Brevo sender authentication depends on the right sender domain, Brevo code ownership verification, DKIM records, DMARC policy, and dedicated-IP edge cases. Use this review before changing DNS so marketing and transactional streams stay mapped cleanly.
Scan the Brevo sending domain first
Check public DMARC, SPF, DKIM, MX, BIMI, MTA-STS, and TLS-RPT signals before editing Brevo authentication records.
Brevo authentication can verify a domain for Brevo sends, but the same domain may also send through Google Workspace, Microsoft 365, Shopify, Zendesk, Intercom, Salesforce, or billing tools. DMARC enforcement should wait until every legitimate sender is mapped.
Brevo also distinguishes standard domain authentication from dedicated-IP setup. That matters because normal authentication focuses on Brevo code, DKIM, and DMARC, while SPF and MX records are not standard authentication requirements.
Setup areas to review
Authenticate the actual sender domain: Brevo says to authenticate the domain or subdomain used to send through Brevo. If multiple From domains send through Brevo, authenticate each one instead of assuming the root domain covers every stream.
Add the Brevo ownership TXT record: The Brevo code TXT record proves that the domain owner controls the sending domain. Copy the name and value from the Brevo Domains page, because values vary by account and domain.
Publish the DKIM record Brevo shows: Brevo can show either one DKIM TXT record or two DKIM CNAME records. Use the exact record type, host, and value from Brevo rather than a generic selector from another account.
Review DMARC before accepting replacement prompts: Brevo can add or verify a DMARC TXT record. If a DMARC record already exists, review it carefully before replacing it, and keep only one DMARC record at the policy host.
Do not add SPF or MX for normal authentication: Brevo says SPF and MX records are not required for standard domain authentication and are provided when setting up a dedicated IP. Audit SPF separately before stacking Brevo with other platforms.
Separate shared-IP authentication from dedicated-IP setup: Brevo dedicated IP setup is a different workflow that can involve NS records or a larger A, MX, CNAME, DKIM, SPF, and DMARC record set. Do not copy dedicated-IP records into a shared-IP sender setup.
DNS record examples and caveats
These examples show record shapes only. Brevo account settings and current official docs are the authority for exact generated hostnames, targets, TXT values, and whether the domain uses TXT or CNAME DKIM.
Brevo code TXT shape: provider-generated host -> provider-generated Brevo TXT value. Use the record name and value copied from Brevo. This is ownership verification, not a universal value.
Brevo DKIM shape: provider-generated DKIM host -> 1 TXT value or 2 CNAME targets. Brevo account screens decide whether the domain uses one TXT DKIM record or two CNAME records.
DMARC TXT monitoring shape: v=DMARC1; p=none; rua=mailto:rua@dmarc.brevo.com. Brevo documents this reporting example, but existing DMARC records should be edited cautiously and kept as a single record.
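The DMARC review described above, as an added example (not Brevo's code and not part of the original page): it compares the TXT values already published at the policy host with a proposed replacement and lists what the swap would change. The domain example.com, its existing records and the function names are constructed for illustration; the proposed value is the monitoring shape quoted above.

```python
# Constructed sample data: example.com and its existing records are placeholders.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}
EXISTING = [
    "some-verification=constructed-sample",
    "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
]
PROPOSED = "v=DMARC1; p=none; rua=mailto:rua@dmarc.brevo.com"


def parse_dmarc(txt):
    """Split a DMARC TXT value into a dict keyed by lowercase tag name."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_records(txt_values):
    """Keep only the TXT values at _dmarc.<domain> that are DMARC records."""
    return [v for v in txt_values if v.strip().lower().startswith("v=dmarc1")]


def rua_set(tags):
    """Aggregate-report destinations as a normalised set."""
    return {u.strip().lower() for u in tags.get("rua", "").split(",") if u.strip()}


def review_replacement(existing_txt_values, proposed):
    """List what changes if `proposed` replaces the published DMARC record."""
    found = dmarc_records(existing_txt_values)
    if not found:
        return ["no existing DMARC record: proposed record can be added as-is"]
    findings = []
    if len(found) > 1:
        # RFC 7489: with more than one record, DMARC processing is not applied.
        findings.append(f"{len(found)} DMARC records at the policy host: merge into one")
    old, new = parse_dmarc(found[0]), parse_dmarc(proposed)
    old_p, new_p = old.get("p", "none").lower(), new.get("p", "none").lower()
    if POLICY_RANK.get(new_p, 0) < POLICY_RANK.get(old_p, 0):
        findings.append(f"policy downgrade: p={old_p} -> p={new_p}")
    lost = sorted(rua_set(old) - rua_set(new))
    if lost:
        findings.append("reporting destinations dropped: " + ", ".join(lost))
    return findings or ["replacement keeps policy and reporting destinations"]


if __name__ == "__main__":
    print("\n".join(review_replacement(EXISTING, PROPOSED)))
```

Feed it the TXT answers returned for the _dmarc host of the sender domain; a dropped destination is usually resolved by listing both addresses in one rua tag rather than accepting the replacement.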
Safe verification sequence
List Brevo marketing, transactional, automation, and dedicated-IP sends.
Confirm whether the account is using shared-IP sending or a dedicated IP.
Authenticate the exact sender domain or subdomain shown in the From address.
Copy the Brevo code, DKIM, and DMARC records from the Brevo Domains page.
Inspect existing DMARC before replacing or editing the policy record.
Check public DNS after propagation and confirm Brevo authentication status.
Inspect a sent message header for DKIM and DMARC alignment evidence.
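An added example for the last step, not taken from Brevo or from the original page: it reads the Authentication-Results header of a received test message and reports whether DKIM and SPF align with the From domain in relaxed mode. The message, hosts and selector are constructed, and the organizational domain is passed in by the caller as an assumption because deriving it properly needs the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; receiver host, selector and domains are placeholders.
RAW = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.d=news.example.com header.s=sel1;
 spf=pass smtp.mailfrom=bounces.esp.example;
 dmarc=pass header.from=news.example.com
From: Shop <hello@news.example.com>
Subject: constructed test

body
"""

DOMAIN = r"(?:[^\s;@]*@)?([\w.-]+)"  # optional local part, then the domain


def same_org(domain, org_domain):
    """True if domain is org_domain or one of its subdomains."""
    domain = domain.lower().rstrip(".")
    return domain == org_domain or domain.endswith("." + org_domain)


def alignment_report(raw, org_domain):
    """Summarise DKIM/SPF relaxed alignment with the From domain."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    results = " ".join(msg.get_all("Authentication-Results", []))
    from_ok = same_org(from_domain, org_domain)
    report = {"from": from_domain, "dkim_aligned": False, "spf_aligned": False}
    # A message can carry several DKIM signatures; one aligned pass is enough.
    for verdict, dom in re.findall(r"dkim=(\w+)[^;]*?header\.(?:d|i)=" + DOMAIN, results):
        if verdict == "pass" and from_ok and same_org(dom, org_domain):
            report["dkim_aligned"] = True
    spf = re.search(r"spf=(\w+)[^;]*?smtp\.mailfrom=" + DOMAIN, results)
    if spf and spf.group(1) == "pass":
        report["spf_aligned"] = from_ok and same_org(spf.group(2), org_domain)
    dmarc = re.search(r"dmarc=(\w+)", results)
    report["dmarc"] = dmarc.group(1) if dmarc else "missing"
    return report


if __name__ == "__main__":
    print(alignment_report(RAW, "example.com"))
```

In the constructed message SPF passes for an unaligned bounce domain while DKIM passes for the From domain, so DMARC passes on DKIM alignment alone. Read the Authentication-Results header added by the receiving mailbox, not one carried in from an earlier hop.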
Brevo authentication FAQ
Does Brevo require SPF to authenticate my domain?
Brevo documentation says SPF and MX records are not required for standard domain authentication. Brevo provides those records when setting up a dedicated IP, so review the actual Brevo account path before changing SPF.
Why does Brevo show two DKIM CNAME records?
Brevo says two CNAME records can be used as a more secure DKIM setup that allows key rotation. Some accounts may still show a TXT DKIM record, so copy the exact records Brevo displays.
Can I authenticate a Gmail or Yahoo sender in Brevo?
Brevo says free or public sender domains cannot be authenticated because the sender needs a domain they own and control. Use a business domain or subdomain before relying on Brevo domain authentication.
Can Brevo replace my existing DMARC record?
Automatic authentication can ask whether to replace an existing DMARC record. Review the current DMARC policy, reporting destinations, and other senders before replacing it.
Can a public scanner fully verify Brevo setup?
A scanner can inspect public DNS records and common provider signals, but a complete Brevo review still needs the Brevo Domains status page and a signed test-message header.
Turn the scan into a Brevo fix list
SenderReady readiness audits organize public DNS findings, Brevo-specific review steps, and cautious next actions for the domain owner or DNS admin. The report is a diagnostic aid, not a deliverability guarantee.