Every eCommerce brand using Klaviyo has a dirty little secret sitting in their email headers: their emails are being signed under klaviyomail.com, not their own domain.
Most teams have no idea. The Klaviyo onboarding dashboard shows green checkmarks. SPF and DKIM records exist. But pull up the raw headers on any delivered email — specifically the dkim=pass header.d= line — and it shows klaviyomail.com, not the brand’s domain. That’s a DKIM alignment failure on the brand domain, happening silently on every send.
I’ve reviewed authentication setups for eCommerce brands across every major sending volume tier, and this is the single most common gap — more common than missing DMARC records, more common than broken SPF. Brands that have been on Klaviyo for three or four years, sending millions of emails, still building reputation on someone else’s domain.
Setting up a Klaviyo custom sending domain is a 15-minute DNS fix. It’s also one of the highest-leverage deliverability changes an eCommerce brand can make.
Why the Default Klaviyo Setup Costs You
What Is a Klaviyo Custom Sending Domain?
A custom sending domain in Klaviyo is a branded subdomain you control — typically mail.yourbrand.com — that replaces Klaviyo’s shared sending infrastructure as the authenticated origin of your emails.
It works via CNAME records that point your subdomain to Klaviyo’s servers. Once verified, Klaviyo signs all outgoing email with DKIM using d=mail.yourbrand.com instead of d=klaviyomail.com. Your DKIM signature now belongs to your brand — which means DMARC alignment passes on your domain, and sender reputation accrues to your brand rather than to Klaviyo’s shared infrastructure.
Why Klaviyo’s Default Setup Breaks DMARC Alignment
Domain alignment is the mechanism DMARC uses to connect your authentication records to the domain your subscribers actually see. SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) can all pass on your ESP’s domain — but DMARC on your domain only passes if one of those checks aligns with your visible From address.
With Klaviyo’s default setup, d=klaviyomail.com doesn’t match @yourbrand.com. DMARC alignment fails on your brand domain, regardless of whether Klaviyo’s own authentication is passing cleanly.
According to Google’s Email Sender Guidelines, DKIM is the preferred alignment path because the DKIM signature travels with the message and survives forwarding — unlike SPF, which checks the sending server and breaks when mail is forwarded or relayed. Gmail evaluates DKIM alignment as the primary authentication signal.
Google’s 2024 bulk sender requirements made DMARC — including alignment on the sending domain — mandatory for anyone sending more than 5,000 emails per day to Gmail accounts. If you’re sending above that threshold without a custom sending domain, you’re out of compliance on every send. The mechanism is straightforward: when Gmail cannot verify that the authenticated domain matches the domain in the From address, it has no basis for trusting your sender reputation — and that uncertainty shows up as lower inbox placement.
What You Need Before You Start
- DNS access — your domain registrar (GoDaddy, Namecheap, Cloudflare, or equivalent) where you manage DNS records
- A subdomain chosen — mail.yourbrand.com is standard; em. or send. also work. Never use the root domain (yourbrand.com) directly as a sending domain
- Klaviyo admin access — account owners and admins only
No pre-creation needed. Klaviyo generates the exact CNAME values for whatever subdomain you enter in the setup wizard.
Step-by-Step: Setting Up Your Klaviyo Custom Sending Domain
Step 1: Open Sending Domain Settings in Klaviyo
Navigate to Settings → Email → Sending Domains and click Add sending domain.
Enter your chosen subdomain — for example, mail.yourbrand.com — and click Continue. Klaviyo generates three CNAME records unique to your subdomain. Keep this window open.
Step 2: Add the Three CNAME Records to Your DNS Panel
Log into your domain registrar and add the records Klaviyo provided:
| Record Type | Host / Name | Value / Target |
|---|---|---|
| CNAME | mx._domainkey.mail (example) | Klaviyo-provided value |
| CNAME | s1._domainkey.mail (example) | Klaviyo-provided value |
| CNAME | mail (Return-Path) | Klaviyo-provided value |
Copy the exact values from Klaviyo’s wizard — do not paraphrase or reconstruct them. The first two CNAMEs are your DKIM records. The third is the Return-Path CNAME, which handles bounce routing and SPF pass rates.
Watch for this: some registrars auto-append your root domain to the hostname field. If you type mail and the registrar adds .yourbrand.com, the record resolves as mail.yourbrand.com.yourbrand.com — broken DNS. Check your registrar’s documentation on whether to include or omit the root domain in the Name field.
Step 3: Verify in Klaviyo
Return to Settings → Email → Sending Domains and click Verify DNS records. Klaviyo checks each CNAME in real time.
DNS propagation typically finishes within 24–48 hours but often resolves in under an hour. If verification fails right after you add the records, wait 30–60 minutes before retrying. Do not delete and re-add records — that restarts the propagation clock.
Step 4: Set the Domain as Your Default
Verification alone doesn’t activate the domain. In the Sending Domains panel, explicitly set your verified domain as the default sending domain.
This routes all new campaigns and flows through your custom domain going forward. Any existing flows already in progress are not retroactively changed.
Step 5: Confirm DKIM Alignment in Raw Headers
After your first send, check that alignment is actually working. Send a test from Klaviyo to a Gmail address you control. In Gmail, open the message → three-dot menu → Show original. Find the Authentication-Results header:
dkim=pass header.d=mail.yourbrand.com
If header.d still shows klaviyomail.com, the domain isn’t set as default or propagation isn’t complete. Wait and re-test — don’t skip this step. This 30-second check tells you more than any dashboard.
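The same check can be scripted against a message saved from Show original. This is an added example, not code from Klaviyo or from the original article; the `dkim_alignment` and `sample` helpers and the sample messages are constructed for illustration, and `mx.google.com` is assumed to be the receiver's identifier because the test mailbox is Gmail. It only trusts the Authentication-Results header stamped by your own receiver, and it models both relaxed alignment and strict alignment (adkim=s), under which d=mail.yourbrand.com does not align with a From address at yourbrand.com.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Some receivers report the signer as header.i=@domain instead of header.d=domain.
DKIM_PASS = re.compile(r"dkim=pass\b[^;]*?header\.(?:d=|i=[^\s;@]*@)([^\s;]+)", re.I)

def dkim_alignment(raw, org_domain, authserv_id="mx.google.com", strict=False):
    """Return (from_domain, passing_dkim_domains, aligned) for one raw message.

    org_domain is the brand's registered domain, passed in so that no Public
    Suffix List lookup is needed. strict=True models adkim=s (exact match).
    """
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    passing = []
    for value in msg.get_all("Authentication-Results", []):
        flat = " ".join(value.split())  # unfold continuation lines
        # Only trust results stamped by our own receiver; a sender can
        # insert an Authentication-Results header of its own.
        if flat.split(";")[0].strip().lower() != authserv_id:
            continue
        passing += [d.lower().rstrip(".") for d in DKIM_PASS.findall(flat)]

    def in_org(domain):
        return domain == org_domain or domain.endswith("." + org_domain)

    if strict:
        aligned = from_domain in passing
    else:
        aligned = in_org(from_domain) and any(in_org(d) for d in passing)
    return from_domain, passing, aligned

def sample(d_value, authserv="mx.google.com"):
    """Build a constructed test message; not captured from real mail."""
    return (
        f"Authentication-Results: {authserv};\n"
        f"       dkim=pass header.d={d_value} header.s=s1\n"
        "From: Your Brand <hello@yourbrand.com>\n"
        "Subject: alignment test\n\nbody\n"
    )

if __name__ == "__main__":
    for label, raw in [("default", sample("klaviyomail.com")),
                       ("custom", sample("mail.yourbrand.com")),
                       ("foreign header", sample("yourbrand.com", "mx.example.net"))]:
        print(label, dkim_alignment(raw, "yourbrand.com"))
```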
Does Switching to a Custom Domain Require Email Warm-Up?
Yes — and this is where most setup guides leave you exposed.
Your new custom domain has zero sending history with ISPs. The reputation accumulated on Klaviyo’s shared infrastructure belongs to Klaviyo’s domain, not yours. Gmail, Yahoo, and Outlook evaluate sender reputation per domain. A domain with no history is treated with the same caution as a brand-new sender — even if your list is clean and your engagement is strong.
Klaviyo’s official guidance recommends starting with your most engaged subscribers, then increasing volume incrementally over two to four weeks. Monitor bounce rates and spam complaints at each stage.
For senders under 50,000 emails per month, the warm-up window is shorter and more forgiving. For high-volume senders, plan the full two to four weeks before returning to your full list. Rushing this stage is the most common reason brands see deliverability dip immediately after setting up a custom domain — not a DNS error, but an absent warm-up. According to Litmus’s 2024 State of Email report, deliverability problems are the top concern for email marketers for the third consecutive year — and the majority trace back to authentication and reputation issues, not content.
What Comes Next: DMARC Policy and BIMI
A custom sending domain makes DMARC enforcement possible on your brand domain — but you still need to configure the DMARC record itself. The domain setup doesn’t publish one automatically.
As an email deliverability practitioner and AI Architect working with eCommerce brands, the approach I recommend every time: start with monitoring, confirm alignment across every sending source, then escalate policy. Don’t rush to p=reject before your aggregate reports are clean.
Start with a monitoring-only policy:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourbrand.com
Use the aggregate reports (rua) to confirm alignment is consistent across all sending sources — Klaviyo, transactional mail, CRM, review platforms. Once you’re confident, escalate to p=quarantine, then p=reject.
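One way to read an aggregate report for that purpose, as an added example that is not part of the original article or any vendor's tooling: it groups each reported source by whether it aligned through DKIM, through SPF only, or not at all. The report content, IP addresses and signer domains are constructed, the `record`, `review` and `failing_share` names are hypothetical, and the report's elements are assumed to carry no XML namespace.

```python
import xml.etree.ElementTree as ET

def record(ip, count, dkim, spf, signer):
    """Build one constructed <record>; dkim/spf are the DMARC-aligned verdicts."""
    return (
        f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
        f"<policy_evaluated><disposition>none</disposition>"
        f"<dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row>"
        f"<identifiers><header_from>yourbrand.com</header_from></identifiers>"
        f"<auth_results><dkim><domain>{signer}</domain><result>pass</result></dkim>"
        f"</auth_results></record>"
    )

# Constructed report: documentation-range IPs, hypothetical signer domains.
REPORT = (
    "<feedback>"
    + record("192.0.2.10", 1200, "pass", "pass", "mail.yourbrand.com")   # custom domain live
    + record("198.51.100.7", 300, "fail", "fail", "klaviyomail.com")     # still on the default
    + record("203.0.113.5", 500, "fail", "pass", "reviews-esp.example")  # aligned via SPF only
    + "</feedback>"
)

def review(xml_text):
    """Group report rows into dkim_aligned, spf_only and failing sources."""
    # Reports come from third parties: in production use a hardened XML parser
    # (for example defusedxml) instead of the standard-library one used here.
    buckets = {"dkim_aligned": [], "spf_only": [], "failing": []}
    for rec in ET.fromstring(xml_text).iter("record"):
        verdict = rec.find("row/policy_evaluated")
        if verdict.findtext("dkim") == "pass":
            key = "dkim_aligned"
        elif verdict.findtext("spf") == "pass":
            key = "spf_only"      # passes DMARC, but SPF breaks on forwarding
        else:
            key = "failing"       # would be quarantined or rejected after escalation
        signers = sorted(d.text for d in rec.iterfind("auth_results/dkim/domain"))
        buckets[key].append((rec.findtext("row/source_ip"),
                             int(rec.findtext("row/count")), signers))
    return buckets

def failing_share(buckets):
    """Fraction of reported message volume that fails DMARC outright."""
    total = sum(count for rows in buckets.values() for _, count, _ in rows)
    failed = sum(count for _, count, _ in buckets["failing"])
    return failed / total if total else 0.0
```

A source in the failing bucket whose signer is still klaviyomail.com is mail that has not moved to the custom sending domain yet.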
p=quarantine is also the minimum DMARC policy required for BIMI (Brand Indicators for Message Identification) eligibility — the verified checkmark that appears next to your brand name in Gmail and Yahoo inboxes. The custom sending domain work you’re doing now is the prerequisite. See our BIMI implementation guide for the full path.
The Full Deliverability Picture
A Klaviyo custom sending domain is the foundational infrastructure layer for eCommerce email. Everything else in the email deliverability guide — reputation building, inbox placement, engagement optimization — depends on this being right first.
What it unlocks, specifically:
- DKIM alignment on your brand domain — DMARC can now pass on the domain your subscribers see
- Sender reputation tied to your brand — accrues in Google Postmaster Tools under your domain, not Klaviyo’s
- A path to DMARC enforcement — p=quarantine and p=reject become viable once every sending source aligns
- BIMI eligibility — verified checkmark in Gmail and Yahoo, gated behind p=quarantine
The InboxEagle deliverability monitoring platform tracks authentication health across all your sending sources — not just Klaviyo — so alignment gaps surface before they affect inbox placement. The Klaviyo integration connects directly to your account.
Frequently Asked Questions
Q: What is a custom sending domain in Klaviyo?
A custom sending domain is a branded subdomain you own — typically mail.yourbrand.com — that Klaviyo uses to authenticate and send your emails instead of its default klaviyomail.com infrastructure. Sender reputation, DKIM signatures, and bounce handling all resolve under your brand domain rather than Klaviyo’s shared pool.
Q: Do I need a custom sending domain in Klaviyo?
If you’re sending more than 5,000 emails per day to Gmail, yes — Google’s 2024 bulk sender requirements mandate DMARC alignment, which Klaviyo’s default setup cannot provide. Below that threshold, a custom sending domain is still the correct setup: it’s the only way to build sender reputation on your own domain.
Q: How long does DNS propagation take for a Klaviyo custom sending domain?
The DNS records typically propagate within a few hours, though the full window is 24–48 hours. Klaviyo’s setup wizard shows real-time verification status per record. If all three CNAMEs aren’t verifying after 48 hours, check for a double-domain issue in your registrar’s hostname field (see Step 2 above).
Q: Will switching to a custom sending domain hurt my deliverability short-term?
It can — if you skip the warm-up. A fresh custom domain has no ISP sending history, and jumping straight to full-list volume will trigger spam filter scrutiny. Start with your most engaged segment and ramp up over two to four weeks, monitoring complaint and bounce rates throughout.
Q: What DNS records does Klaviyo require for a custom sending domain?
Three CNAMEs: two for DKIM authentication (signing your emails under your subdomain) and one for your Return-Path (handling bounces and SPF). All three are generated by Klaviyo in Settings → Email → Sending Domains after you enter your chosen subdomain.
If you want to confirm your Klaviyo authentication is actually passing alignment — and see how it looks across every sending source in your stack — try InboxEagle.
Sources
- Klaviyo — Set Up a Branded Sending Domain
- Klaviyo — Domain Warm-Up for Dedicated Sending Domains
- Google Email Sender Guidelines
- Litmus — 2024 State of Email Report
- dmarcian — DMARC Record Wizard
Note: Content created with the help of AI and human-edited and fact-checked to avoid AI hallucinations.