ConvertKit (now rebranded as Kit) is an email marketing platform used by creators and small businesses to send newsletters and automated sequences. If your From address uses your own domain, you need SPF, DKIM, and DMARC records in DNS so receiving servers accept those messages and don't route them to spam. By the end of this guide you will have all three records published and verified.
Before you begin
- Write access to the DNS zone for the domain you send from (via your registrar or DNS host — Cloudflare, Route 53, GoDaddy, etc.)
- Admin access to your ConvertKit / Kit account with a custom sending domain already added
- The ability to send a test email from that domain and view the full message headers
- A text editor to stage your SPF record changes before applying them
Step 1: Identify what's sending from ConvertKit
ConvertKit sends on your behalf from its own mail infrastructure. Depending on your account tier and whether you use a custom sending domain, mail may leave from ConvertKit's shared sending pool or from a dedicated IP range. Because ConvertKit's infrastructure can span multiple IP blocks and may route through a third-party delivery layer, your SPF record needs the correct include: mechanism that covers all of those addresses — not just one. Before editing DNS, confirm in your ConvertKit account settings which domain is set as the custom sending domain and note any sub-domains (for example, mail.your-domain.com) that ConvertKit may have asked you to configure separately.
Step 2: Add the SPF include
SPF is published as a single TXT record on the root of your sending domain (or subdomain). You may already have an SPF record if you send from other platforms — if so, you must merge the new include: into the existing record rather than creating a second one. Two SPF records on the same name will cause an SPF permerror.
ConvertKit's required SPF include string should be retrieved from your Kit account's email authentication or custom domain settings page. Their documentation typically lists an include: value pointing to their sending infrastructure. A common pattern for platforms that use SparkPost or similar infrastructure is shown below, but you must confirm the exact value in Kit's DNS setup guide before publishing.
Before — an existing SPF record that covers only Google Workspace:
your-domain.com. TXT "v=spf1 include:_spf.google.com ~all"
After — with ConvertKit's include added (replace <convertkit-spf-include> with the exact string from Kit's documentation):
your-domain.com. TXT "v=spf1 include:_spf.google.com include:<convertkit-spf-include> ~all"
If ConvertKit is the only platform sending from this domain:
your-domain.com. TXT "v=spf1 include:<convertkit-spf-include> ~all"
SPF 10-lookup limit: Every include:, a:, and mx: mechanism that requires a DNS lookup counts against a hard limit of 10. Many SaaS platforms chain several includes internally, so adding two or three platform includes can push you over the limit without warning. Use a tool such as MXToolbox SPF Check after publishing to count your lookups. If you are already near the limit, consider SPF flattening or a delegation solution like DMARC Busta's SPF Auto-Repair.
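The merge and the lookup count can be staged offline before touching DNS. The following is an added example, not code from Kit or from this guide's tooling: it merges an include into an existing record, rejects duplicate SPF records, and counts lookups through nested includes. The zone contents and the name kit-spf.example (standing in for <convertkit-spf-include>) are constructed assumptions.

```python
import re

# Constructed zone for illustration. "kit-spf.example" stands in for
# <convertkit-spf-include>; record contents are not any provider's real data.
ZONE = {
    "your-domain.com": ["v=spf1 include:_spf.google.com ~all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.example ~all"],
    "_netblocks.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "kit-spf.example": ["v=spf1 include:relay.example ip4:198.51.100.0/24 ~all"],
    "relay.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
}

def merge_include(record, target):
    """Add include:<target> to an existing record, ahead of the 'all' term."""
    terms = record.split()
    new = f"include:{target}"
    if new in terms:
        return record
    pos = next((i for i, t in enumerate(terms)
                if t.lstrip("+-~?").lower() == "all"), len(terms))
    terms.insert(pos, new)
    return " ".join(terms)

def count_lookups(name, zone, depth=0):
    """Count DNS-querying terms reachable from name (the SPF limit is 10)."""
    records = [t for t in zone.get(name, []) if t.lower().startswith("v=spf1")]
    if len(records) != 1:
        raise ValueError(f"{name}: {len(records)} SPF records (need exactly 1)")
    if depth > 10:
        raise ValueError(f"{name}: include chain too deep")
    total = 0
    for term in records[0].split()[1:]:          # skip the v=spf1 term
        mech = term.lstrip("+-~?").lower()
        if mech.startswith(("include:", "redirect=")):
            target = re.split("[:=]", mech, maxsplit=1)[1]
            total += 1 + count_lookups(target, zone, depth + 1)
        elif re.match(r"(a|mx|exists|ptr)([:/]|$)", mech):
            total += 1
    return total
```

To use it against a live domain, fill the zone dictionary from dig TXT output for each include target instead of the constructed entries.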
Step 3: Enable DKIM in ConvertKit
DKIM lets ConvertKit cryptographically sign outgoing messages so receiving servers can verify the mail genuinely originated from an authorized sender for your domain. ConvertKit generates the key pair; you publish only the public key in DNS as a TXT record.
- Log in to your ConvertKit / Kit account.
- Navigate to the email authentication or sending domain settings area. In recent versions of the Kit interface this is typically found under Settings → Email or Settings → Custom Domain — verify the exact path in Kit's current help documentation, as UI labels change between releases.
- Locate the DKIM section. Kit will display a DKIM TXT record to publish. Copy the full record — it includes both the DNS name (the selector) and the value (the public key string).
- Publish the record in your DNS zone. The record name follows the standard format:
<selector>._domainkey.your-domain.com. TXT "v=DKIM1; k=rsa; p=<public-key-string>"
Replace <selector> with the selector name shown in your Kit dashboard (Kit's documentation will confirm the exact selector they assign). Replace <public-key-string> with the base64 key value Kit provides.
Long key values: RSA-2048 public keys often exceed 255 characters. Some DNS providers require you to split the value into multiple quoted strings within the same TXT record:
<selector>._domainkey.your-domain.com. TXT "v=DKIM1; k=rsa; p=<first-chunk>" "<second-chunk>"
If your DNS provider has a single text field, paste the full key as one string — most modern providers handle the chunking automatically. If they don't, split the key at 255 characters and wrap each segment in its own pair of double quotes within the same record value.
After publishing, allow up to 48 hours for DNS propagation, then confirm the record is resolving with:
dig TXT <selector>._domainkey.your-domain.com +short
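For providers that do not chunk long values, and for checking what actually got published, the following added example (not Kit's code) splits a record into 255-character quoted strings, rejoins the quoted strings from a dig +short answer, and reports where the published key differs from the expected one. The key is constructed filler, not a real public key.

```python
import re

# Constructed filler standing in for the base64 key shown in the Kit dashboard.
KEY = "ABCD" * 98                      # 392 characters, as for an RSA-2048 key
RECORD = f"v=DKIM1; k=rsa; p={KEY}"

def split_txt(value, limit=255):
    """Split a TXT value into quoted strings of at most `limit` characters."""
    chunks = [value[i:i + limit] for i in range(0, len(value), limit)]
    return " ".join(f'"{c}"' for c in chunks)

def join_txt(dig_line):
    """Rejoin the quoted strings of one `dig +short` TXT answer line."""
    return "".join(re.findall(r'"([^"]*)"', dig_line))

def dkim_tags(record):
    """Parse 'tag=value; tag=value' into a dict, trimming outer whitespace."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def compare_key(expected_record, dig_line):
    """Return None if the published p= matches, else describe the difference."""
    want = dkim_tags(expected_record).get("p", "")
    got = dkim_tags(join_txt(dig_line)).get("p", "")
    if want == got:
        return None
    if len(got) < len(want) and want.startswith(got):
        return f"truncated: {len(got)} of {len(want)} characters published"
    pos = next((i for i, (a, b) in enumerate(zip(want, got)) if a != b),
               min(len(want), len(got)))
    return f"mismatch at character {pos}"
```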
Step 4: Publish your DMARC record
DMARC ties SPF and DKIM together and tells receiving servers what to do when mail from your domain fails both checks. It also enables aggregate reporting so you can see which sources are sending as your domain.
Start with p=none. This monitoring-only policy collects reports without affecting mail delivery, giving you at least 14 days of data to confirm that ConvertKit — and any other legitimate senders — are passing authentication before you move to p=quarantine or p=reject.
Publish this TXT record on _dmarc.your-domain.com:
_dmarc.your-domain.com. TXT "v=DMARC1; p=none; rua=mailto:dmarc-rua@dmarcbusta.pro; ri=86400"
| Tag | Value | Meaning |
|---|---|---|
| v | DMARC1 | Protocol version — must be present and first |
| p | none | No enforcement yet — monitor only |
| rua | mailto:dmarc-rua@dmarcbusta.pro | Address that receives aggregate XML reports |
| ri | 86400 | Reporting interval in seconds (once per day) |
Once you have reviewed your aggregate reports and confirmed that ConvertKit's sending passes SPF and DKIM alignment, progress to p=quarantine and eventually p=reject. Do not rush this — moving to p=reject before all legitimate sources are covered will cause mail to be silently dropped at receiving servers.
Step 5: Verify it works
Before sending a test email, confirm your DMARC record actually published. Use our free DMARC Checker to look up _dmarc.your-domain.com and verify the record is live, has the correct policy (p=none, quarantine, or reject), and is configured for aggregate reporting. While you are there, run the SPF Checker against your domain to make sure the SPF lookup tree is clean — once both records check out, the live email test below will give you the final confirmation.
Send a real email from ConvertKit to a Gmail or Yahoo address you control. In Gmail, open the message, click the three-dot menu in the top-right of the message pane, and select Show original. In Yahoo Mail, open the message and select View raw message. Look for the Authentication-Results header near the top of the raw headers:
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of bounce@your-domain.com designates x.x.x.x as permitted sender)
dkim=pass header.i=@your-domain.com header.s=<selector>
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=your-domain.com
- spf=pass — ConvertKit's sending IP is listed in your SPF record and the domain in the envelope Return-Path or MAIL FROM matches.
- dkim=pass — The DKIM signature in the message header verified correctly against the public key in DNS.
- dmarc=pass — At least one of SPF or DKIM passed and the authenticated domain aligns with the From: header domain. Both must be true for DMARC to pass.
If any result shows fail or none, do not proceed to stricter DMARC policies until the root cause is resolved. Use the troubleshooting section below as a starting point.
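Reading the header by eye can miss the alignment half of the DMARC check. The following added example (not part of the original guide) parses an Authentication-Results header and lists which passing mechanisms also align, in relaxed mode, with the From: domain. Both sample headers are constructed, and the organizational-domain function is a two-label simplification rather than a Public Suffix List lookup.

```python
import re

# Constructed sample headers; domains, selector and IP are placeholders.
PASSING = """Authentication-Results: mx.google.com;
 dkim=pass header.i=@your-domain.com header.s=sel1;
 spf=pass (google.com: domain of bounce@mail.your-domain.com designates 192.0.2.10 as permitted sender) smtp.mailfrom=bounce@mail.your-domain.com;
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=your-domain.com"""
MISALIGNED = """Authentication-Results: mx.google.com;
 dkim=pass header.i=@shared-esp.example header.s=sel1;
 spf=pass smtp.mailfrom=bounce@shared-esp.example;
 dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=your-domain.com"""

def parse_auth_results(header):
    """Return a list of (method, result, properties) from one header."""
    body = header.split(":", 1)[1]
    body = re.sub(r"\([^)]*\)", " ", body)        # drop (comments)
    entries = []
    for clause in body.split(";")[1:]:            # clause 0 is the authserv-id
        tokens = clause.split()
        if tokens and "=" in tokens[0]:
            method, result = tokens[0].split("=", 1)
            props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            entries.append((method.lower(), result.lower(), props))
    return entries

def org_domain(domain):
    # Simplification: last two labels. Real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_summary(header):
    """Report the DMARC verdict and which passing checks align with From:."""
    entries = parse_auth_results(header)
    dmarc = next(((r, p) for m, r, p in entries if m == "dmarc"), ("none", {}))
    from_dom = dmarc[1].get("header.from", "")
    aligned = []
    for method, result, props in entries:
        ident = {"spf": props.get("smtp.mailfrom"),
                 "dkim": props.get("header.i") or props.get("header.d")}.get(method)
        if result == "pass" and ident and from_dom:
            if org_domain(ident.split("@")[-1]) == org_domain(from_dom):
                aligned.append(method)
    return {"from": from_dom, "dmarc": dmarc[0], "aligned": aligned}
```

The MISALIGNED sample shows spf=pass and dkim=pass alongside dmarc=fail: both checks passed for a domain other than the one in From:, so neither counts toward DMARC.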
Common errors with ConvertKit
- DKIM selector not found in DNS: The most frequent cause is a typo in the record name when publishing. Copy the selector name exactly as shown in Kit's dashboard — selectors are case-sensitive. Confirm the record is live with dig TXT <selector>._domainkey.your-domain.com before sending a test.
- Duplicate SPF records: Creating a second TXT record with v=spf1 on the same name instead of editing the existing one causes a permanent SPF error. Your domain must have exactly one SPF record; merge all include: mechanisms into it.
- SPF lookup count exceeded: ConvertKit may chain additional includes internally. If you are also using Google Workspace, Microsoft 365, Salesforce, or other platforms, the total lookup count can exceed 10. Audit your lookups with an SPF check tool and flatten or delegate as needed.
- DKIM public key truncated or split incorrectly: Some DNS control panels silently truncate long TXT values or add extra whitespace. After publishing, retrieve the raw TXT value with dig and compare it character-for-character against the value Kit provided. A single missing character will invalidate the signature.
- From header domain misalignment: DMARC alignment requires that the domain in the From: header matches the domain that passed SPF or DKIM. If ConvertKit sends using a subdomain (e.g. mail.your-domain.com) but your From: address is @your-domain.com, check whether ConvertKit supports relaxed DKIM alignment or whether you need to adjust your sending domain configuration inside Kit.
How DMARC Busta helps
The steps above are a one-time setup for a single domain. In practice, SPF records drift as you add and remove platforms, DKIM keys rotate, new sending sources appear, and DMARC policy progression requires ongoing review of aggregate report data. DMARC Busta is designed to manage this across 10,000+ domains simultaneously — its Autopilot mode monitors your aggregate reports and advances your DMARC policy from p=none through to p=reject only when the data shows it is safe to do so. SPF Auto-Repair handles delegation and source changes without manual DNS edits. Managed DMARC reporting surfaces the data you need to act on, without the raw XML.
If you manage email authentication for multiple clients or domains — or if you expect your sending infrastructure to change over time — DMARC Busta's Autopilot mode and SPF Auto-Repair are designed to replace the manual process described in this guide with a continuously managed, audit-ready configuration.