Configuring SPF, DKIM, and DMARC for Brevo (formerly Sendinblue)

To authenticate email sent through Brevo (formerly Sendinblue), add include:spf.brevo.com to your SPF TXT record, configure the two DKIM CNAME records Brevo provides in your dashboard, and publish a DMARC record with at least p=none. All three steps are required for full authentication — SPF alone is no longer sufficient since Google’s and Yahoo’s February 2024 bulk sender guidelines mandate SPF + DKIM + DMARC for any domain sending 5,000+ messages per day to their users.

DMARC (RFC 7489) ties SPF and DKIM together by requiring alignment between the envelope sender and the visible From header. According to Google’s February 2024 bulk sender requirements, a DMARC policy of at least p=none is now mandatory for any domain sending 5,000+ messages per day to Gmail users.

A minimal Brevo-compatible SPF record looks like this:

example.com. IN TXT "v=spf1 include:spf.brevo.com -all"

Brevo’s DKIM setup uses two CNAME records (mail._domainkey and mail2._domainkey) that point at Brevo’s signing key infrastructure. These rotate automatically. DMARC is a separate TXT record at _dmarc.example.com.

This guide walks through each step in the Brevo dashboard and your DNS provider, how to verify all three protocols pass using an email authentication checker, and how to handle the common issue of Brevo’s SPF include pushing you over the RFC 7208 10-DNS-lookup limit when combined with Google Workspace or Microsoft 365.

How Do You Configure SPF record for Brevo?

Brevo users don’t have to configure their SPF records manually. It doesn’t provide an SPF record because SPF’s authentication process uses the Envelope Sender, which is managed by Brevo’s internal server. So, you don’t need to explicitly authorize Brevo as a sender for your domain. 

Even if you add “include:spf.sendinblue.com” to your SPF record, SPF authentication will still fail. So, the best option is to skip it altogether.

How Do You Configure DKIM record for Brevo?

You can manage DKIM for Brevo either automatically or manually. We are mentioning both-

Automatic DKIM setup for Brevo

• Sign in to your Brevo account.

• Click on ‘Authenticate automatically,’ followed by clicking ‘Continue’ in the pop-up box that appears.

• You will be asked to enter your domain host credential. Once done, click ‘Continue.’

That’s it, and the process will be completed.

Manual DKIM setup for Brevo

• Sign in to your Brevo account.

• You will see your DKIM TXT record, which you need to copy.

• Go to your DNS management console and publish the record you copied in the last step.

• Click ‘Save’.

Once done, wait for 24 to 72 hours for the information to propagate across the internet. 

How Do You Configure DMARC record for Brevo?

Just like DKIM, DMARC setup can also be done manually as well as automatically–

Automatic DMARC setup for Brevo

• Sign in to your Brevo account.

• Click on ‘Authenticate automatically,’ followed by clicking ‘Continue’ in the pop-up box that appears.

• You will be asked to enter your domain host credential. Once done, click ‘Continue.’

Manual DMARC setup for Brevo

• Sign in to your Brevo account.

• You will see your DMARC TXT record, which you need to copy.

• Go to your DNS management console and publish the record you copied in the last step.

• Click ‘Save’.

Once done, wait for 24 to 72 hours for the information to propagate across the internet. 

Final step

To verify your Brevo DMARC and DKIM record setups, click “Authenticate this email domain” at the end of the domain authentication page. You will see a green checkmark and “Value matched” messages if your records are correct. If the setups are incorrect, “Value mismatched” messages will appear. You can check your records multiple times by clicking “Check configuration” under your domain and then “Authenticate this email domain”.

Regularly verifying your Brevo DMARC and DKIM records is crucial for maintaining robust email security. Ensuring that your records are correctly configured helps protect your domain from unauthorized use and phishing attacks.