This guide walks you through how to set up SPF and DKIM for your Mailjet emails. Getting these records in place helps your emails land in inboxes instead of junk folders, keeps your domain reputation strong, and supports DMARC enforcement.
SPF SETUP FOR MAILJET
SPF (Sender Policy Framework) is a DNS record that tells receiving servers which services are allowed to send email for your domain. Mailjet handles bounce handling with its own Return-Path domain, but it's still best practice to include them in your SPF record.
To modify your SPF record, do the following:
/msdyn_blobfile/$value)
Please Note: Mailjet's SPF may not align with your domain because of how they handle the Return-Path. That's expected. DKIM usually takes care of DMARC alignment.
DKIM SETUP FOR MAILJET
DKIM (DomainKeys Identified Mail) lets Mailjet sign your messages so recipients can confirm they really came from your domain. It's essential for passing DMARC.
To enable DKIM for Mailjet, do the following:/msdyn_blobfile/$value)
DKIM KEY LENGTH CONSIDERATIONS
The security of your DKIM signature depends partly on the key length you choose. Mailjet allows you to regenerate keys with different encryption strengths./msdyn_blobfile/$value)
/msdyn_blobfile/$value)
/msdyn_blobfile/$value)
Note: The regenerate key option will only be available if the entire domain is validated. If only a sing email address has been verified, this option will be grayed out.
SPF SETUP FOR MAILJET
SPF (Sender Policy Framework) is a DNS record that tells receiving servers which services are allowed to send email for your domain. Mailjet handles bounce handling with its own Return-Path domain, but it's still best practice to include them in your SPF record.
To modify your SPF record, do the following:
- Sing into your domain host (GoDaddy, Cloudflare, Network Solutions)
- Look for your existing SPF record. It should be in a TXT type DNS record.
- If you have a published SPF record, add the following:
- include:spf.mailjet.com
- Make sure you only have one SPF record. Below is an example of how your SPF record should look like if you were to include Mailjet in your current SPF record.
| Domain | DNS Type | Host | Value |
| example.com | TXT | @ | v=spf1 include:spf.protection.outlook.com include:spf.mailjet.com ~all |
Please Note: Mailjet's SPF may not align with your domain because of how they handle the Return-Path. That's expected. DKIM usually takes care of DMARC alignment.
DKIM SETUP FOR MAILJET
DKIM (DomainKeys Identified Mail) lets Mailjet sign your messages so recipients can confirm they really came from your domain. It's essential for passing DMARC.
To enable DKIM for Mailjet, do the following:
- Login to Mailjet.
- Go to Account Settings >Domain & DNS
- Add your sending domain if it's not already listed.
- Mailjet will generate a TXT record for DKIM.
DKIM KEY LENGTH CONSIDERATIONS
The security of your DKIM signature depends partly on the key length you choose. Mailjet allows you to regenerate keys with different encryption strengths.
- 1024-bit: The most commonly used. Still widely accepted by most email providers.
- 2048-bit: Provides stronger encryption and better protection against evolving security threats. Most organizations now consider this the standard.
- 4096-bit: Extremely strong but rarely used. It may exceed DNS character limit and could introduce performance issues.
Start with a 2048-bit DKIM key if your domain host supports it. This offers strong protection against spoofing and is increasingly becoming the industry standard. Plan to rotate your DKIM key's periodically to maintain security hygiene.
Please note: As of April 25, 2024, Mailjet automatically creates 2048-bit DKIM keys for new domain. However, existing domains won't need to update unless manually regenerating they keys.
To regenerate:
- Navigate to Account > Domains & Sender addresses > SPF/DKIM Authentication.
- Click Regenerate Key under the DKIM section.
- Choose your desired bit rate (1024,2048, or 4096)
- Confirm and proceed.
Note: The regenerate key option will only be available if the entire domain is validated. If only a sing email address has been verified, this option will be grayed out.