How to set up SPF, DKIM & DMARC for Customer.io

Customer.io deliberately authenticates through an account-specific subdomain (like cio12345.yourdomain.com) instead of your root domain, specifically so its SPF record never counts against your existing SPF's 10-lookup limit and its records can't collide with anything else in your DNS.

SPF and DKIM (account-specific subdomain)

Add a sending domain in Customer.io first — it generates a unique subdomain and the exact records for your account. Copy them from there; the values below are illustrative only.

Type
TXT
Host / Name
cio12345

Your account-specific subdomain — copy the real one from Customer.io's dashboard.

Value / Content
v=spf1 include:[value shown in dashboard] ~all

Example only — generated per account; this SPF record lives entirely on the subdomain and doesn't touch your root domain's SPF.

Type
TXT
Host / Name
krs._domainkey.cio12345

Same account-specific subdomain.

Value / Content
k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB…

Example only — copy the exact DKIM value from the same dashboard screen.

  1. Customer.io → Settings → Workspace Settings → Email → Add Sending Domain.
  2. Enter the domain, display name, and from-address, then use Automatic setup (via Entri, if your DNS provider is supported) or copy the records for manual setup.
  3. Do not delete any existing records on your root domain while doing this — the new records live entirely on the generated subdomain.

DMARC

DMARC is per-domain, not per-provider — one record at _dmarc.yourdomain.com covers Customer.io and everything else that sends as you. Start in monitor-only mode:

Type
TXT
Host / Name
_dmarc

Some providers want the full _dmarc.yourdomain.com here.

Value / Content
v=DMARC1; p=none; rua=mailto:your-report-address

Example only — replace your-report-address — our DMARC generator builds the record, or sign up free and we generate it with a report address that feeds your monitoring dashboard.

Provider note: Because the SPF/DKIM records live on an account-specific subdomain rather than your root domain, they align under DMARC's relaxed mode the same way any subdomain does — no extra configuration needed on your end.

Full walkthrough: how to set up DMARC without breaking your email, and why aligned authentication is what DMARC actually checks.

Verify it worked

After DNS propagates (minutes to an hour), send a message from Customer.io to our inbox test — it shows the real SPF/DKIM/DMARC verdicts a receiver computes, including whether authentication aligned with your domain. Then HealthCheck Email keeps checking daily and alerts you when a record breaks.

Records current as of 2026-07-14. Provider dashboards change — the authoritative reference is Customer.io's official docs.