentional.

How DMARC Busta helps

The steps above are a one-time manual configuration. The harder ongoing work is interpreting aggregate reports, identifying new sending sources that appear over time, keeping your SPF record under the 10-lookup ceiling as you add or remove platforms, and knowing when it is safe to advance your DMARC policy. That is the operational layer DMARC Busta is designed to handle.

DMARC Busta's Autopilot mode monitors your aggregate report data and manages DMARC policy progression automatically — moving from p=none toward p=reject when the data supports it. SPF Auto-Repair uses automated delegation to keep your SPF record within the 10-lookup limit even as your sending stack changes. The platform's managed DMARC reporting and multi-domain dashboard are designed to manage 10,000+ domains, making it practical for MSPs and enterprise teams to maintain enforcement across a large portfolio without manual intervention on each record.

Start your free trial and put your email authentication on autopilot.

Share this article

Twitter LinkedIn

Related Articles

Put Your Email Security on Autopilot

Let AI handle DMARC compliance while you focus on your business.

Start Free Trial Learn About Autopilot