Klaviyo DMARC Setup Guide: From p=none to p=reject
A step-by-step walkthrough of DMARC for Klaviyo senders: the three-stage policy progression, how to read aggregate reports, and the Klaviyo-specific failure modes to watch for.
Setting up DMARC for Klaviyo requires three steps: publish a DMARC record at _dmarc.yourdomain.com starting with p=none, verify Klaviyo's DKIM and SPF pass and align for your From domain, then progress to p=quarantine and eventually p=reject once reports show clean alignment. The full progression takes six to twelve weeks for most senders. Gmail and Yahoo's 2024 bulk-sender rules now require DMARC, so this is not optional.
DMARC is the final piece of email authentication. SPF says who can send for your domain. DKIM cryptographically signs each message. DMARC tells receiving servers what to do when SPF or DKIM fail or do not align with the From address. Without DMARC, the authentication story is incomplete. With DMARC configured badly, legitimate mail gets rejected.
This guide walks through a full Klaviyo DMARC setup, the three-stage policy progression, how to read DMARC reports, and the Klaviyo-specific failure modes to watch for.
What DMARC Does for a Klaviyo Sender
Three things DMARC accomplishes:
Enforcement. When a receiving server sees a message that fails SPF or DKIM alignment against your From domain, DMARC tells it how to handle the message. Quarantine it to spam, reject it outright, or let it through (monitor-only). Without DMARC, receiving servers guess.
Visibility. DMARC reports (XML files sent to an address you specify) tell you which servers are sending mail claiming to be from your domain. This includes Klaviyo sending correctly, your transactional ESP, your customer service tool, and, occasionally, unauthorised senders attempting phishing.
Compliance. Gmail and Yahoo's 2024 bulk-sender rules require DMARC for senders above certain volume thresholds. Klaviyo senders above 5,000 messages per day to Gmail need DMARC published, at minimum with p=none.
The Three-Stage Klaviyo DMARC Progression
Do not jump straight to p=reject. The standard progression gives you time to catch authentication failures before they cause legitimate mail to be rejected.
Stage 1: p=none (Monitor Mode)
Publish a DMARC record that tells receivers to deliver mail normally but send you reports on what fails.
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensics@yourdomain.com; pct=100; sp=none
Parameters:
- v=DMARC1: version, always this value
- p=none: policy, monitor only
- rua=mailto:...: aggregate report destination
- ruf=mailto:...: forensic report destination (optional)
- pct=100: percentage of failing mail to apply the policy to
- sp=none: subdomain policy (apply the same as main)
Duration: Stay at p=none for at least four weeks. Review aggregate reports to confirm Klaviyo DKIM and SPF are passing and aligning for your sending domain, and to identify any other legitimate senders (transactional ESP, CRM, customer service) that need to be authenticated.
Stage 2: p=quarantine with low pct
Once reports show stable alignment for all legitimate senders, progress to quarantine, but start with a low percentage (pct=25) so only 25% of failing mail is quarantined.
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=25; sp=quarantine
Duration: Two weeks at pct=25, then move to pct=50, pct=75, then pct=100. Total stage 2 duration: roughly four to six weeks.
Watch reports for any legitimate mail that is now being quarantined. If you see alignment failures from a sender you recognise, pause the ramp until that sender is correctly authenticated.
Stage 3: p=reject
When aggregate reports show no alignment failures from legitimate senders for at least two consecutive weeks, progress to reject.
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; pct=100; sp=reject
At this stage, any mail from your domain that fails both SPF and DKIM alignment is rejected by receiving servers. This is the strongest protection against phishing and impersonation, and it is what Gmail and Yahoo increasingly prefer.
Duration: Permanent, once you reach it. Continue monitoring DMARC reports for drift.
Klaviyo DKIM and SPF Alignment for DMARC
For DMARC to pass, at least one of SPF or DKIM must pass AND align with the From domain. Klaviyo's setup affects both paths.
SPF alignment: Klaviyo sends with a return-path at a Klaviyo-owned domain (something like bounces.klaviyomail.com). Even under relaxed SPF alignment, that domain does not match your From domain, so SPF alignment fails by default for Klaviyo. This is expected and not a problem, provided DKIM alignment passes.
DKIM alignment: Klaviyo DKIM signs with a subdomain of your sending domain (for example, em1234.yourdomain.com). For DMARC relaxed alignment (the default), this aligns with yourdomain.com as the From organisational domain. For strict alignment (adkim=s), this fails because the signing subdomain does not exactly match the From.
The practical implication: use DMARC relaxed alignment (the default) with Klaviyo. Strict alignment will cause DKIM to fail alignment and DMARC to reject legitimate Klaviyo mail.
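The alignment logic described above, as an added example (not Klaviyo's or any receiver's code). It evaluates the page's sample identifiers under relaxed and strict alignment. The function names are hypothetical, and the organisational domain is approximated as the last two labels, which is an assumption; real evaluators use the Public Suffix List.

```python
def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    # Assumption: organisational domain = last two labels. Production code
    # must consult the Public Suffix List (think of .co.uk domains).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Mode 'r' (relaxed) compares organisational domains; 's' (strict) needs an exact match."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def dmarc_result(record, from_domain, dkim_d, dkim_pass, mail_from, spf_pass):
    """DMARC passes when SPF or DKIM both passes and aligns with the From domain."""
    tags = parse_dmarc(record)
    dkim_ok = dkim_pass and aligned(dkim_d, from_domain, tags.get("adkim", "r"))
    spf_ok = spf_pass and aligned(mail_from, from_domain, tags.get("aspf", "r"))
    return {"dkim_aligned": dkim_ok, "spf_aligned": spf_ok,
            "dmarc": "pass" if (dkim_ok or spf_ok) else "fail"}


# Constructed message, using the placeholder domains from the text above.
KLAVIYO = dict(from_domain="yourdomain.com", dkim_d="em1234.yourdomain.com",
               dkim_pass=True, mail_from="bounces.klaviyomail.com", spf_pass=True)

if __name__ == "__main__":
    for rec in ("v=DMARC1; p=reject; pct=100",
                "v=DMARC1; p=reject; adkim=s; pct=100"):
        print(rec, "->", dmarc_result(rec, **KLAVIYO))
```

With the default relaxed mode, DKIM carries the DMARC pass while SPF stays unaligned; adding adkim=s turns the same message into a DMARC failure.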
Reading Klaviyo DMARC Reports
Aggregate DMARC reports are XML files sent to the rua address. They list every sender that claimed your From domain in the reporting period, with counts and alignment results.
Reading them manually is painful. The XML is verbose and formatted for machines. Use a DMARC monitoring service (Postmark DMARC Digests, Valimail Monitor, dmarcian, EasyDMARC, MXToolbox DMARC Analyzer) that parses the XML and shows you a human-readable dashboard.
What to look for:
Source IPs and domains. Each sending source should be identifiable as a legitimate sender (Klaviyo, your transactional ESP, your CRM). Unknown sources sending on your behalf are suspicious.
SPF and DKIM pass/fail rates. For each source, what percentage of mail passed SPF alignment and DKIM alignment. Klaviyo should show 100% DKIM alignment pass.
Disposition. For each reporting period, what action receivers took. At p=none, disposition should be "none" (delivered). At p=quarantine or p=reject, failing mail should show the corresponding disposition.
Alignment mismatches. The most important diagnostic. If legitimate Klaviyo mail is failing alignment, something is wrong with DKIM configuration.
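To show what a monitoring service extracts from these files, here is an added example (not from the original guide or any vendor) that summarises one aggregate report per source IP. It assumes un-namespaced RFC 7489 element names, and the sample report, IPs and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (documentation IPs, placeholder domains).
SAMPLE = b"""<?xml version="1.0"?>
<feedback>
 <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results><dkim><domain>em1234.yourdomain.com</domain><result>pass</result></dkim></auth_results>
 </record>
 <record>
  <row><source_ip>203.0.113.7</source_ip><count>4</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results><spf><domain>unknown.example</domain><result>pass</result></spf></auth_results>
 </record>
</feedback>"""


def summarise(report: bytes) -> dict:
    """Per source IP: message count, DMARC-failing count, dispositions, DKIM d= domains."""
    # Reports arrive from third parties, so treat them as untrusted: refuse DTDs.
    if b"<!DOCTYPE" in report or b"<!ENTITY" in report:
        raise ValueError("DTD or entity declaration in report")
    root = ET.fromstring(report)
    out = defaultdict(lambda: {"count": 0, "dmarc_fail": 0,
                               "dispositions": set(), "dkim_domains": set()})
    for rec in root.iter("record"):
        ev = rec.find("row/policy_evaluated")
        if ev is None:
            continue  # malformed record: nothing to evaluate
        n = int(rec.findtext("row/count", "0"))
        src = out[rec.findtext("row/source_ip", "unknown")]
        src["count"] += n
        src["dispositions"].add(ev.findtext("disposition", "?"))
        # policy_evaluated holds the aligned results; DMARC fails only if both fail.
        if ev.findtext("dkim") != "pass" and ev.findtext("spf") != "pass":
            src["dmarc_fail"] += n
        src["dkim_domains"].update(
            d.text for d in rec.iterfind("auth_results/dkim/domain") if d.text)
    return dict(out)


def needs_review(summary: dict) -> list:
    """Sources with any DMARC-failing mail: resolve these before raising the policy."""
    return sorted(ip for ip, s in summary.items() if s["dmarc_fail"])
```

In the sample, the first source matches the expected Klaviyo pattern (DKIM aligned, SPF not), while the second fails both checks and is returned by `needs_review` for identification.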
Common Klaviyo DMARC Failure Modes
Failure 1: Klaviyo DKIM not signing. Your DMARC reports show Klaviyo mail with DKIM failing. Cause: CNAMEs not correctly configured in DNS, or not verified in Klaviyo. Fix: follow our DKIM troubleshooting guide.
Failure 2: Strict alignment configured accidentally. DMARC record includes adkim=s or aspf=s, and legitimate Klaviyo mail fails alignment. Fix: remove strict alignment from the DMARC record, or switch Klaviyo's signing domain to match From exactly (more complex, usually not worth it).
Failure 3: Subdomain not covered. Your DMARC policy applies to the main domain, but not to subdomains you send from. Fix: ensure sp= in the DMARC record is set correctly for your subdomain policy.
Failure 4: Third-party sender not authenticated. DMARC reports show mail from an unknown IP failing alignment. Could be a legitimate third-party tool (transactional ESP, CRM, analytics) that was not set up with proper authentication. Fix: identify and authenticate the tool, or remove its access to send on your behalf.
Failure 5: Reporting address overwhelmed. DMARC reports are sent to the rua address, and they can be voluminous for high-volume senders. An unmonitored reporting mailbox means you miss important signals. Fix: use a DMARC monitoring service instead of a raw mailbox.
When to Not Use DMARC
DMARC is broadly beneficial, but it has edge cases.
If you send mail through services that cannot be authenticated (unusual today, but occasionally an issue with older transactional systems), moving to p=reject will reject legitimate mail from those services. The fix is to authenticate those services, not to avoid DMARC.
If you host mail on your own infrastructure alongside Klaviyo and the infrastructure is poorly maintained, DMARC may reveal issues that were previously hidden. The fix is to address those issues, not to skip DMARC.
What is never a good reason to skip DMARC: "it is complicated." Yes, it is complicated. And it is also now a requirement for Gmail and Yahoo bulk sending.
For a full picture of your current DMARC status including Klaviyo-specific alignment, the €49 Klaviyo Trial Audit parses your DMARC reports, identifies all senders claiming your domain, and flags alignment issues in 24–48 hours. The free Klaviyo Posture Report covers the DNS-level DMARC policy and DKIM/SPF record verification in under an hour.
Frequently asked questions
How do I set up DMARC for Klaviyo?
Publish a TXT record at _dmarc.yourdomain.com starting with v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100. Verify Klaviyo DKIM and SPF are passing and aligning, then progress to p=quarantine and eventually p=reject over six to twelve weeks. Monitor aggregate reports throughout.
What DMARC policy should I use for Klaviyo?
Start with p=none for four weeks to confirm Klaviyo DKIM alignment. Move to p=quarantine with gradually increasing pct values over four to six weeks. Reach p=reject when reports show clean alignment. The progression limits the risk of rejecting legitimate mail during setup.
Does Klaviyo require DMARC?
Klaviyo does not require DMARC, but Gmail and Yahoo's 2024 bulk-sender rules do for senders above 5,000 messages per day. Klaviyo senders above that threshold need DMARC published at minimum with p=none. Most Klaviyo senders above this volume should aim for p=quarantine or p=reject.
How do I read Klaviyo DMARC reports?
Aggregate DMARC reports are XML files sent to the rua address in your DMARC record. Reading them manually is impractical. Use a DMARC monitoring service (dmarcian, EasyDMARC, Postmark DMARC Digests) that parses the reports and shows a human-readable dashboard of senders, alignment rates, and disposition.
What does DMARC p=none mean?
p=none is monitor-only mode. Receiving servers deliver mail normally regardless of SPF/DKIM failures, but they send you aggregate reports on what failed. Use p=none as the starting point of DMARC setup to identify all legitimate senders before applying enforcement.
Why is DMARC failing for my Klaviyo emails?
The most common causes are DKIM CNAMEs not configured correctly, DMARC strict alignment (adkim=s) configured too tightly for Klaviyo's signing subdomain, or a subdomain being sent from without its own authentication. Check DMARC reports for the specific alignment failure reason.
Can I use DMARC with Klaviyo on a shared IP?
Yes. DMARC is about domain authentication, not IP. Whether you are on a shared or dedicated IP, DMARC setup is the same. The CNAMEs for DKIM and the DMARC TXT record apply to your sending domain regardless of IP configuration.