DKIM (DomainKeys Identified Mail, RFC 6376) is the cryptographic signature attached to outgoing email so receivers can verify the message wasn't tampered with and that it actually came from a server authorized by your domain. To turn it on for Mailchimp, you publish one or more DNS records at `<selector>._domainkey.<your-domain>` containing the public key matching the private key Mailchimp uses to sign.
Most ESPs (including Mailchimp) ask you to publish CNAME records that point at hosted keys they manage. This is preferable to publishing the raw key text yourself — when the provider rotates keys, your DNS keeps pointing to the rotated key and nothing breaks.
Publish these DNS records
Add the following record(s) to your domain's DNS zone. Most registrars (Cloudflare, Route 53, Namecheap, GoDaddy) accept values exactly as shown.
- Type
CNAME- Host
k1._domainkey- Value
dkim.mcsv.net
- Mailchimp uses a single shared CNAME pointing at their hosted key. They rotate the underlying key without DNS changes on your end.
- Mailchimp also offers Domain Authentication via a different DKIM selector for accounts on Standard or higher plans — that's separate from this baseline setup.
Where in Mailchimp
The DKIM configuration lives in Mailchimp → Account → Domains → Authenticate.
Verify the records
After the records propagate, run the DKIM Checker against your domain with each selector to confirm the public key resolves and parses correctly.
dig +short TXT <selector>._domainkey.your-domain.comCommon pitfalls
- Mailchimp's authentication wizard sometimes verifies CNAMEs against their non-authoritative resolver, which can lag. If verification fails after publishing, wait an hour and retry rather than re-publishing.
- If you exported a list from another tool that included unsubscribed addresses, Mailchimp's import will silently skip them. Don't assume your list size in Mailchimp matches the source.