Checking DMARC Compliance with Brevo
Set up Brevo (formerly Sendinblue) DKIM, SPF and dedicated IPs correctly so your campaigns and transactional mail align with DMARC.
Brevo (the platform formerly known as Sendinblue) handles both marketing and transactional email, which makes it a common choice for small businesses that want everything in one tool. It also means that when DMARC fails, it can fail across your whole email programme at once. This guide walks through authenticating Brevo correctly and verifying that DMARC passes.
How Brevo signs mail
Brevo always signs outbound mail with DKIM. The question is which domain the signature belongs to:
| Setup | DKIM signer | DMARC alignment |
|---|---|---|
| Default Brevo domain | sendinblue.com / brevo.com | Fails |
| Authenticated domain | yourdomain.com | Passes |
| Dedicated IP, no auth | brevo.com | Fails |
A dedicated IP alone does not authenticate your domain. You still need to authenticate the sending domain separately, regardless of whether you're on shared or dedicated IPs.
Step 1: Add your sending domain
In Brevo, go to Senders, Domains & Dedicated IPs → Domains → Add a domain. Enter the domain you send from (e.g. yourdomain.com).
Brevo provides a set of DNS records including:
- DKIM TXT at
mail._domainkey.yourdomain.com - Brevo code TXT record (proves domain ownership)
- DMARC record suggestion (don't blindly copy this — see below)
Publish the DKIM record and the ownership TXT. The DMARC suggestion is just a starter — don't overwrite an existing DMARC record without checking it first in the free DMARC record checker.
Step 2: Configure SPF
Brevo recommends adding their include to your SPF record:
v=spf1 include:_spf.google.com include:spf.brevo.com ~all
Again, watch the 10-lookup SPF limit. If you're close to it, prioritise DKIM and drop less important SPF includes.
Step 3: Click Authenticate
Once DNS records are published and propagated, return to Brevo and click Authenticate this domain. Brevo queries your DNS and confirms the DKIM record matches. The domain should move to a green "authenticated" state.
If authentication fails, Brevo will tell you which record is missing or mismatched. The most common cause is a DNS provider auto-appending the domain to the record name.
Step 4: Verify DMARC alignment
Send a test campaign and inspect the raw headers of the received message. You want to see DKIM signed with d=yourdomain.com (or a subdomain of it). If you see d=sendinblue.com or d=brevo.com, the authenticated domain isn't being used — double-check that the From: address in your campaign matches your authenticated domain.
Step 5: Review your DMARC record
With Brevo authenticated, a reasonable DMARC record is:
v=DMARC1; p=quarantine; rua=mailto:[email protected]; adkim=r; aspf=r
Keep alignment relaxed (adkim=r) so that DKIM signatures on subdomains still count. If you need to construct a new record from scratch, dmarccreator.com will walk you through it.
Dedicated IP considerations
If you're on a dedicated IP with Brevo, you're building IP reputation from scratch. This doesn't change authentication setup, but it does mean:
- Warm up the IP gradually over 2-4 weeks
- Expect some initial deliverability wobbles
- DMARC reports will show fewer but more consistent IP sources
None of this changes the DKIM or SPF requirements.
Common Brevo DMARC issues
| Issue | Cause | Fix |
|---|---|---|
| DKIM never verifies | CNAME published as TXT | Publish as TXT, not CNAME |
| DMARC fails on transactional | Different authenticated domain | Authenticate transactional sender too |
| Campaign shows 'via brevo.com' | From: domain not authenticated | Complete authentication flow |
| Transactional bounces | API using wrong sender | Update API payload sender |
If you use both Marketing and Transactional
Brevo lets you send transactional mail via API or SMTP from the same authenticated domain. Make sure your application code sets the From: header to a sender that matches your authenticated Brevo domain — a common oversight is leaving the From: on a different test domain that was never authenticated.
Monitoring over time
ESPs rotate DKIM keys occasionally. A key that worked last year might silently fail tomorrow. deliverabilitychecker.com monitors your authentication continuously and alerts when something breaks.
Catch Brevo authentication drift early
Monitor DKIM, SPF and DMARC alignment for your Brevo campaigns and transactional mail.
Start Monitoring