How to Set Up DMARC for Brevo (Sendinblue): Configuration and Alignment Guide

Brevo (formerly Sendinblue, rebranded in 2023) is a widely used email marketing and CRM platform popular with small and mid-sized businesses, agencies, and marketing teams. If you send email through Brevo using your own domain, setting up DMARC is essential for protecting your brand from spoofing and meeting the authentication requirements that Gmail, Yahoo, and other major inbox providers now enforce.

This guide covers DMARC configuration specifically for Brevo users, with a focus on the alignment details that determine whether your messages pass or fail DMARC checks.

How Brevo Handles Email Authentication

Before configuring DMARC, it helps to understand how Brevo authenticates the email it sends on your behalf. Brevo offers domain authentication through its dashboard, which sets up both SPF and DKIM for your sending domain.

Brevo's Domain Authentication

When you authenticate a domain in Brevo, the platform provides a set of DNS records to add to your domain. You can find these under Settings > Senders, Domains & Dedicated IPs > Domains. The records typically include:

DKIM records. Brevo provides either TXT or CNAME records that allow it to sign outgoing messages with DKIM using your domain name. When you publish these in your DNS, receiving mail servers can verify that messages claiming to be from your domain were genuinely authorized by you. This is the most important record for DMARC alignment.

SPF inclusion. Brevo requires you to add include:spf.sendinblue.com to your domain's SPF record. Despite the rebrand to Brevo, the SPF infrastructure still uses the sendinblue.com domain. This authorizes Brevo's mail servers to send on your behalf.

Brevo code (domain verification). Brevo also provides a TXT record used to verify domain ownership. This record confirms that you control the domain and is required before Brevo activates authentication for your sending.

Brevo's domain authentication is the foundation for DMARC compliance. If you have not completed domain authentication in Brevo, do that first. Go to Settings > Senders, Domains & Dedicated IPs > Domains in your Brevo dashboard and follow the setup wizard.

Understanding SPF and DKIM Alignment with Brevo

DMARC requires that at least one of SPF or DKIM "aligns" with the From domain in your email. Alignment means the domain authenticated by SPF or DKIM matches the domain in the visible From header. For a deeper comparison of how these protocols work together, see SPF vs DKIM vs DMARC. Here is how alignment works with Brevo specifically.

DKIM Alignment

When Brevo's domain authentication is set up, outgoing messages are signed with DKIM using your domain (like yourdomain.com). If your From address is hello@yourdomain.com, DKIM alignment passes because the signing domain matches the From domain.

This is the most reliable alignment method for Brevo users. DKIM signatures survive email forwarding, so messages forwarded from one inbox to another will still pass DMARC through DKIM alignment.

SPF Alignment and the Envelope Sender

SPF alignment is where Brevo gets complicated. The SPF check evaluates the envelope sender (Return-Path), not the From address. Brevo may set the envelope sender to a Brevo-controlled subdomain rather than your exact domain. When this happens, the SPF check validates against that subdomain instead of your From domain.

Under relaxed alignment (the default), the envelope sender only needs to share the same organizational domain as your From address. If Brevo uses a subdomain of your domain as the envelope sender, relaxed SPF alignment will pass. However, if the envelope sender uses a Brevo-owned domain entirely, SPF alignment will fail regardless of mode.

Under strict alignment (aspf=s), the envelope sender must exactly match the From domain, which is unlikely with Brevo's default configuration.

For the strongest DMARC setup with Brevo, rely on DKIM as your primary alignment mechanism. Because the envelope sender may use a Brevo subdomain, DKIM alignment is more predictable and is not affected by forwarding or Return-Path quirks.

Setting Up Your DMARC Record

With Brevo's domain authentication complete (DKIM and SPF verified), you are ready to add your DMARC record.

Confirm Brevo domain authentication is complete

In your Brevo dashboard, go to Settings > Senders, Domains & Dedicated IPs > Domains. Verify that your domain authentication is fully set up. The DKIM records, SPF inclusion, and Brevo verification code should all show as verified.

Verify your SPF record includes Brevo

Check that your domain's SPF record contains include:spf.sendinblue.com. You can verify this at spfcreator.com. If you have other sending services, make sure they are all included in a single SPF record.

