Klaviyo Deliverability Guide

Klaviyo DKIM Failing or Not Aligned: How to Diagnose and Fix

DKIM failures are one of the most common causes of Klaviyo deliverability issues that senders misdiagnose. Here is how to find the cause and fix it.

Short answer

Klaviyo DKIM failures come from four causes: missing or incorrect CNAME records in your DNS, DKIM keys pointing to a domain that does not match the From address (alignment failure), DMARC strict alignment configured too tightly, or a recent DNS or domain change that broke the existing records. Check the message headers first. The diagnosis is usually clear within five minutes once you know where to look.

A message that fails DKIM alignment is rejected outright by ISPs with strict DMARC enforcement (increasingly, Gmail and Microsoft), and it lands in spam at providers with softer enforcement. Most Klaviyo users do not know their DKIM is failing because Klaviyo's dashboard shows "authentication configured" when only SPF is passing.

This article walks through how to check Klaviyo DKIM status, the specific failure modes, and the step-by-step fix for each.

What DKIM Does

DKIM (DomainKeys Identified Mail) cryptographically signs every outbound message with a key that matches a public record in your DNS. Receiving servers verify the signature, which proves two things:

  1. The message was sent by a server authorised to sign with that key.
  2. The message content has not been modified in transit.

For Klaviyo, DKIM signing happens automatically once you have added the required CNAME records to your DNS and verified them in Klaviyo. The signing uses keys Klaviyo manages; your role is to publish the CNAME records that point to those keys.

DKIM alignment is a separate check. For DKIM to "align" with DMARC, the domain in the DKIM signature (d= in headers) must match the From domain of the message, or a subdomain of it. Klaviyo DKIM typically signs with a subdomain of your sending domain, which aligns correctly for relaxed DMARC (the default). Strict alignment requires an exact match, which can fail if Klaviyo's DKIM signing subdomain differs from the From domain.

How to Check Klaviyo DKIM Status

The fastest way to verify DKIM for a Klaviyo sending domain:

Step 1: Send a test message from Klaviyo to a Gmail address you control.

Step 2: Open the message, click the three-dot menu in the top right, select "Show original."

Step 3: Look for the "DKIM" line at the top. It should say "PASS" with the domain that signed it listed next to it.

Step 4: Check "DMARC" on the same page. If DMARC shows "PASS" with alignment, DKIM is aligned correctly.

If DKIM shows FAIL, or DMARC shows FAIL due to DKIM alignment, you have a problem to fix.

Alternative check methods:

  • Mail Tester (mail-tester.com) provides a detailed DKIM check with specific failure reasons.
  • MXToolbox DKIM Check queries your DNS directly to confirm the records exist.
  • Klaviyo's own domain verification page shows a summary, but it does not catch alignment issues.

Common Klaviyo DKIM Failure Modes

Failure 1: CNAME Records Missing

The most frequent cause. Klaviyo requires two CNAME records in your DNS that point to Klaviyo's DKIM keys. If either is missing, DKIM cannot verify.

How to diagnose: In Klaviyo, go to Account > Settings > Domains and Hosting. If the dedicated sending domain shows "not verified," the CNAMEs are either missing or incorrect.

How to fix: Add both CNAME records exactly as Klaviyo specifies. The typical format is:

  • klaviyo1._domainkey.yourdomain.com pointing to dkim.klaviyomail.com (or similar).
  • klaviyo2._domainkey.yourdomain.com pointing to a second Klaviyo key.

Copy the exact values from Klaviyo's setup page. Small typos in CNAMEs (missing trailing dot, extra underscore) cause silent failures. After adding, wait for DNS propagation (usually under one hour, up to 24 hours worst case), then click "Verify" in Klaviyo.

Failure 2: CNAME Records Point to Wrong Target

Senders sometimes copy CNAME values from a different Klaviyo account or from outdated documentation. The records are present but point to the wrong Klaviyo keys, so signing fails.

How to diagnose: Compare the CNAME values in your DNS to the values Klaviyo shows in Domains and Hosting. They must match character-for-character.

How to fix: Replace the incorrect CNAMEs with the correct ones from Klaviyo's current setup page.

Failure 3: DKIM Alignment Failure

The CNAMEs are correct, DKIM signs successfully, but DMARC still reports alignment failure because the DKIM d= domain does not match the From domain.

How to diagnose: In the test message "Show original" view, find the DKIM-Signature header. The d= parameter shows the signing domain. Compare this to the From domain of the message. For DMARC relaxed alignment, the signing domain and the From domain must share the same organisational domain. For strict alignment, they must be identical.

How to fix: If you use DMARC relaxed alignment (the default), DKIM must sign with your From domain or a subdomain of it. Klaviyo's DKIM typically signs with a subdomain like em1234.yourdomain.com, which aligns with yourdomain.com as From under relaxed rules. If you configured DMARC with strict alignment (adkim=s in the DMARC record), the signing domain must exactly match the From domain. In most cases, the right fix is to switch DMARC to relaxed alignment, not to change DKIM.
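The comparison described above can be scripted. The following is an added example, not Klaviyo's code: it reads the d= tag from each DKIM-Signature header of a constructed message and tests it against the From domain under relaxed (adkim=r) and strict (adkim=s) rules. The second signing domain, the selectors, and the two-entry suffix set standing in for the Public Suffix List are assumptions made for the sample.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: a tiny stand-in for the Public Suffix List; real checks need the full list.
PUBLIC_SUFFIXES = {"com", "co.uk"}

def org_domain(domain):
    """Organisational domain = public suffix plus one label to its left."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback when the suffix is not in the stand-in list

def dkim_alignment(raw_message, adkim="r"):
    """Return [(d= domain, aligned?)] for each DKIM-Signature, per adkim r or s."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    results = []
    for sig in msg.get_all("DKIM-Signature", []):
        # Tag list is "k=v; k=v"; folded header whitespace is stripped per tag.
        tags = {k.strip(): v.strip() for k, _, v in
                (part.partition("=") for part in sig.split(";"))}
        d = tags.get("d", "").lower()
        if adkim == "s":
            aligned = d == from_domain
        else:
            aligned = bool(d) and org_domain(d) == org_domain(from_domain)
        results.append((d, aligned))
    return results

# Constructed sample headers (bh= and b= are placeholders, not real signature data).
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=em1234.yourdomain.com; s=selector1;\n"
    "\th=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=shared-esp.example; s=selector2;\n"
    "\th=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: Brand <hello@yourdomain.com>\n"
    "Subject: alignment test\n\nbody\n"
)

if __name__ == "__main__":
    for mode in ("r", "s"):
        print(mode, dkim_alignment(SAMPLE, mode))
```

Under relaxed rules only the em1234.yourdomain.com signature aligns; under strict rules neither does, which is the Failure 3 pattern.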

Failure 4: Broken DNS After Domain Change

A common scenario: you migrated DNS providers, changed domain ownership, or updated nameservers, and the Klaviyo CNAMEs were not carried over.

How to diagnose: DNS records show the CNAMEs are no longer present, or they point to old targets that no longer exist.

How to fix: Re-add the Klaviyo CNAMEs in the new DNS provider. Verify propagation. Re-verify in Klaviyo.

Failure 5: Subdomain Sends Without Authentication

If you send from multiple subdomains through Klaviyo (for example, news.brand.com and shop.brand.com), each needs its own set of CNAMEs. Sending from a subdomain that is not individually authenticated produces DKIM failures.

How to diagnose: Check which subdomains you send from. In Klaviyo's Domains and Hosting, verify each is separately verified.

How to fix: Add CNAME records for each subdomain, or consolidate sending to a single verified subdomain.
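The DNS-side checks for Failures 1, 2, 4 and 5 reduce to one audit: for every sending subdomain and selector, compare the published CNAME with the value on the setup page. The sketch below is an added example, not Klaviyo tooling. It runs over a constructed record export rather than live DNS, the targets are placeholders rather than real Klaviyo values, and it additionally flags two common entry mistakes (zone origin appended to the target, zone origin doubled in the owner name).

```python
SELECTORS = ("klaviyo1", "klaviyo2")  # selector labels from the article's typical format

def norm(name):
    """DNS names compare case-insensitively; drop the root dot for comparison."""
    return name.strip().lower().rstrip(".")

def audit_dkim_cnames(zone_origin, sending_domains, expected, published):
    """Return {owner: status} for every selector on every sending domain.

    expected:  selector -> target copied from the ESP's setup page
    published: owner -> target as exported from the DNS provider (FQDNs)
    """
    origin = norm(zone_origin)
    zone = {norm(k): norm(v) for k, v in published.items()}
    report = {}
    for domain in map(norm, sending_domains):
        for sel in SELECTORS:
            owner = f"{sel}._domainkey.{domain}"
            want, got = norm(expected[sel]), zone.get(owner)
            if got == want:
                status = "ok"
            elif got == f"{want}.{origin}":
                # Target entered without a trailing dot, so the zone origin was appended.
                status = "wrong-target: zone origin appended"
            elif got is not None:
                status = "wrong-target"
            elif f"{owner}.{origin}" in zone:
                # Full name typed into a UI that appends the zone automatically.
                status = "missing: owner has zone origin doubled"
            else:
                status = "missing"
            report[owner] = status
    return report

# Constructed sample: placeholder targets, not real Klaviyo values.
EXPECTED = {"klaviyo1": "dkim1.esp-placeholder.example.",
            "klaviyo2": "dkim2.esp-placeholder.example."}
PUBLISHED = {
    "klaviyo1._domainkey.news.brand.com.": "DKIM1.esp-placeholder.example.",
    "klaviyo2._domainkey.news.brand.com.": "dkim2.esp-placeholder.example.brand.com.",
    "klaviyo1._domainkey.shop.brand.com.brand.com.": "dkim1.esp-placeholder.example.",
}
REPORT = audit_dkim_cnames("brand.com", ["news.brand.com", "shop.brand.com"],
                           EXPECTED, PUBLISHED)

if __name__ == "__main__":
    for owner, status in REPORT.items():
        print(f"{owner:45} {status}")
```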

DKIM, SPF, and DMARC Together

DKIM is one of three authentication mechanisms. Understanding how they interact helps with diagnosis.

SPF specifies which servers are authorised to send mail from your domain. Klaviyo requires you to add its include to your SPF record.

DKIM cryptographically signs messages. Klaviyo handles signing; you publish the public keys via CNAMEs.

DMARC specifies what to do with messages that fail SPF or DKIM alignment. The policy is p=none (monitor only), p=quarantine (send to spam), or p=reject (reject outright).

For DMARC to pass, at least one of SPF or DKIM must pass AND align. DKIM alignment is usually easier to achieve consistently than SPF alignment, which is why DKIM is often the primary alignment path for Klaviyo senders.

If your DMARC report shows DKIM failing but SPF passing and aligning, DMARC as a whole may still pass. But DKIM failures signal a problem you should fix, both for deliverability and for eventual DMARC enforcement.

Fixing DKIM After Key Rotation

Klaviyo occasionally rotates DKIM keys. When it does, new CNAMEs are published and you may need to add them alongside or instead of the old ones.

If you suddenly see DKIM failures on a previously working Klaviyo account, check whether Klaviyo has issued a key rotation notice (Dashboard notifications, email to the account admin). The fix is usually to add a new set of CNAMEs and let the old ones expire.

Key rotation is normal and generally good for security, but it requires the sender to update DNS records. Failing to do so breaks DKIM until the update is made.

What Happens When DKIM Fails

The immediate consequences of DKIM failure vary by receiving ISP:

  • Gmail: Increasingly strict about DMARC alignment. Sustained DKIM failures with a DMARC policy of p=quarantine or p=reject push mail to spam or outright rejection.
  • Microsoft: Treats DKIM failures as a reputation negative. Sustained failures contribute to SmartScreen filtering and can trigger S3150 blocks.
  • Yahoo: Requires aligned DKIM under the 2024 bulk sender rules. Failures produce rejection.
  • Apple: More forgiving but still weighs DKIM in reputation scoring.

Even if mail is still being delivered despite DKIM failure, reputation is being damaged continuously. Fixing DKIM quickly stops the bleed.

Frequently asked questions

Why is my Klaviyo DKIM failing?

The most common causes are missing CNAME records, CNAMEs pointing to the wrong Klaviyo targets, DKIM alignment failing against DMARC strict policy, or DNS changes that broke previously working records. Check message headers for the specific failure reason, then match it against the cause.

How do I fix Klaviyo DKIM not passing?

Verify the CNAME records in your DNS match exactly what Klaviyo specifies in Account > Settings > Domains and Hosting. If they are missing or wrong, correct them and wait for DNS propagation. Re-verify in Klaviyo. Send a test message and check the "Show original" output in Gmail to confirm DKIM now shows PASS.

What does DKIM alignment mean for Klaviyo?

DKIM alignment means the domain in the DKIM signature (d= in headers) matches or is a subdomain of the From address domain. For Klaviyo, this usually happens automatically when DKIM signs with a Klaviyo subdomain of your sending domain. Strict DMARC alignment requires the signing domain to match the From exactly, which can fail with Klaviyo's default setup.

How do I check if Klaviyo DKIM is working?

Send a test message from Klaviyo to a Gmail address. Open it, click the three-dot menu, select "Show original." The DKIM line should show PASS. If it shows FAIL or NEUTRAL, DKIM is not working and needs to be fixed.

What is the difference between Klaviyo DKIM and SPF?

SPF authorises specific sending servers (by IP) to send mail from your domain. DKIM cryptographically signs each message to prove it was authorised and unchanged. Both should pass and align for DMARC to fully verify. They address different authentication questions and both are required for modern deliverability.

Can DKIM failures cause Klaviyo emails to go to spam?

Yes. Gmail and Microsoft treat DKIM failures as reputation negatives, and both now enforce DMARC alignment strictly enough that repeated failures produce spam placement or outright rejection. DKIM is not optional for Klaviyo deliverability in 2026.

Does Klaviyo rotate DKIM keys?

Periodically, yes. When Klaviyo rotates keys, they issue new CNAMEs that you need to add to your DNS. Failing to update DNS after a key rotation breaks DKIM until the new CNAMEs are published. Klaviyo usually notifies account admins when rotation is scheduled.