How-to · Vendor de-authorization
Remove an email vendor from your domain
Step-by-step DNS edits for the email vendors most teams accumulate over time. Each guide covers the SPF include, DKIM selectors, and any CNAMEs the vendor publishes so the de-authorization is complete - not just half-removed.
Not sure which vendors you have? Run a vendor-consolidation report on your domain first - it lists every third party authorized across SPF, DKIM, MX, and DMARC, with a blast-radius rating per vendor.
Need a one-page reference?
The de-authorization cheatsheet lists every vendor below in a single table - SPF include, DKIM selectors, tracking CNAMEs, and the one gotcha per vendor that bites operators mid-cutover. Open it in another tab while you edit DNS.
- Transactional
How to remove SendGrid
Remove the sendgrid.net SPF include + DKIM selectors + tracking CNAMEs.
- Transactional
How to remove Mailgun
Remove the mailgun.org SPF include + the per-domain DKIM key + tracking subdomain.
- Marketing
How to remove Mailchimp (+ Mandrill)
Remove the servers.mcsv.net SPF include + k1/k2/k3 DKIM selectors. Mandrill (transactional) has a separate authorization.
- Marketing
How to remove HubSpot
Remove the hubspotemail.net SPF include + the hs1-/hs2- DKIM selectors + tracking subdomain CNAMEs.
- Marketing
How to remove Klaviyo
Remove the _spf.klaviyo.com SPF include + DKIM selector + bounce-handling subdomain.
- Transactional
How to remove Amazon SES
Remove the amazonses.com SPF include + the per-domain DKIM CNAMEs.
- Transactional
How to remove Postmark
Remove the spf.mtasv.net (or postmarkapp.com) SPF include + selector + DKIM record.
- Marketing
How to remove Marketo (Adobe)
Remove the mktomail.com SPF include + the per-instance DKIM + bounce subdomain.
- Transactional
How to remove Zendesk
Remove the zendesk1/zendesk2 DKIM CNAMEs + the support.* subdomain CNAME pointing at Zendesk.
- Marketing
How to remove Salesforce Email (incl. Pardot, Marketing Cloud)
Remove the salesforce.com / pardot / exacttarget SPF includes + per-org DKIM selectors.
- Marketing
How to remove Constant Contact
Remove the spf.constantcontact.com SPF include + the cc-<token>* DKIM CNAMEs + the click subdomain.
- Marketing
How to remove Brevo (formerly Sendinblue)
Remove the spf.brevo.com (+ legacy spf.sendinblue.com) SPF include + the mail._domainkey DKIM TXT + the tracking subdomain.
- Marketing
How to remove ConvertKit (Kit)
Remove the _spf.kit.com (+ legacy _spf.convertkit.com) SPF include + the per-account ck1 / ck2 DKIM CNAMEs + the sending-subdomain CNAME.
- Marketing
How to remove Iterable
Remove the mail.iterable.com (or _spf.iterable.com) SPF include + the per-tenant iter1 / iter2 DKIM CNAMEs + the click-tracking + bounce subdomains.
- Marketing
How to remove Customer.io
Remove the _spf.customer.io SPF include + the cio1 / cio2 DKIM CNAMEs + the tracking + return-path subdomains. Deauthorises BOTH marketing + transactional paths.
Don't see your vendor?
We start with the vendors that show up in the most domains in our spoofability index crawl. If you need a guide for one we haven't covered, the general pattern is the same: remove the SPF include:, remove the DKIM selectors, remove any tracking / bounce CNAMEs. The vendor's own docs almost always list the exact records they ask you to publish - reverse those.