Generate your DMARC record

Start with a monitoring policy: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100;. This collects reports so you can verify all your sending sources are passing before you enforce anything.

Add the DMARC record to your DNS

Log in to your DNS provider and add a new TXT record. Set the name to _dmarc and the value to your DMARC record string. The full hostname will be _dmarc.yourdomain.com.

Save and wait for propagation

Save the record. DNS propagation typically takes a few minutes to a couple of hours. You can track propagation by checking your domain periodically.

Verify the record

Check your record at dmarcrecordchecker.com. Confirm the record is valid, shows your policy, and includes your reporting address.

Create your DMARC record

Use our free DMARC generator to build a valid record for your domain.

Generate DMARC Record

Recommended DMARC Record for Brevo Users

For most Brevo users, this starting record works well:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; adkim=r; aspf=r; pct=100;

The adkim=r and aspf=r tags explicitly set relaxed alignment for both DKIM and SPF. While relaxed is the default even without these tags, including them makes your intent clear and avoids ambiguity.

After monitoring with p=none for at least two weeks and confirming all legitimate sources pass, move toward enforcement:

Soft enforcement: v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=25;

Full enforcement: v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; pct=100;

Troubleshooting Brevo DMARC Alignment Failures

DKIM Alignment Failing

If your DMARC reports show DKIM failures for Brevo messages, check:

Domain authentication is fully verified. Go to Brevo's domain settings and confirm the DKIM records are verified. If they show as pending, the DNS records may be missing or incorrect.
The DNS records are still present. DNS migrations or provider changes can accidentally remove Brevo's records. Use dkimcreator.com to verify your DKIM setup is intact.
Your From address matches the authenticated domain. If you authenticated yourdomain.com but send from other.com, DKIM alignment will fail.

SPF Alignment Failing

SPF alignment failures with Brevo are usually caused by:

Missing SPF include. Verify your SPF record contains include:spf.sendinblue.com. This is the correct include even though the platform rebranded to Brevo.
Envelope sender using a Brevo domain. If the Return-Path uses a Brevo-owned domain rather than a subdomain of your domain, SPF alignment will fail. In this scenario, rely on DKIM alignment instead.
Strict alignment mode in your DMARC record. If you set aspf=s, even a subdomain mismatch will cause failure. Switch to aspf=r (relaxed) or remove the tag entirely.
Too many SPF lookups. SPF records are limited to 10 DNS lookups. If you have many services included, you may exceed this limit, causing SPF to fail entirely. Audit your record at spfcreator.com.

Multiple Sending Services

If you use Brevo alongside other email services (your primary email provider, a helpdesk, another marketing tool), each needs its own authentication. Your SPF record must include all of them in a single record, and each should have DKIM configured. Review your DMARC aggregate reports to identify any service that is failing and fix its authentication before tightening your policy.

Do not move to p=reject until every legitimate sending source passes DMARC. For businesses using Brevo alongside other services, this means verifying authentication for each one individually. One misconfigured service can cause customer-facing emails to get blocked.

Brevo-Specific Best Practices

Always complete domain authentication. Never send through Brevo without completing domain authentication. Unauthenticated sending means no alignment with your From domain and guaranteed DMARC failure.

Keep the sendinblue.com SPF include. Even though the platform is now called Brevo, the SPF infrastructure still uses spf.sendinblue.com. Do not replace this with a Brevo-branded domain unless Brevo's documentation explicitly tells you to.

Verify after DNS changes. If you migrate DNS providers or make changes to your zone file, re-check that all Brevo authentication records (DKIM, SPF include, and verification code) are still in place. A missing record can silently break your DMARC alignment.

Use dedicated IPs if available. On higher-tier Brevo plans, you can use a dedicated sending IP. This gives you full control over your sender reputation and makes SPF troubleshooting simpler since you are not sharing IP addresses with other Brevo customers.

Complete your authentication stack

DMARC works alongside SPF and DKIM. Build a comprehensive SPF record at spfcreator.com that includes Brevo and all your other senders. Verify your DKIM configuration at dkimcreator.com for any services that need it.

Monitor Your DMARC Record

You've created your DMARC record — now make sure it keeps working. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.

Never miss a DMARC issue

Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.

Start Monitoring