Brevo Sender Authentication: SPF, DKIM, and DMARC Setup

Why Sender Authentication Is Non-Negotiable

Before a single email from your Brevo account reliably reaches an inbox, you must authenticate your sending domain. This is not optional — it is a fundamental technical requirement that every serious email sender must complete.

In 2026, Google and Yahoo announced that senders above certain volume thresholds must implement DMARC authentication or risk having their emails rejected. This change formalized what had been best practice for years: SPF, DKIM, and DMARC authentication are now prerequisites for inbox delivery, not nice-to-haves.

Brevo requires domain authentication for its transactional email service and strongly recommends it for all marketing email senders. Without authentication, your emails may be delivered to spam folders or rejected entirely by major email providers.

This guide explains exactly what each authentication record does and provides step-by-step instructions for configuring them in Brevo.

The Three Authentication Standards Explained

SPF (Sender Policy Framework)

SPF is a DNS record that specifies which mail servers are authorized to send email on behalf of your domain. It answers the question: "Is this server allowed to send email from this domain?"

When Gmail receives an email claiming to be from yourcompany.com, it looks up the SPF record for yourcompany.com. If the IP address of the sending server (in this case, a Brevo server) is listed in the SPF record, the check passes. If not, the check fails and the email may be marked as suspicious.

SPF record format:

v=spf1 include:spf.brevo.com ?all

Breaking this down:

• v=spf1 — declares this is an SPF record
• include:spf.brevo.com — authorizes Brevo's sending servers
• ?all — for all other senders, treat with a neutral result (neither pass nor fail). You can also use ~all (soft fail) or -all (hard fail, most restrictive)

Important: You can only have one SPF record per domain. If you already have an SPF record (for example, for another email service like Google Workspace), you must merge the records into a single TXT record rather than creating a second one.

For example, if you already have v=spf1 include:_spf.google.com ~all, you would update it to: v=spf1 include:_spf.google.com include:spf.brevo.com ~all

DKIM (DomainKeys Identified Mail)

DKIM uses public-key cryptography to cryptographically sign your emails. When you send an email through Brevo, the Brevo server adds a DKIM signature to the email header. The receiving server retrieves your public DKIM key from DNS and uses it to verify the signature.

If the signature is valid, it proves two things:

1. The email was sent by someone in control of the DKIM private key (i.e., an authorized sender, not a fraudster)
2. The email has not been modified in transit

DKIM is stored as a TXT record in DNS under a specific selector subdomain. Brevo will give you the exact name and value to use.

DKIM record format:

Name: brevo._domainkey.yourcompany.com
Value: v=DKIM1; k=rsa; p=[long public key string]

The selector (in this case, brevo) is chosen by Brevo. The public key is generated by Brevo and is unique to your account.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC builds on SPF and DKIM. It adds a policy that tells receiving email servers what to do when an email fails authentication checks. It also enables reporting, so you can see who is sending email from your domain.

DMARC has three policy options:

• p=none — Monitor only. Emails that fail authentication are delivered normally, but you receive reports about failures. Best starting point.
• p=quarantine — Emails that fail authentication are sent to the spam/junk folder.
• p=reject — Emails that fail authentication are rejected entirely.

A DMARC record also specifies where to send reports via email.

Starter DMARC record (recommended starting point):

Name: _dmarc.yourcompany.com
Value: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourcompany.com

The rua tag specifies where to send aggregate reports. These reports (sent daily by major email providers) show you all domains and IPs that are sending email claiming to be from your domain — helping you spot unauthorized use.

After monitoring for 2-4 weeks and confirming your legitimate email sources all pass authentication, upgrade to p=quarantine, then eventually p=reject.

Step-by-Step Setup in Brevo

Step 1: Access Domain Settings

Log into Brevo and navigate to one of two places, depending on your use case:

• For marketing emails: "Settings" → "Senders and IPs" → "Domains"
• For transactional emails: "Transactional" → "Settings" → "Sender Domains"

Click "Add a Domain" and enter your domain name (e.g., yourcompany.com).

Step 2: Generate Your DNS Records

Brevo will display the three DNS records you need to add. Make note of all three:

1. The SPF TXT record (or the Brevo include to add to your existing SPF)
2. The DKIM TXT record (name and value)
3. The DMARC TXT record (Brevo provides a recommended starter record)

Step 3: Add Records to Your DNS

Log into your domain registrar or DNS provider. Common registrars and DNS providers:

• GoDaddy: My Products → DNS
• Namecheap: Domain List → Manage → Advanced DNS
• Cloudflare: Websites → [domain] → DNS
• Google Domains: DNS → Manage Custom Records

Add each record as a TXT record. The process is the same for all three:

Field	Value
Type	TXT
Name/Host	(the name provided by Brevo, e.g., brevo._domainkey)
Value/Content	(the full text value provided by Brevo)
TTL	300 or Auto

Important for the DKIM record: Copy the entire public key string exactly as Brevo provides it. Even a single character difference will cause DKIM verification to fail.

Important for SPF: If you already have an SPF record, do not create a second one. Edit the existing record and add include:spf.brevo.com before the ~all or -all at the end.

Step 4: Verify the Records

DNS changes can take anywhere from a few minutes to 48 hours to propagate (though they usually take effect within 15-30 minutes).

Return to Brevo's domain settings and click "Verify." Brevo will check for the presence of each record and confirm it is correct. If verification fails, double-check that you copied the records exactly and wait a bit longer for DNS propagation.

You can also use external tools to verify your DNS records:

• MXToolbox (mxtoolbox.com) — SPF and DMARC lookup
• DKIM Validator — DKIM record lookup
• Google Admin Toolbox — Comprehensive DNS record check

Troubleshooting Common Authentication Errors

"SPF record not found" Check that you added the TXT record to the root domain (@), not a subdomain. The SPF record should apply to yourcompany.com, not mail.yourcompany.com.

"Multiple SPF records found" You have more than one TXT record starting with v=spf1. Merge them into a single record. Delete the duplicate.

"DKIM record not found" Verify that you used the exact subdomain name provided by Brevo (e.g., brevo._domainkey). Check that the record type is TXT, not CNAME or another type.

"DKIM verification failed" The public key in your DKIM record does not match. Re-copy the value from Brevo exactly, including any underscores or special characters.

"DMARC policy not set" You have not added a DMARC record, or it is under the wrong subdomain. The DMARC record must be at _dmarc.yourcompany.com.

Monitoring Your Authentication Health

After setup, monitor your authentication on an ongoing basis:

• DMARC reports: Set up a DMARC report analyzer (tools like Postmark's DMARC Digests or DMARC Analyzer) to interpret the daily reports you receive. They will show you if any emails are failing authentication.
• Brevo domain health: Check the domain status page in Brevo regularly. Brevo will alert you if it detects authentication problems.
• Deliverability metrics: A sudden drop in open rates can signal authentication problems that are causing emails to land in spam.

Brevo Plan Comparison

Plan	Price	Emails/Month	Key Features
Free	$0/month	300/day	Domain authentication support, SPF/DKIM/DMARC setup
Starter	From $25/month	20,000	Full authentication, no daily limit, basic reporting
Business	From $65/month	20,000+	Advanced deliverability analytics, inbox preview
Enterprise	Custom pricing	Unlimited	Dedicated IP, advanced authentication monitoring, BIMI support

Proper sender authentication is the single most impactful technical step you can take to improve your Brevo deliverability. Take the hour required to set up SPF, DKIM, and DMARC correctly, and every email you send will be on a stronger technical foundation.