How to Set Up DMARC for Kit (ConvertKit): Configuration and Alignment Guide
Configure DMARC for Kit (formerly ConvertKit) with proper SPF and DKIM alignment. Covers domain authentication, DNS records, and troubleshooting.
Last updated: 2026-05-19
Kit (formerly ConvertKit) is the go-to email platform for creators — bloggers, podcasters, newsletter writers, and course creators who rely on email to connect with their audience. If you use Kit to send emails from your own domain, setting up DMARC protects your brand from spoofing and ensures your messages actually land in subscriber inboxes instead of spam folders.
This guide walks you through DMARC configuration specifically for Kit users, with plain-language explanations of how alignment works and what you need to do in your DNS.
How Kit Handles Email Authentication
Before setting up DMARC, it helps to understand how Kit authenticates the emails it sends on your behalf. Kit offers a domain authentication feature that configures DKIM signing for your custom domain.
Kit's Domain Authentication
When you authenticate your sending domain in Kit, the platform provides a set of CNAME records to add to your DNS. Here is what they do:
CNAME records for DKIM. Kit gives you CNAME records that point to Kit's DKIM signing keys. Once you publish these in your DNS, Kit signs every outgoing email with a DKIM signature tied to your domain. This is the key piece for DMARC compliance.
SPF and the envelope sender. Unlike some platforms that let you customize the Return-Path (envelope sender), Kit uses its own envelope sender domain for outgoing messages. This means SPF checks will authenticate against Kit's domain rather than yours. Since Kit's envelope sender domain does not match your From domain, SPF alignment will not pass for DMARC purposes.
What this means for you: DKIM is your path to DMARC compliance with Kit. The good news is that DKIM alignment is actually more reliable than SPF alignment because DKIM signatures survive email forwarding.
Kit's domain authentication is required for DMARC to work with your sending domain. If you have not set it up yet, do that before adding a DMARC record. Go to Settings → Email → Sending Domain → Authenticate in your Kit dashboard.
Understanding SPF and DKIM Alignment with Kit
DMARC requires that at least one of SPF or DKIM "aligns" with the From domain in your email. Alignment simply means the authenticated domain matches the domain your subscribers see in the From address. For a deeper comparison of these protocols, see SPF vs DKIM vs DMARC.
DKIM Alignment (Your Primary Path)
When Kit's domain authentication is fully configured, every email Kit sends on your behalf is signed with DKIM using your domain. If your From address is hello@yourdomain.com and DKIM signs with yourdomain.com, the domains match and DKIM alignment passes.
This is the alignment method you should rely on as a Kit user. Even when a subscriber forwards your email to a friend, the DKIM signature stays intact and DMARC continues to pass. That matters a lot for creators whose content gets shared frequently.
Why SPF Alignment Does Not Work with Kit
SPF checks the envelope sender (Return-Path), not the visible From address. Kit uses its own domain as the envelope sender, so the SPF-authenticated domain will not match your From domain. SPF itself will pass (Kit's servers are authorized to send from their envelope domain), but SPF alignment for DMARC purposes will fail.
This is completely normal and nothing to worry about. As long as DKIM alignment passes, your emails pass DMARC. Many email platforms work this way.
Do not panic if your DMARC reports show SPF alignment failures for Kit. This is expected behavior. What matters is that DKIM alignment passes, and it will as long as your domain authentication is set up correctly.
Setting Up Your DMARC Record
With Kit's domain authentication complete and DKIM verified, you are ready to add a DMARC record to your DNS.
Confirm Kit domain authentication is complete
In your Kit dashboard, go to Settings → Email → Sending Domain. Verify that your domain shows as authenticated. The CNAME records for DKIM should show a verified status. If they are still pending, double-check that the DNS records are published correctly.
Generate your DMARC record
Start with a monitoring-only policy so you can see what is happening before enforcing anything: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100;. This tells inbox providers to send you reports about every email claiming to be from your domain without blocking anything.
Add the DMARC record to your DNS
Log in to your DNS provider (wherever you manage your domain — Cloudflare, Namecheap, GoDaddy, etc.) and create a new TXT record. Set the name (or host) to _dmarc and the value to your DMARC record string. The full hostname will be _dmarc.yourdomain.com.
Wait for DNS propagation
Save the record and give it time to propagate. This usually takes anywhere from a few minutes to a couple of hours. You can check back periodically to see when it goes live.
Verify your record is working
Check your record at dmarcrecordchecker.com. Confirm the record is valid, shows your chosen policy, and includes your reporting address.
Recommended DMARC Record for Kit Users
For most creators using Kit, this starting record works well:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; adkim=r; aspf=r; pct=100;
The adkim=r tag sets relaxed DKIM alignment, which means subdomains of your root domain will also align. The aspf=r tag sets relaxed SPF alignment — while SPF alignment will not pass for Kit-sent emails regardless, this keeps the door open for other services you might use that do support SPF alignment.
After monitoring with p=none for at least two weeks and confirming your Kit emails and all other legitimate sources pass, gradually move toward enforcement. For more details on how each level works, read our guide on DMARC policy levels.
Soft enforcement: v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=25;
Full enforcement: v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; pct=100;
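The records above can be checked for syntax before you publish them. The following validator is an added example, not code from Kit or from any checker site mentioned in this guide; its function names are hypothetical, and it inspects the record string only, without a DNS lookup.

```python
import re

ALLOWED = {"p": {"none", "quarantine", "reject"}, "adkim": {"r", "s"}, "aspf": {"r", "s"}}
MAILTO = re.compile(r"mailto:[^@\s,!]+@[^@\s,!]+(![0-9]+[kmgt]?)?", re.I)

def parse_dmarc(record):
    """Split a DMARC TXT value into an ordered tag dict."""
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue  # tolerate the trailing ';' used in this guide's records
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        if not sep or name in tags:
            raise ValueError(f"malformed or duplicate tag: {part.strip()!r}")
        tags[name] = value.strip()
    return tags

def check_dmarc(record):
    """Return a list of problems; an empty list means the syntax is usable."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        problems.append("record must start with v=DMARC1")
    if "p" not in tags:
        problems.append("missing required p= tag")
    for name, allowed in ALLOWED.items():
        if name in tags and tags[name].lower() not in allowed:
            problems.append(f"{name}={tags[name]} is not one of {sorted(allowed)}")
    pct = tags.get("pct", "100")
    if not (re.fullmatch(r"[0-9]{1,3}", pct) and int(pct) <= 100):
        problems.append(f"pct={pct} must be an integer from 0 to 100")
    for uri in tags.get("rua", "").split(","):
        if uri.strip() and not MAILTO.fullmatch(uri.strip()):
            problems.append(f"rua entry {uri.strip()!r} is not a mailto: URI")
    return problems

def rollout_stage(record):
    """(policy, pct) requested by a record that already passed check_dmarc."""
    tags = parse_dmarc(record)
    return tags["p"].lower(), int(tags.get("pct", "100"))

if __name__ == "__main__":
    for rec in ("v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=25;",
                "v=DMARC1; p=quarentine; pct=250"):  # second record is a constructed mistake
        print(check_dmarc(rec) or rollout_stage(rec))
```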
Troubleshooting Kit DMARC Alignment Failures
DKIM Alignment Failing
If your DMARC reports show DKIM failures for emails sent through Kit, check:
- Domain authentication is verified in Kit. Go to Settings → Email → Sending Domain and confirm the status is authenticated. If it shows pending, your DNS records may be missing or incorrect.
- CNAME records are still in your DNS. If you recently switched DNS providers or migrated your domain, Kit's DKIM CNAME records may have been lost. Verify they are still published.
- Your From address matches the authenticated domain. If you authenticated yourdomain.com but send from otherdomain.com, DKIM alignment will fail. The From domain must match the domain you authenticated in Kit.
SPF Alignment Failing
As discussed above, SPF alignment failures for Kit-sent emails are expected. Kit uses its own envelope sender domain, so SPF will not align with your From domain. This is normal — DKIM alignment is what makes DMARC pass for Kit emails.
Do not move to p=reject until every legitimate sending source passes DMARC. If you use Kit alongside other tools (your hosting provider's email, a helpdesk platform, a payment processor that sends receipts), each one needs its own authentication configured. One overlooked service can cause important emails to get rejected.
Multiple Sending Services
Most creators use more than just Kit. You might have Google Workspace for personal email, a course platform sending purchase confirmations, or a helpdesk tool for support tickets. Each service that sends email from your domain needs its own SPF and DKIM authentication. Review your DMARC aggregate reports to identify every service sending on your behalf and make sure each one passes before tightening your DMARC policy.
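One way to find the sources that still fail before tightening the policy is to total an aggregate report by sender. This is an added example, not code from Kit or this site; the report is a constructed sample using documentation IP ranges, and `envelope.esp.example` and `helpdesk.example` are placeholder domains.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def _record(ip, count, dkim, spf, dkim_domain, spf_domain):
    """Build one constructed <record> with only the fields used below."""
    return (
        f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
        f"<policy_evaluated><dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row>"
        f"<identifiers><header_from>yourdomain.com</header_from></identifiers>"
        f"<auth_results><dkim><domain>{dkim_domain}</domain></dkim>"
        f"<spf><domain>{spf_domain}</domain></spf></auth_results></record>"
    )

# Constructed sample: an ESP that aligns on DKIM only, a source that aligns on
# both, and a helpdesk tool with no authentication for yourdomain.com.
SAMPLE_REPORT = "<feedback>" + "".join([
    _record("192.0.2.10", 120, "pass", "fail", "yourdomain.com", "envelope.esp.example"),
    _record("203.0.113.5", 30, "pass", "pass", "yourdomain.com", "yourdomain.com"),
    _record("198.51.100.7", 8, "fail", "fail", "helpdesk.example", "helpdesk.example"),
]) + "</feedback>"

def summarize(report_xml):
    """Total message counts per (source IP, DKIM domain), split by DMARC outcome."""
    # Real reports come from third parties: parse them with a hardened XML
    # parser such as defusedxml rather than the standard library.
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    for rec in ET.fromstring(report_xml).iter("record"):
        row = rec.find("row")
        evaluated = (row.findtext("policy_evaluated/dkim"),
                     row.findtext("policy_evaluated/spf"))
        # policy_evaluated holds the aligned results; DMARC needs one pass.
        outcome = "pass" if "pass" in evaluated else "fail"
        key = (row.findtext("source_ip"), rec.findtext("auth_results/dkim/domain"))
        totals[key][outcome] += int(row.findtext("count", "0"))
    return dict(totals)

def blockers(report_xml):
    """Sources whose mail would be quarantined or rejected under enforcement."""
    return sorted(k for k, v in summarize(report_xml).items() if v["fail"])

if __name__ == "__main__":
    for source, counts in summarize(SAMPLE_REPORT).items():
        print(source, counts)
    print("fix before enforcing:", blockers(SAMPLE_REPORT))
```

In the sample, the first source passes DMARC on DKIM alone even though its aligned SPF result is `fail`, which is the pattern this guide describes for Kit.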
Kit-Specific Best Practices
Always authenticate your sending domain. Sending through Kit without domain authentication means your emails rely on Kit's shared domain. That guarantees DMARC failure against your own domain and can hurt deliverability. Authentication takes just a few minutes in your Kit dashboard.
Use a consistent From address. Pick one From address on your authenticated domain and stick with it. Switching between multiple domains or using a free email address (like Gmail) as your Kit From address will cause DMARC alignment issues.
Send a test email after setup. After adding your DMARC record and confirming Kit's domain authentication, send yourself a test broadcast. Check the email headers to verify both DKIM-Signature (signed with your domain) and Authentication-Results (showing dkim=pass) are present.
Review your reports regularly. DMARC aggregate reports tell you exactly which emails are passing and failing. For the first few weeks especially, check these reports to catch any issues early. Our guide on how to set up DMARC covers report interpretation in more detail.
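The header check on a test broadcast, and the alignment rules from the alignment sections earlier in this guide, can be scripted as follows. This is an added example, not Kit's code: the headers are constructed, every domain and selector is a placeholder, and the organizational domain is assumed to be the last two labels (real evaluators use the Public Suffix List).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers for a test broadcast; every domain, selector and
# signature value is a placeholder, including the ESP envelope domain.
RAW_AUTHENTICATED = """\
Return-Path: <bounce-123@envelope.esp.example>
Authentication-Results: mx.receiver.example;
 dkim=pass header.d=yourdomain.com header.s=sel1;
 spf=pass smtp.mailfrom=bounce-123@envelope.esp.example
DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com; s=sel1;
 h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Creator <hello@yourdomain.com>
Subject: test broadcast

body
"""
# The same message as it would look if signed with a shared ESP domain instead.
RAW_SHARED = RAW_AUTHENTICATED.replace("d=yourdomain.com", "d=shared.esp.example")

def org_domain(domain):
    """Assumption: the last two labels. Real checks use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    """mode 'r' compares organizational domains, 's' requires an exact match."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def check_headers(raw, adkim="r", aspf="r"):
    """Report which passing DKIM/SPF domains align with the From domain."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    # Read only the topmost Authentication-Results header (the last one added,
    # normally by your own mailbox provider); lower ones may be forged.
    results = (msg.get_all("Authentication-Results") or [""])[0]
    dkim = re.findall(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", results)
    spf = re.findall(r"spf=pass\b[^;]*?smtp\.mailfrom=(?:[^@\s;]*@)?([\w.-]+)", results)
    dkim_ok = any(aligned(d, from_domain, adkim) for d in dkim)
    spf_ok = any(aligned(d, from_domain, aspf) for d in spf)
    return {"from": from_domain, "dkim_pass_domains": dkim, "spf_pass_domains": spf,
            "dkim_aligned": dkim_ok, "spf_aligned": spf_ok,
            "dmarc_pass": dkim_ok or spf_ok}

if __name__ == "__main__":
    for name, raw in (("authenticated", RAW_AUTHENTICATED), ("shared", RAW_SHARED)):
        print(name, check_headers(raw))
```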
Complete your authentication stack
DMARC works alongside SPF and DKIM. Build a comprehensive SPF record at spfcreator.com that covers all your sending services. Generate and verify DKIM keys at dkimcreator.com for any services that support custom signing.