MailChimp domain authentication guide with CloudFlare

How to Authenticate a Domain Name on MailChimp Using CloudFlare (CNAME Bypass Solution)


This visual guide shows you (step-by-step) how to authenticate a domain name on MailChimp while using CloudFlare as your DNS manager (free plan). The solution includes a workaround for the CNAME flattening problem.

If you are trying to authenticate your domain name on MailChimp so that your domain appears in the "from" field of MailChimp emails, this guide answers that question completely. The visual guide includes mostly pictures to walk you through the entire process.

If you are tech savvy and know what you are doing then the TL;DR version below will suffice.

If you are not experienced with DNS zone files or nervous about breaking something, I recommend reading the entire guide. If you like, you can skip the preface and go directly to the steps portion.

If you need help or found something wrong with my guide, please leave a comment at the bottom and I will try to address it.

TL;DR Version: How to authenticate your domain on MailChimp using CloudFlare

Below is a condensed version of the entire guide: a table of steps for completing the domain authentication quickly and easily using MailChimp and CloudFlare.

Step 1: Log into MailChimp and go under Account > Settings > Verified domains. Verify the domain using the email address related to the domain name.
Step 2: On the same verified domains page on MailChimp, click on View setup instructions to get the DNS entries you have to add on CloudFlare.
Step 3: Log into CloudFlare and click on the blue DNS button on the top menu to access your zone file for the domain name in question.
Step 4: Create new DNS records with the following values:
  • CNAME: (name), (value)
  • TXT: (name), v=spf1 ?all (value)
Once the entries are added, click the orange cloud icon on the CNAME entry so that it looks like a gray cloud.
Step 5: If you are a CloudFlare Pro (or above) user, on the DNS page scroll down to the CNAME Flattening section and choose Do not flatten CNAMEs from the drop-down menu on the right.

If you are a CloudFlare free user, you won't see the CNAME option as it is a paid feature. Temporarily upgrade your account to the Pro version so that you have the CNAME options drop-down available. Once you do, complete the rest of this step.
Step 6: Confirm you have entered the correct DNS records and flattening options. Then, go back to the MailChimp domain authentication popup and click "Authenticate domain." This should work.

Note that it takes between 5 - 60 minutes for your CloudFlare DNS changes to propagate. If it didn't work right away, just wait some time.
Step 7: Go back to the CloudFlare DNS settings page and click the gray cloud next to your newly created CNAME entry so that traffic flows through CloudFlare again (it should be orange after you click it). Scroll down to CNAME Flattening and select Flatten all CNAMEs again. Downgrade CloudFlare if you don't want to stay on Pro (optional).
All done! That's it. Note that once you successfully authenticate your domain, it doesn't break the confirmation if you remove the DNS records or change other DNS settings.


I recently set up a new personal MailChimp account to send mass emails to people on my list. To keep my email inbox tidy and avoid too many replies in my personal inbox I set up a generic email address through my domain -

I also wanted to have MailChimp show my email address to recipients of my emails. When I sent out my first test email, I noticed that the emails didn’t come from my domain name. Instead, they came from a default MailChimp server address: “”

Example of a MailChimp email without domain verification

Generic "from" field - Without verifying your domain name through MailChimp, recipients see a generic from address.

I went to my MailChimp dashboard to address this and saw that there was a whole domain verification process you had to go through. Basically, MailChimp asked for two things in order to verify the domain name belongs to me:

  • Verification. Verification is simply confirming that the domain name that you are sending emails from belongs to you. This is a simple process of clicking a confirmation link in your email from the intended address.
  • Authentication. This step proved to be a little more tricky. They asked me to create a few DNS records to prove that I also have control over the domain name.

The following guide will explain step-by-step how to verify and authenticate your domain name while using CloudFlare, a popular DNS manager.


Why you should authenticate your domain name for MailChimp

I debated whether it was worth the trouble in the first place to authenticate it, so I did more research and found out that it was a really good idea indeed. Here are the main reasons why you should authenticate your domain name (some information from MailChimp included).

  • Domain authentication improves the likelihood that your emails will be sent to your recipients in the first place (and not in spam or junk folders)
  • The authentication acts as a “license plate” for your sent email and ensures you are a legitimate party
  • It removes the default MailChimp server information (as seen in the first screenshot)
  • Domain authentication helps brand your emails with your domain name, boosting credibility

Email providers are beefing up security standards

Additionally, popular email clients such as Gmail are starting to take email-related verification and security very seriously. In February of 2016 Google rolled out padlock alerts in Gmail, which are designed to tell users that the email address of the sender is not encrypted using TLS.

Gmail's padlock warning - If an email sender doesn't meet Gmail's encryption standards, the user may see a padlock warning with a red question mark. Source: Google blog

As the image shows, emails that don’t pass Google’s encryption standards show the red “?” and may display a warning when you try to reply. If you try to send mail and the sender is unverified, the person’s inbox may show an additional warning:

Gmail's phishing notice - If an email sender doesn't verify their domain ownership, recipients may see a phishing notice label, discouraging people from opening it.

When users get inbox warnings like this they will be less likely to open your emails (if they see them at all). Additionally, users that are not email savvy may report it as phishing - which will surely hurt your email open rates.


The drawbacks of other guides I tried to solve this problem

Before taking the time to write this post, I tried to follow the other guides I could find online about how to add these records and authenticate the domain name in MailChimp. Let’s review what other guides have instructed about doing this.

MailChimp’s KB Article

MailChimp’s KB article on setting up custom domain authentication is pretty comprehensive, but it doesn’t take into account the nuances of CloudFlare’s DNS defaults and settings.

CloudFlare’s support articles on adding DKIM and SPF records

CloudFlare’s documentation (for SPF records and DKIM records) also includes step-by-step instructions on adding these records, but it fails to mention one important nuance related to CNAME flattening (which is important for MailChimp setup).

Simon East’s MailChimp DKIM verification guide

Simon East published a post on Medium where he detailed steps to bypass the CNAME problem that CloudFlare has with domain name verification. However, the steps in his post don’t apply to free CloudFlare users because free users don’t get CNAME options.

Simon East's CNAME solution - Simon's post detailed steps to work around CloudFlare's CNAME flattening issue. Source: Simon East via Medium

I must admit that I thought Simon's post was the best I read and it did give me enough information to find the remainder of the solution. Hats off to Simon!


Steps to authenticate your domain name in MailChimp using CloudFlare (free plan)

As I mentioned in the title of the post, this guide applies to users who use CloudFlare as their DNS provider. However, this guide may work for other DNS providers as well. If you are using CloudFlare Pro or higher, you can skip step 5a.


Step 1: Log into MailChimp and verify your email address

The first thing you need to do is log into MailChimp by going to their website and clicking the “Log in” button on the top-right of the screen.

Logging in to MailChimp - Log in to MailChimp by visiting their website and clicking "Log in" on the top-right of the screen. Source: MailChimp

Next, click on your name on the top-right and a drop-down menu will appear where you have to click on “Account.”

Accessing your verified domains on MailChimp - Click on the account menu on the top-right to access the domain verification area. Source: MailChimp

Once you are on your account dashboard, click Settings > Verified Domains.

Accessing your verified domains on MailChimp - Click on settings and then "verified domains" to get to your domain authentication page. Source: MailChimp

Then, click on “Verify A Domain” at the bottom of the page.

Verifying a domain on MailChimp - Click on the "Verify A Domain" button to start the verification process. Source: MailChimp

In the popup, enter the email address you have access to and ensure it has the correct domain name that you want to verify (

Verifying a domain on MailChimp - Start the domain verification process by entering the email address associated with the domain. Source: MailChimp

After clicking "Send Verification Email", go to your email and find the email from MailChimp Account Services. There should be a code at the bottom. You can now verify your email address in one of two ways:

  • 1. Click the “Verify domain” button
  • 2. Copy and paste the verification code into MailChimp

The pictures below show both ways of doing it.

Gmail verification - Click "Verify Domain Access" in the email from MailChimp to verify the domain you own.

MailChimp code verification - Enter the code you received at the bottom of the MailChimp email into the "Verify Domain" box on MailChimp. Source: MailChimp

Either way you choose, it does the same thing.

At this point, you should be on the MailChimp account > domains page and you should see a green checkmark next to the “verification” list item. This means that your email is verified and it’s time to move on to the authentication portion.

MailChimp email verification confirmation - Once verified, MailChimp will show a green checkmark next to "verification." Source: MailChimp


Step 2: Begin the process of domain “authentication”

On the same screen as before, click on the “View setup instructions” button and another popup will come up. It will ask you to authenticate your domain by entering two records in your DNS zone file:

  • DKIM: CNAME entry for
  • SPF: TXT record for

MailChimp's DNS instructions - MailChimp gives you two DNS records you have to add in your zone file to authenticate your domain name. Source: MailChimp

If you try to click authenticate without taking any action, you will see the following error:

No dice - If your authentication fails, MailChimp will give you a red error label letting you know. Source: MailChimp

So, we now have to log into CloudFlare and set up the required records.


Step 3: Log into CloudFlare and go to DNS settings

Go to CloudFlare's website and click the “Login” button on the top-right of the screen.

CloudFlare login page - Go to CloudFlare's website and click "login" on the top-right of the screen. Don't mind the pretty redhead, she won't help you authenticate your domain name. Source: CloudFlare

Once you are logged in, click on the blue “DNS” icon in the top menu area:

CloudFlare dashboard - Click the blue "DNS" icon on the top-left of the navigation menu. Source: CloudFlare

You should now be looking at the DNS page as shown below:

CloudFlare DNS dashboard - The DNS dashboard is where you enter and edit zone records for your domain name. Source: CloudFlare


A few words of caution

DNS zone records are extremely important for your website to work properly, so if you don’t know what you are doing, do not click anything other than what is listed in this guide. You can break something, and if you don’t know how to fix it ASAP you may be in some trouble.

Additionally, if you have a stranger helping you set this up and they ask for your zone file, never send them your origin IP address (the internet address where your server is). Always redact it; otherwise someone can DDoS you and CloudFlare won’t be able to “stand in front of your site.”

Finally, never disable the orange cloud on the record where your server IP address is. This is how CloudFlare hides it for you in the first place.


Step 4: Enter the correct DNS records into CloudFlare’s zone file

Now it’s time to enter your new DNS records that MailChimp previously provided you. For your convenience, the records are displayed below. Just replace “” with the actual domain name you verified in the email step.

MailChimp domain authentication - DNS records

Use the DNS values below when entering them into CloudFlare. Do NOT use a TXT record for the DKIM value and do NOT use an SPF record for the SPF value (use TXT instead).

TXT v=spf1 ?all

Step 4a. Entering the DKIM record

For the DKIM record, select CNAME from the add record part of the page and enter your values. It should look like this before you click “Add Record.”

Adding a CNAME entry - Add the CNAME entry with the correct values from MailChimp. Source: CloudFlare

Once you have added it, click the little orange cloud on the right. After you click it, it should be gray.

CloudFlare DNS and the orange cloud - Click the cloud icon to turn off the DNS resolution for this entry. Source: CloudFlare

Important note: When you enter CNAME records in CloudFlare the second half of the “Name” portion doesn’t get displayed. I initially thought that CloudFlare was stripping out the “” portion, but it just truncates the entry.

Trimmed CNAME entry - CloudFlare trims the full CNAME entry in your DNS view, as evidenced by the fact that half of it shows up. Source: CloudFlare

To verify this is the case, you can click on the black “X” next to the records and you will see a confirmation box that lists the entire record.

Checking the CNAME entry - CloudFlare trims the full CNAME entry in your DNS view, but by clicking delete you can verify the entire entry was added. Source: CloudFlare

You can safely click Cancel on this screen.

Now, some guides say that you don’t have to enter a CNAME record for DKIM values and can use a TXT record instead. I tried this and it did not work, so stick with the CNAME.


Step 4b. Entering the SPF record

For the SPF record, select TXT from the add record part of the page and enter your values. It should look like this before you click “Add Record.”

Adding a TXT entry - Add the TXT entry with the correct values from MailChimp for SPF. Source: CloudFlare

CloudFlare lists SPF as an option in the record type. Do not select SPF as the record type. I tried it and it did not work. Once you have entered the correct value, click "Add Record" and you are done with this portion.

You may think that you are done, but when you try to verify your new records through MailChimp, you may receive this fatal error.

No dice - If your authentication fails, MailChimp will give you a red error label letting you know. Source: MailChimp

This is because we are not done yet. There are a few more steps to go through.


Step 5: Disable CNAME flattening

This is the part that most guides neglect to mention. You have to disable CNAME flattening through CloudFlare. It turns out that CloudFlare started flattening CNAMEs by default as of March 31, 2014. You can read their blog post about it here.

So, you have to go back to CloudFlare’s DNS page and scroll down to the bottom portion where it says CNAME Flattening. It should look like the image below:

CloudFlare CNAME Flattening options - If you are on CloudFlare Pro or above, you will see a CNAME Flattening section with a drop-down menu on the right. Source: CloudFlare

Skip this step if you are already on CloudFlare Pro (or above): If you are already a CloudFlare Pro or above user, you can skip 5a and go directly to 5b.

If you are like me, you didn’t see any options there. If you are a CloudFlare free user then you don’t have CNAME controls like the other plans do (tricky, huh?).

Missing CloudFlare CNAME Flattening options - If you are missing the drop-down to change your CNAME options, it's because you are on the free plan. Source: CloudFlare

I did not find a workaround for bypassing this on the free tier, so here is my recommendation: sign up for a CloudFlare Pro account ($20/month) and downgrade after you have completed MailChimp’s verification.

MailChimp’s verification seems to stick even after you downgrade (and revert back to CNAME flattening).


5a. Free users only - sign up for CloudFlare Pro and downgrade later because you only have to authenticate the domain once

Now, as a free user you don’t have any CNAME options at your disposal. So, you need to go through the steps to sign up for a Pro account.

Click on the pricing page and select GET PRO from the options table to start the checkout process. If you are already logged in to CloudFlare and are redirected back to the “Overview” page, scroll down to the bottom under Subscription and click on the blue “Change Plan” button on the right.

CloudFlare pricing options - CloudFlare plans start at $20/month and go up to more than $5,000.00 per month for the enterprise version. Source: CloudFlare pricing

Changing your CloudFlare plan from the overview page - Scroll down to the bottom of the overview page and find the blue button to change your plan. Source: CloudFlare

Go through the three steps of the checkout process and get back to your DNS page.

CloudFlare checkout process - Follow the standard and easy-to-use checkout process to upgrade from a free plan to a Pro plan - or above. Source: CloudFlare

Now that you are a CloudFlare Pro user, you can head back to the DNS page and scroll down to the bottom CNAME Flattening portion.


5b. Change your CloudFlare DNS settings to “Do not flatten CNAMEs”

Now, from the CNAME options drop-down, select “Do not flatten” as your option. The changes save automatically so there is nothing else you need to do.

Disable CNAME flattening in CloudFlare - Select "do not flatten" from the drop-down menu in order to disable this functionality. Source: CloudFlare


Step 6: Confirm proper settings

Before moving forward, let’s confirm that you have done everything correctly. Below is the checklist you should go through to ensure that you are ready for MailChimp to run its authentication.

  • 1. CNAME record with gray cloud
  • 2. TXT record (NOT SPF) with SPF value
  • 3. CNAME flattening is disabled
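
The checklist above can also be confirmed from DNS itself before clicking “Authenticate Domain.” The Python below is an added example, not part of the original guide or of MailChimp's or CloudFlare's tooling: it reads `dig +noall +answer` output and flags a DKIM name that answers with addresses instead of a CNAME (proxied or flattened) and a missing or duplicated SPF TXT record. The domain, CNAME target and SPF include are placeholders, the SPF TXT record is assumed to sit at the root of the domain, and the k1._domainkey name is the one quoted in a reader comment below.

```python
import shlex
import subprocess

# Placeholders (assumptions, not values from the guide): copy the real name
# and value of each record from MailChimp's "View setup instructions" popup.
DOMAIN = "example.com"
DKIM_NAME = "k1._domainkey." + DOMAIN       # selector as quoted in a reader comment
DKIM_TARGET = "dkim.mail-provider.example"  # placeholder CNAME value
SPF_NAME = DOMAIN                           # assumption: SPF TXT sits at the root
SPF_INCLUDE = "spf.mail-provider.example"   # placeholder include: host

MESSAGES = {
    "DKIM_NOT_CNAME": "DKIM name answers with addresses: proxied or flattened",
    "DKIM_MISSING": "no CNAME found at the DKIM name",
    "DKIM_WRONG_TARGET": "DKIM CNAME points at an unexpected target",
    "SPF_MISSING": "no v=spf1 TXT record found",
    "SPF_MULTIPLE": "more than one v=spf1 TXT record (SPF permanent error)",
    "SPF_NO_INCLUDE": "SPF record lacks the provider's include: term",
}


def dig(name, rtype):
    """Live lookup with the dig CLI (needs network); returns answer lines."""
    out = subprocess.run(["dig", "+noall", "+answer", name, rtype],
                         capture_output=True, text=True, timeout=10)
    return out.stdout


def parse_answers(text):
    """Map (owner name, type) -> list of rdata from dig answer-section lines."""
    records = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 4)
        if len(parts) < 5 or parts[0].startswith(";"):
            continue  # skip blanks, comments and malformed lines
        name, _ttl, _cls, rtype, rdata = parts
        rtype = rtype.upper()
        if rtype == "TXT":
            # A TXT answer may be split into several quoted strings; join them.
            rdata = "".join(shlex.split(rdata))
        else:
            rdata = rdata.rstrip(".").lower()
        records.setdefault((name.rstrip(".").lower(), rtype), []).append(rdata)
    return records


def check(records, dkim_name=DKIM_NAME, dkim_target=DKIM_TARGET,
          spf_name=SPF_NAME, spf_include=SPF_INCLUDE):
    """Return a list of problem codes; an empty list means the checklist passes."""
    codes = []
    cnames = records.get((dkim_name, "CNAME"), [])
    addrs = records.get((dkim_name, "A"), []) + records.get((dkim_name, "AAAA"), [])
    if not cnames and addrs:
        codes.append("DKIM_NOT_CNAME")
    elif not cnames:
        codes.append("DKIM_MISSING")
    elif cnames != [dkim_target]:
        codes.append("DKIM_WRONG_TARGET")

    spf = [t for t in records.get((spf_name, "TXT"), [])
           if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if not spf:
        codes.append("SPF_MISSING")
    elif len(spf) > 1:
        codes.append("SPF_MULTIPLE")
    elif "include:" + spf_include not in spf[0].lower().split():
        codes.append("SPF_NO_INCLUDE")
    return codes


# Constructed sample answers (not captured from a real zone).
GOOD = """
k1._domainkey.example.com. 300 IN CNAME dkim.mail-provider.example.
example.com. 300 IN TXT "v=spf1 include:spf.mail-provider.example ?all"
"""
BAD = """
k1._domainkey.example.com. 300 IN A 192.0.2.10
example.com. 300 IN TXT "v=spf1 include:spf.mail-provider.example ?all"
example.com. 300 IN TXT "v=spf1 include:other.example ~all"
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD)):
        codes = check(parse_answers(text))
        print(label, "OK" if not codes else "")
        for code in codes:
            print("  ", code, "-", MESSAGES[code])
```

For a live check, pass `dig(DKIM_NAME, "CNAME") + dig(DKIM_NAME, "A") + dig(SPF_NAME, "TXT")` to `parse_answers` after replacing the placeholders.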

If you have confirmed that everything is correct, head back over to MailChimp’s domain authentication page and click “Authenticate Domain.”

If you entered everything correctly, clicking the button should close the popup and you should see a green checkmark next to the “Authentication” list item.

Confirmation of your newly authenticated domain - You will see a green checkmark next to the "authentication" list items if you did it correctly. Source: MailChimp

If this worked for you, then skip to step 7 for the last item.


Troubleshooting: You may have to wait between 5 to 60 minutes for the DNS changes to propagate

This was a problem for me, so you may need to wait some time. I conducted several experiments to see how long it takes to authenticate after changing the CloudFlare settings to the right ones.

DNS propagation with the right settings took between 5 - 60 minutes after doing several tests.

So, if it didn’t work initially just grab a coffee or call your mother to pass the time. After time has passed, try it again and it should work.

Important note: If you are impatient like me and tried to change the settings on CloudFlare back and forth (over and over again), it will just take longer. You are better off trying the solution with the wait time.


Step 7: Flatten CNAME again

Great, you have authenticated your domain name! But don’t leave just yet, we have to do some security-housekeeping first. Keep in mind that CloudFlare has default and recommended security settings for a reason: to keep your website safe.

So, you should go back to your CloudFlare DNS page and do the following two items:

  • Click the orange cloud next to your newly created CNAME entry to flow the traffic through CloudFlare and not the IP address
  • Flatten CNAMEs again by selecting it from the CNAME drop-down

Note that doing this will not break the authentication from MailChimp. This may change in the future, but as of this writing it works.

Now, you have the option to downgrade to CloudFlare free again, and I believe that they will only pro-rate your charges for a day out of the month (not sure though). However, I strongly recommend any person serious about their website to use CloudFlare Pro.

Here are some good reasons to keep it:

  • Page rules: You get an upgrade from 3 to 20 page rules. These are really handy for quick 301s and other settings. Cache bypass is great while projects are in development mode, for example.
  • Web application firewall: This is great for security.
  • Image optimization with Polish: This is a nice speed feature.
  • Faster support: Median two-hour support reply as opposed to 13 hours.
  • And more…

You can compare the features here, but I strongly recommend sticking with the Pro plan.

So, you are now done with the guide. When you blast your next email campaign your recipients will surely see a beautiful “from” value:

MailChimp email with an authenticated domain name - Once your domain name is authenticated, Gmail will show YOU as the from address, not MailChimp's default server.


Help me improve this guide

If you liked this guide, consider helping me improve it by leaving a comment at the bottom. If there was a mistake or something didn’t work correctly, let me know as well so that I can update this guide for other people to use.

If you liked this post and would like other useful ones, please consider signing up for my email newsletter and .

Happy emailing!





John Rivers Mar. 20, 2017 10:21 PM
Thanks for posting

Yoram Nov. 5, 2017 7:35 AM
I followed your guide, but the "do not flatten CNAME" trick does not work. CloudFlare does not accept this CNAME.... They have probably closed this loophole.

Boban Dedovic Nov. 21, 2017 8:18 PM
Yoram, thanks for commenting. Sorry to hear it didn't work. I am planning on updating the guide this weekend. Thanks!

Jessica Nov. 7, 2017 7:57 AM
Great guide. I am having the following error though when entering the DKIM record: DNS Validation Error (Code: 1004): Invalid proxied mode. Record cannot be proxied (Code: 9041). The only way I was able to surpass this error was to turn off the orange cloud, BEFORE adding the record. With that, you can't turn it back on as per the guide instructions to "Click the orange cloud next to your newly created CNAME entry to flow the traffic through CloudFlare and not the IP address" because there is no cloud to click. I was able to verify through Mail Chimp, but not sure how this will affect things.

Boban Dedovic Nov. 21, 2017 8:21 PM
Jessica, thanks for reading the guide and commenting with a workaround for that. I think CloudFlare made an update that tried to close this loophole. I am going to explore your solution and update the guide if it works. If it does, I would like to give you credit for it. Just drop me your Twitter or website in the contact form if you would like credits for the update. Thanks again, Happy Thanksgiving.

Kelley Nov. 17, 2017 7:25 PM
Thanks, you were a huge help. I found I had to click the orange cloud to turn it gray before I added the record, else I got an error message. Also, the CNAME flattening box in the free account now says that they only flatten the CNAME at the root of the domain. Whatever that means, I was able to authenticate my domain without doing anything further.

Boban Dedovic Nov. 21, 2017 8:23 PM
Kelley, thanks for commenting. I'm glad you got it figured out. A few people commented that turning the cloud gray temporarily worked. Glad you got it figured out, I will update my guide accordingly. Thanks.

Ricardo Nov. 21, 2017 3:18 PM
Thanks for great post.
Have a question:
After verify domain (with mail ) and authenticate (with cname and dkim dns records) everything works well but have a problem. The MailChimp should only allow sending through the but allows from any address from domain I can change from to and MailChimp not check and mail is sent and correct. The domain was validated by ... Is there a way to solve this? only happens to me?

Boban Dedovic Nov. 21, 2017 8:31 PM
Ricardo, thanks for commenting. It seems like you are saying that you verified the domain successfully (congrats!) but are concerned about the fact that different emails 'hello' vs 'ceo'(at) work without further authentication.

If I understand you correctly, then I would say that this is how MailChimp works and there is no further authentication required. This process only verifies the domain name (the @mydomain portion).

This means that any email address within the domain will work without further authentication.

I can tell you, however, that MailChimp does have some limitations on role-based emails—but I think those only apply to lists, not outgoing emails. You can read more about that here:

Hope this helps, thanks!

Ricardo Nov. 22, 2017 12:10 AM
Yes, that's right. in my opinion it is a major security flaw and I do not understand how mailchimp can work this way. after putting the dns registrations anyone in the xxx domain can create an account in mailchimp and check your mail and send with any other email account of that domain.

Boban Dedovic Feb. 1, 2018 1:43 PM
If you are unhappy with what they provide, I recommend checking out Constant Contact. It’s a good alternative.

Giuseppe Ciranna Nov. 23, 2017 11:07 AM
Thanks Boban, you really saved the day.

Boban Dedovic Feb. 1, 2018 1:43 PM
Thank you!

Richard Jan. 16, 2018 2:37 AM

Thank you for this guide, just follow it and it works ;-)

However, I have the same issue as Jessica with the DKIM record: DNS Validation Error (Code: 1004): Invalid proxied mode. Record cannot be proxied (Code: 9041)

I was able to confirm the domain with mailchimp

Piet Lesage Jan. 19, 2018 10:22 AM
Hi Boban,

Thanks for the guide. I encounter a problem at step 4.a. When I try adding the CNAME record, CloudFlare throws an error for the k1._domainkey.yourdomain value “invalid hostname: use ”@“ to represent the root domain”. Any suggestions as to what’s going on?

Jason Jun. 5, 2018 11:25 AM
I'm having the same issue as Piet

Dave Feb. 1, 2018 10:24 AM
Hi Boban, I just wanted to say thank you for such a comprehensive guide. It was super-useful to follow along and get everything set up. Thanks!

Boban Dedovic Feb. 1, 2018 1:45 PM
Dave, no problem—I’m glad it worked for you.

Jaemin Mar. 8, 2018 11:07 AM
Thanks so much for this guide!

I can confirm what others have said - Cloudflare now forces you to turn off the orange cloud BEFORE you enter the record.

However, I was still able to verify without any problem after that (and without having to flatten CNAMES or get a Cloudflare Pro account).

Just curious, but is it dangerous for me to leave the CNAME and TXT records without a gray cloud now? (There's no option to turn it orange again). Should I delete those records now that Mailchimp has authenticated me, or is it safe to leave them as is?

Randy Apr. 21, 2018 10:54 AM
First of all, a BIG thank you to Boban for taking the time to clearly list out all the steps for this process, very much appreciated.

I also want to thank Jaemin & confirm that I was able to skip step 5 (upgrading to pro & flattening CNAMES) by following the steps above (change cloud from orange to grey before saving the CNAME record).

I was able to successfully verify the authentication on MailChimp immediately, although the fact that I did this on Saturday early afternoon EST, (low web traffic) may be the reason that I did not have to wait 5+ minutes.
