Source Guide: Mailchimp Transactional (Mandrill)
This guide describes the process for configuring Mailchimp Transactional to send DMARC-compliant messages. You will need to configure this source, and others that send on your behalf, before advancing your DMARC policies to a more restrictive state, e.g., quarantine and/or reject.
To bring this source into DMARC compliance, you will need access to the Mailchimp Transactional administrative account and the domain’s DNS management console.
From time to time, these instructions change with very little advance notice. Please always refer to documentation hosted by Mailchimp Transactional for the most complete and accurate information.
General information
Mailchimp Transactional is a paid Mailchimp add-on that allows clients to send one-to-one transactional emails triggered by user actions, such as purchases or account activity. Sales and marketing as well as development teams may use this service in your organization. Mailchimp Transactional supports DMARC compliance through DKIM and SPF alignment.
DKIM
To configure DKIM:
- Navigate to Settings in the app and choose Domains
- Type a new domain in the domain input and click Add
- Next to your domain, click View DKIM settings. A modal will appear with instructions for setting up DKIM on your DNS provider. Add a new TXT record with the name mandrill._domainkey.example.com (replace example.com with the domain you’re setting up)
- The value for the record should be one of the options listed below—some DNS providers escape semicolons for you, while others require you to do it when setting up the record.
With semicolons escaped:
v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLHiExVd55zd/IQ/J/mRwSRMAocV/hMB3jXwaH
H36d9NaVynQFYV8NaWi69c1veUtRzGt7yAioXqLj7Z4TeEUoOLgrKsn8YnckGs9i3B3tVFB+Ch/4mPhXWi
NfNdynHWBcPcbJ8kjEQ2U8y78dHZj1YeRXXVvWob2OaKynO8/lQIDAQAB\;
With semicolons unescaped:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLHiExVd55zd/IQ/J/mRwSRMAocV/hMB3jXwaH
H36d9NaVynQFYV8NaWi69c1veUtRzGt7yAioXqLj7Z4TeEUoOLgrKsn8YnckGs9i3B3tVFB+Ch/4mPhXWi
NfNdynHWBcPcbJ8kjEQ2U8y78dHZj1YeRXXVvWob2OaKynO8/lQIDAQAB;
- Once you’ve set up the TXT records for both DKIM and SPF, you can verify that you configured everything correctly by clicking the Test DNS Settings button in the sending domains and tracking and return path domains screens.
Reference: Mailchimp Transactional DKIM directions
SPF
For SPF to align and pass DMARC, you must set up a custom return-path.
To configure SPF:
- Add include:spf.mandrillapp.com to the SPF record for your sending domain in your DNS management console.
- Important note: Mailchimp Transactional REQUIRES include:spf.mandrillapp.com to be present in the SPF record of the FROM domain, whether you use the default authentication of madrillapp.com or choose to configure a custom return-path subdomain to achieve SPF alignment.
You can complete the following steps only if you wish to use a custom return-path (tracking) domain. For DMARC compliance we recommend ensuring that DKIM signing is configured regardless of return-path configuration.
- You can also configure a custom return-path and tracking. Navigate to Settings within mandrillapp.com, and then Domains, Tracking & Return Path Domains.
- In the Mandrill App, enter your custom return-path/tracking domain and click Add.
- In DNS for the sending domain add a CNAME (same name as desired custom return-path/tracking domain) that points to mandrillapp.com.
- Once you’ve set up the TXT records for both DKIM and SPF, you can verify that you configured everything correctly by clicking the Test DNS Settings button in the sending domains and tracking and return path domains screens.
Note: The sending domain will also need to be verified. This can be done by publishing a TXT record or receiving a verification email, as shown in example below:
Reference: Mailchimp Transactional SPF directions
If you have a dmarcian account, it may take a few days to see these changes reflected in the dmarcian platform. You can look in the Detail Viewer (shown below) to check SPF and DKIM alignment required for DMARC.
With a team of email security experts and a mission of making email and the internet more trustworthy through domain security, dmarcian is here to help assess an organization’s domain catalog and implement and manage DMARC for the long haul.
Want to continue the conversation? Head over to the dmarcian Forum.