How to set up SPF, DKIM & DMARC for Customer.io
Customer.io deliberately authenticates through an account-specific subdomain (like cio12345.yourdomain.com) instead of your root domain, specifically so its SPF record never counts against your existing SPF's 10-lookup limit and its records can't collide with anything else in your DNS.
SPF and DKIM (account-specific subdomain)
Add a sending domain in Customer.io first — it generates a unique subdomain and the exact records for your account. Copy them from there; the values below are illustrative only.
| Type | TXT |
| Host / Name | cio12345Your account-specific subdomain — copy the real one from Customer.io's dashboard. |
| Value / Content | v=spf1 include:[value shown in dashboard] ~allExample only — generated per account; this SPF record lives entirely on the subdomain and doesn't touch your root domain's SPF. |
| Type | TXT |
| Host / Name | krs._domainkey.cio12345Same account-specific subdomain. |
| Value / Content | k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB…Example only — copy the exact DKIM value from the same dashboard screen. |
- Customer.io → Settings → Workspace Settings → Email → Add Sending Domain.
- Enter the domain, display name, and from-address, then use Automatic setup (via Entri, if your DNS provider is supported) or copy the records for manual setup.
- Do not delete any existing records on your root domain while doing this — the new records live entirely on the generated subdomain.
DMARC
DMARC is per-domain, not per-provider — one record at _dmarc.yourdomain.com covers Customer.io and everything else that sends as you. Start in monitor-only mode:
| Type | TXT |
| Host / Name | _dmarcSome providers want the full _dmarc.yourdomain.com here. |
| Value / Content | v=DMARC1; p=none; rua=mailto:your-report-addressExample only — replace your-report-address — our DMARC generator builds the record, or sign up free and we generate it with a report address that feeds your monitoring dashboard. |
Provider note: Because the SPF/DKIM records live on an account-specific subdomain rather than your root domain, they align under DMARC's relaxed mode the same way any subdomain does — no extra configuration needed on your end.
Full walkthrough: how to set up DMARC without breaking your email, and why aligned authentication is what DMARC actually checks.
Verify it worked
After DNS propagates (minutes to an hour), send a message from Customer.io to our inbox test — it shows the real SPF/DKIM/DMARC verdicts a receiver computes, including whether authentication aligned with your domain. Then HealthCheck Email keeps checking daily and alerts you when a record breaks.
Records current as of 2026-07-14. Provider dashboards change — the authoritative reference is Customer.io's official docs.