SenderReady

ConvertKit/Kit SPF, DKIM, and DMARC setup review

Kit, formerly ConvertKit, uses Verified Sending Domains to authenticate creator and newsletter email. Review the domain, account-generated DNS records, DKIM/SPF alignment, DMARC policy, and custom-domain confusion before editing production DNS.

Scan the Kit sending domain first

Check public DMARC, SPF, DKIM, MX, BIMI, MTA-STS, and TLS-RPT signals before editing Kit verified sending domain records.

01$0Free scan

Check the public sender-auth records mailbox providers expect.

02$0Shareable action plan

Keep one URL with evidence, owner steps, and decisions.

03$49$49 fix plan

Add human review, provider context, and verification steps.

Optional. Most first scans can run with just the domain.
Checks Gmail, Yahoo, and Microsoft sender requirementsPublic DNS onlyNo mailbox login needed
Example result72/100Needs attention

Review DMARC policy strength before a high-volume send.

Public DNS evidence
DMARC/SPF/DKIM status and caveats are visible before you pay.
Owner-ready next step
The audit adds provider context and a verification checklist.
Get the exact fix plan for your domain.$49 readiness audit: prioritized owner actions, DNS evidence, and verification checks.
Get my $49 fix planView sample
Sender readiness cockpitExample action plan

Public DNS workspace

Overall sender readiness

72/100

Needs attention

Sample output: one warning and one fail mean this domain is not campaign-ready yet.

DMARCPass
SPFPass
DKIMPass
MXPass
BIMIWarning
MTA-STSFail

Fix workspace preview

The scan becomes a focused work surface: evidence, owner action, verification, and the paid context a public lookup cannot infer.

HighDMARC

Review DMARC policy strength before a high-volume send.

Evidence
Evidence: a monitoring-only policy can satisfy visibility needs, but enforcement requires aligned legitimate senders.
Verify after change
Re-scan _dmarc after DNS propagation and confirm aligned SPF or DKIM senders before enforcement.
Paid audit adds
Policy sequence, starter record review, alignment questions, and enforcement caveats.
Get my fix plan

Why Kit setup needs sender context

A verified sending domain can make Kit mail align better with the visible From domain, but DMARC still evaluates the complete sender map. The same domain may also send through Google Workspace, Microsoft 365, Shopify, helpdesk tools, billing tools, event platforms, and transactional providers.

Kit custom page domains are a separate DNS workflow from email authentication. Keep landing-page URLs, Kit Ads page domains, From addresses, return-path alignment, and DMARC policy decisions in separate review buckets.

Setup areas to review

  • Use the current Kit naming with legacy search clarity: ConvertKit is now Kit, but many teams still search for ConvertKit DNS help. Treat the product as Kit in the account and docs, while confirming the route and page title match legacy search intent.
  • Verify the actual sending domain: Kit calls the email-authentication surface a Verified Sending Domain. Add the top-level domain or sending subdomain that appears in the From address, then validate it in Kit after DNS propagation.
  • Copy Kit-generated DNS records: Manual setup uses the DNS records shown in the Kit account, and Kit describes the process as requiring a basic understanding of CNAME records. Do not copy selectors, hostnames, or targets from another account.
  • Check DKIM, SPF, return-path, and DMARC alignment together: Kit says a verified sending domain can put the sender domain in the return-path, DKIM-sign messages using the domain, authenticate SPF using the domain, and allow Kit messages to pass DMARC.
  • Add or preserve one DMARC TXT record: Kit can provide a default DMARC record with p=none, but an existing DMARC policy should not be overwritten blindly. Keep one TXT record at the DMARC host and review reporting before enforcement.
  • Keep custom page domains separate: Kit custom domains for landing pages, forms, Creator Profile URLs, and Kit Ads are separate from Verified Sending Domain authentication. Do not treat a page-domain DNS change as email authentication.
  • Stage reputation-sensitive changes: Kit warns that enabling a verified sending domain can affect engagement metrics while mailbox providers recalculate reputation. Avoid stacking this DNS change with a major list or sending-pattern change.

DNS record examples and caveats

These examples show record shapes only. Kit account settings and current official docs are the authority for generated hostnames, targets, selectors, and any default DMARC record the account displays.

  • Kit verified sending domain CNAME shape: provider-generated host -> provider-generated Kit target. Use the exact records Kit shows. Some DNS providers require shortened hostnames rather than the full domain-qualified value.
  • Kit DKIM CNAME shape: provider-generated selector._domainkey host -> provider-generated Kit target. Selectors and targets are account-specific. Confirm Kit validates the record after DNS propagation.
  • DMARC TXT monitoring shape: v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com. Kit provides a default p=none option, but the reporting address and eventual policy should match the domain owner's DMARC plan.

Safe verification sequence

  1. List Kit broadcasts, sequences, forms, ads, and any other domain senders.
  2. Confirm the From address uses a domain the business owns.
  3. Add the domain or sending subdomain as a Verified Sending Domain in Kit.
  4. Copy the exact DNS records shown in Kit, using shortened hostnames if DNS requires them.
  5. Check public DNS after propagation and revalidate the domain in Kit.
  6. Inspect a Kit test-message header for DKIM, SPF, return-path, and DMARC alignment.
  7. Review DMARC reports before moving from p=none to quarantine or reject.

Kit authentication FAQ

Is ConvertKit still the right provider name for DNS setup?

The current product name is Kit. The route keeps ConvertKit for legacy search intent, but account settings and official docs should be read as Kit guidance.

Does Kit give me universal SPF and DKIM values to copy?

No. Kit's verified sending domain flow shows account-generated records. Use those exact values and avoid publishing generic SPF includes or DKIM selectors from a third-party checklist.

Should I add a separate SPF TXT record for Kit?

Not from a generic guide. Kit documents a verified sending domain flow that authenticates SPF using the domain, and manual setup centers on the records shown in Kit. If SPF needs editing for another sender, keep only one SPF TXT record for the domain.

Can I use a Gmail, Yahoo, or Outlook address as my Kit From address?

Kit recommends sending marketing email from a domain you own rather than a personal or provider domain. Use a business domain so authentication and sender reputation are under your control.

Is my Kit custom domain the same as my verified sending domain?

No. Kit custom domains are for hosted page and opt-in URLs. Verified Sending Domain setup is the email authentication workflow for sending.

Can I set DMARC to quarantine or reject after adding Kit?

Only after Kit and every other legitimate sender using the domain pass aligned SPF or DKIM. Start with monitoring, inspect reports and headers, then move enforcement in stages.

Can a scanner fully verify Kit setup?

A scanner can inspect public DNS and common authentication signals, but full verification needs the Kit Verified Sending Domain status and a signed test-message header.

Turn the scan into a Kit fix list

SenderReady readiness audits organize public DNS findings, Kit-specific review steps, and cautious next actions for the domain owner or DNS admin. The report is a diagnostic aid, not a deliverability guarantee.

View audit options