Email deliverability is not a guessing game. When organizations use third-party email platforms like Mailjet, proper SPF and DKIM configuration becomes a non-negotiable requirement for inbox placement, brand trust, and domain reputation.
At AutoSPF, we routinely see legitimate Mailjet emails fail authentication—not because Mailjet is misconfigured, but because SPF and DKIM were implemented incorrectly at the DNS level. Missing mechanisms, overwritten records, alignment issues, and lookup limits are all common culprits.
This guide walks through how to correctly set up SPF and DKIM for Mailjet, explains why each step matters, and highlights the most common mistakes that silently harm delivery. Whether you manage one domain or hundreds, this guide will help you get it right the first time.
Why SPF and DKIM Matter for Mailjet Email Sending
Mailjet is a high-volume email service provider used for transactional and marketing emails. Because Mailjet sends email on behalf of your domain, mailbox providers must be able to verify that Mailjet is authorized to do so.
SPF and DKIM serve different but complementary purposes:
- SPF (Sender Policy Framework) verifies which servers are allowed to send mail for your domain
- DKIM (DomainKeys Identified Mail) verifies that the message content hasn’t been altered and is cryptographically signed by your domain
Without both:
- Gmail may place messages in spam
- Microsoft may throttle or block delivery
- DMARC alignment will fail
- Your domain reputation can degrade over time
Mailjet supports both SPF and DKIM, but DNS ownership and accuracy are entirely your responsibility.
Understanding Mailjet’s Sending Architecture
Before configuring DNS, it’s important to understand how Mailjet sends mail.
Mailjet:
- Sends from shared or dedicated IPs
- Signs email with DKIM keys specific to your domain
- Uses its own sending infrastructure, which must be authorized via SPF
Because of this:
- You must not replace your existing SPF record
- You must add Mailjet to your existing SPF policy
- DKIM must be enabled and verified per sending domain
This is where many SPF failures originate.
How to Configure SPF for Mailjet (The Right Way)
Step 1: Locate Your Existing SPF Record
SPF records are published as TXT records at the root of your domain.
A valid SPF record always starts with:
v=spf1
Most domains already have one. If you create a second SPF record, SPF will fail entirely.
AutoSPF Tip: Only one SPF record is allowed per domain—multiple records invalidate SPF checks.
Step 2: Add Mailjet to Your SPF Record
Mailjet requires the following mechanism:
include:spf.mailjet.com
If your existing SPF record looks like this:
v=spf1 include:_spf.google.com ~all
You would update it to:
v=spf1 include:_spf.google.com include:spf.mailjet.com ~all
Do not remove other services unless you are certain they are unused.
Step 3: Validate SPF Lookup Count
SPF has a hard limit of 10 DNS lookups. Mailjet’s include consumes lookups just like Google Workspace, Microsoft 365, CRMs, and ticketing systems.
If you exceed the limit:
- SPF returns PermError
- Mailbox providers treat the message as unauthenticated
This is one of the most common Mailjet deliverability issues AutoSPF encounters.
AutoSPF Recommendation: Flatten or dynamically manage SPF if your domain uses multiple senders.
Step 4: Choose the Correct SPF Policy
At the end of your SPF record, you’ll see one of the following:
- ~all (soft fail – recommended during setup)
- -all (hard fail – stricter enforcement)
For production domains sending critical mail, -all is preferred only after verification.
How to Configure DKIM for Mailjet
Unlike SPF, DKIM requires domain-specific cryptographic keys published in DNS.
Mailjet supports DKIM signing, but you must enable it manually.
Step 1: Add and Verify Your Sending Domain in Mailjet
In the Mailjet dashboard:
- Navigate to Sender Domains
- Add your domain (e.g., example.com)
- Choose Authenticate this domain
Mailjet will generate DNS records for verification.
Step 2: Publish the DKIM TXT Record
Mailjet typically provides a DKIM record in this format:
Host / Name:
mailjet._domainkey.example.com
Value:
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A…
Important considerations:
- Publish exactly as provided
- Do not wrap or alter the public key
- Ensure there are no extra spaces or quotation issues
DNS propagation may take up to 24 hours.
Step 3: Verify DKIM Status in Mailjet
Once DNS propagates:
- Mailjet will confirm DKIM verification
- Outgoing mail will be DKIM-signed using your domain
Unsigned Mailjet mail is significantly more likely to be filtered or rejected.
SPF vs DKIM: Why You Need Both for Mailjet
Some organizations mistakenly configure only SPF or only DKIM.
This is insufficient in modern email ecosystems.
Here’s why:
| Authentication | Purpose | Can Be Forwarded? |
| SPF | Server authorization | ❌ No |
| DKIM | Message integrity | ✅ Yes |
Because Mailjet emails may pass through forwarding, gateways, or security layers, DKIM is essential for preserving authentication.
When combined with DMARC, SPF and DKIM work together to:
- Prevent spoofing
- Improve inbox placement
- Enable reporting and policy enforcement
DMARC Alignment Considerations for Mailjet
If your domain has a DMARC policy (p=none, quarantine, or reject), alignment matters.
To pass DMARC:
- SPF or DKIM must pass
- The authenticated domain must align with the “From” domain
Mailjet DKIM typically aligns automatically if configured correctly. SPF alignment may vary depending on bounce domains and configuration.
AutoSPF Insight: DKIM alignment is usually more reliable than SPF for Mailjet, which is why DKIM should never be skipped.
Common Mailjet SPF & DKIM Mistakes (We See These Daily)
❌ Creating Multiple SPF Records
Breaks SPF entirely.
❌ Replacing SPF Instead of Merging
Removes authorization for other services.
❌ Exceeding the 10-Lookup Limit
Results in SPF PermError.
❌ Publishing DKIM at the Wrong Hostname
DKIM will never verify.
❌ Forgetting to Enable DKIM Signing in Mailjet
DNS exists, but messages remain unsigned.
❌ Assuming “Delivered” Means “Authenticated”
Inbox placement depends on authentication, not just SMTP acceptance.
How AutoSPF Simplifies Mailjet Authentication
Manually managing SPF becomes unsustainable as organizations add more tools.
AutoSPF helps by:
- Automatically merging Mailjet into existing SPF records
- Preventing lookup limit failures
- Continuously monitoring SPF health
- Reducing human error during DNS changes
For teams sending through Mailjet alongside Google Workspace, Microsoft 365, CRMs, and marketing platforms, automated SPF management is the only scalable approach.
Testing and Monitoring Your Setup
After configuration, always validate:
- SPF pass
- DKIM pass
- DMARC alignment
Use:
- Mailjet test sends
- Header analysis from real inboxes
- Ongoing DMARC reports
Authentication is not a “set and forget” task—DNS changes, vendor updates, and new tools can silently break it.
Final Thoughts from AutoSPF
Mailjet is a powerful email platform, but its effectiveness depends entirely on correct domain authentication.
A properly configured SPF and DKIM setup:
- Protects your brand
- Improves inbox placement
- Enables DMARC enforcement
- Prevents spoofing and abuse
If you take one thing away from this guide, let it be this:
SPF and DKIM are not optional when using Mailjet—and small DNS mistakes can have outsized deliverability consequences.
At AutoSPF, we help organizations remove that risk entirely by making SPF management automatic, accurate, and scalable.
