Mandrill SPF & DKIM Configuration: A Complete Step-by-Step Guide by AutoSPF

Vishal Lamba Content Specialist
Updated April 7, 2026 | Updated for 2026

Quick Answer

Email deliverability is no longer optional—it’s foundational. If you’re using Mandrill by Mailchimp to send transactional emails, properly configuring SPF and DKIM is one of the most important steps you can take to protect your domain, improve inbox placement, and prevent spoofing.

DKIM (RFC 6376) signs email messages cryptographically, and unlike SPF, the signature survives email forwarding — which is why DMARC alignment via DKIM is more reliable than SPF alignment for forwarded mail and mailing lists.

At AutoSPF, we see countless domains struggle with delivery issues simply because SPF and DKIM were misunderstood, misconfigured, or partially implemented. This guide walks you through Mandrill SPF and DKIM setup step by step, explains why each step matters, and highlights common mistakes that quietly damage email performance.

Whether you’re setting up Mandrill for the first time or auditing an existing configuration, this guide will help you do it the right way.

Why SPF and DKIM Matter for Mandrill Email Sending

Before jumping into configuration, it’s important to understand what SPF and DKIM actually do and why Mandrill depends on them.

SPF: Proving Who Is Allowed to Send

Sender Policy Framework (SPF) tells receiving mail servers which IP addresses and services are authorized to send email on behalf of your domain.

When Mandrill sends an email using your domain in the “From” address, the receiving server checks:

  • Does this IP appear in the domain’s SPF record?

  • If yes → SPF passes

  • If no → SPF fails or soft-fails

Without SPF, your emails are far more likely to be:

DKIM: Proving the Email Wasn’t Altered

DomainKeys Identified Mail (DKIM) adds a cryptographic signature to every outgoing message. This signature allows inbox providers to verify:

  • The email was authorized by your domain

  • The message content hasn’t been modified in transit

Mandrill signs messages with DKIM automatically—but only if you publish the correct DKIM records in DNS.

Why Mandrill Requires Both

Modern inbox providers (Gmail, Outlook, Yahoo) expect SPF and DKIM alignment, especially when DMARC is in place. Missing either one dramatically increases the risk of delivery failure.

What You Need Before Starting

Before configuring SPF and DKIM for Mandrill, make sure you have:

  • Access to your domain’s DNS provider

  • An active Mandrill account

  • A verified sending domain

  • Basic understanding of DNS records (TXT and CNAME)

If DNS access is handled by a third party (hosting provider, IT team, or registrar), coordinate with them before proceeding.

Step 1: Add Mandrill to Your SPF Record

What Is Mandrill’s SPF Requirement?

Mandrill sends email from shared IP infrastructure. To authorize Mandrill, you must include its SPF mechanism in your domain’s SPF record.

Mandrill’s SPF include value is:

include:spf.mandrillapp.com

Locate Your Existing SPF Record

Most domains already have an SPF record. It looks like this:

v=spf1 ip4:192.0.2.10 include:_spf.google.com ~all

Important: You must never create multiple SPF records. Only one SPF record is allowed per domain.

Update the SPF Record to Include Mandrill

Add Mandrill’s include mechanism before the all tag:

v=spf1 ip4:192.0.2.10 include:_spf.google.com include:spf.mandrillapp.com ~all

If Mandrill is the only service sending email for your domain, your SPF record may be as simple as:

v=spf1 include:spf.mandrillapp.com ~all

Publish the Updated SPF Record

Save the updated TXT record in DNS. SPF changes typically propagate within minutes, but can take up to 48 hours depending on your DNS provider.

Step 2: Verify SPF Is Working Correctly

After publishing the record, verify that:

  • There is only one SPF record

  • The record starts with v=spf1

  • Mandrill is included

  • The record does not exceed the 10 DNS lookup limit

At AutoSPF, we frequently see Mandrill SPF failures caused by:

  • Nested includes pushing DNS lookups beyond 10

  • Duplicate SPF records created by mistake

  • Incorrect placement of the all mechanism

If your SPF record is already complex, consider SPF flattening to avoid future failures.
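
The Step 2 checks can be scripted. The following is an added example, not AutoSPF or Mandrill code: it audits SPF records held in a constructed in-memory zone instead of querying live DNS, the nested records are made up for illustration, and the function names are hypothetical.

```python
import re

# Constructed TXT data standing in for live DNS answers. The nested records
# are illustrative, not the providers' real published SPF records.
ZONE = {
    "example.com": ["v=spf1 ip4:192.0.2.10 include:_spf.google.com "
                    "include:spf.mandrillapp.com ~all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.example.net ~all"],
    "_netblocks.example.net": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "spf.mandrillapp.com": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "dup.example": ["v=spf1 include:spf.mandrillapp.com ~all", "v=spf1 -all"],
}
QUERYING = {"include", "a", "mx", "exists", "ptr", "redirect"}  # RFC 7208 4.6.4

def spf_records(domain, zone):
    """Return only the TXT strings that are SPF records."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, depth=0):
    """Count DNS-querying terms, following include/redirect targets."""
    recs = spf_records(domain, zone)
    if len(recs) != 1 or depth > 10:      # not resolvable here, or a runaway loop
        return 0
    total = 0
    for term in recs[0].lower().split()[1:]:
        term = term.lstrip("+-~?")        # drop the qualifier
        name = re.split(r"[:=/]", term, maxsplit=1)[0]
        if name in QUERYING:
            total += 1
            if name in ("include", "redirect"):
                target = re.split(r"[:=]", term, maxsplit=1)[1]
                total += count_lookups(target, zone, depth + 1)
    return total

def audit(domain, zone, required="include:spf.mandrillapp.com"):
    """Return a list of problems; an empty list means every check passed."""
    recs = spf_records(domain, zone)
    if len(recs) != 1:
        return [f"expected exactly 1 SPF record, found {len(recs)}"]
    terms = recs[0].lower().split()
    problems = []
    if required not in terms:
        problems.append("Mandrill include missing")
    alls = [i for i, t in enumerate(terms) if t.lstrip("+-~?") == "all"]
    if alls and alls[0] != len(terms) - 1:
        problems.append("'all' is not the last term")
    n = count_lookups(domain, zone)
    if n > 10:
        problems.append(f"{n} DNS lookups exceeds the limit of 10")
    return problems
```

To run it against a real domain, replace `ZONE` with TXT answers collected from your resolver for the domain and every include target.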

Step 3: Set Up DKIM for Mandrill

SPF alone is not enough. DKIM is critical for authentication and alignment.

Add a Sending Domain in Mandrill

  1. Log in to your Mandrill dashboard
  2. Navigate to Settings → Sending Domains
  3. Click Add a Domain
  4. Enter the domain you send email from (e.g., example.com)

Mandrill will generate DKIM DNS records for you.

Step 4: Publish Mandrill DKIM Records in DNS

Mandrill provides two DKIM CNAME records per domain.

They look similar to this:

mandrill._domainkey.example.com → dkim.mandrillapp.com

mandrill2._domainkey.example.com → dkim2.mandrillapp.com

How to Add the DKIM Records

At your DNS provider:

  • Create CNAME records

  • Use the exact hostnames provided by Mandrill

  • Do not modify or shorten them

  • Do not use TXT records for Mandrill DKIM

Once added, save the changes.

Step 5: Verify DKIM Status in Mandrill

After DNS propagation:

  1. Return to Mandrill’s Sending Domains page
  2. Click Test DNS Settings

If configured correctly, Mandrill will display:

  • DKIM: Valid

  • SPF: Valid

If DKIM fails, common causes include:

  • Typo in CNAME hostnames

  • Using TXT instead of CNAME

  • DNS provider automatically appending the domain twice
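
The three DKIM failure causes above can be told apart from a DNS export. This is an added example, not Mandrill's own test: the expected hostnames are the example pair shown on this page, the sample rows are constructed, and `diagnose` is a hypothetical helper.

```python
import difflib

# Expected pairs copied from this page's example; substitute the exact
# hostnames Mandrill shows for your domain.
EXPECTED = {
    "mandrill._domainkey.example.com": "dkim.mandrillapp.com",
    "mandrill2._domainkey.example.com": "dkim2.mandrillapp.com",
}
# Constructed DNS export rows: (owner name, record type, value).
SAMPLE = [
    ("mandrill._domainkey.example.com.example.com.", "CNAME", "dkim.mandrillapp.com."),
    ("mandril2._domainkey.example.com.", "CNAME", "dkim2.mandrillapp.com."),
]

def norm(name):
    """Compare names case-insensitively and without the trailing root dot."""
    return name.rstrip(".").lower()

def diagnose(records, domain, expected=EXPECTED):
    """Map each expected DKIM hostname to 'ok' or the likely failure cause."""
    rows = [(norm(o), t.upper(), norm(v)) for o, t, v in records]
    others = [o for o, _, _ in rows if o not in expected]
    result = {}
    for host, target in expected.items():
        types = {t: v for o, t, v in rows if o == host}
        if types.get("CNAME") == target:
            result[host] = "ok"
        elif "CNAME" in types:
            result[host] = "CNAME points to " + types["CNAME"]
        elif "TXT" in types:
            result[host] = "TXT used instead of CNAME"
        elif f"{host}.{domain}" in others:
            # The provider appended the zone name to an already full hostname.
            result[host] = "domain appended twice"
        else:
            near = difflib.get_close_matches(host, others, n=1, cutoff=0.9)
            result[host] = f"possible typo: {near[0]}" if near else "missing"
    return result
```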

Step 6: Understand SPF and DKIM Alignment with DMARC

If your domain has a DMARC policy, alignment becomes critical.

How Alignment Works

  • SPF alignment checks the Return-Path domain

  • DKIM alignment checks the d= domain in the DKIM signature

Mandrill supports DKIM alignment automatically when configured correctly, which is why DKIM is often more reliable than SPF for transactional email.

For domains enforcing p=quarantine or p=reject, DKIM alignment is essential.

What Are Common Mandrill SPF & DKIM Mistakes We See at AutoSPF?

1. Multiple SPF Records

This is the most common and most damaging mistake. Multiple SPF records cause permanent SPF failure.

2. Exceeding the 10 DNS Lookup Limit

Mandrill + Google Workspace + marketing tools often exceed SPF limits silently.

3. Missing DKIM Records

Some senders rely on SPF alone, which is no longer sufficient for modern inbox filtering.

4. Incorrect DKIM Record Type

Mandrill requires CNAME DKIM records, not TXT.

5. Assuming Setup Is “One and Done”

Email infrastructure evolves. SPF and DKIM must be reviewed whenever:

  • A new email service is added

  • An old service is removed

  • DMARC policies are tightened

How AutoSPF Simplifies Mandrill SPF Management

SPF issues often don’t appear until emails start failing—and by then, reputation damage may already be done.

AutoSPF helps by:

  • Automatically flattening SPF records

  • Keeping DNS lookups under the limit of 10

  • Monitoring changes in included services

  • Preventing accidental SPF breaks

  • Ensuring Mandrill stays authorized at all times

Instead of manually editing complex SPF records, AutoSPF keeps your domain stable and compliant as your email stack grows.

How Email Authentication Affects Deliverability Over Time

Setting SPF and DKIM once isn’t enough — deliverability is dynamic.

Changes in Your Email Stack

As you integrate:

  • Marketing platforms

  • CRM systems

  • Support tools

  • Event-based triggers

Your SPF record grows. You might unknowingly:

  • Add third-party includes

  • Exceed DNS lookup limits

  • Break SPF syntax

AutoSPF mitigates this by flattening and optimizing SPF in real time.

Ongoing DKIM Rotation

Mandrill rotates keys periodically. If DNS CNAMEs are removed or changed without updating Mandrill, signatures will fail and delivery drops.

Regular monitoring ensures continuity.

Vishal Lamba

Content Specialist

Content Specialist at AutoSPF. Writes vendor-specific SPF configuration guides and troubleshooting walkthroughs.
