Deauthorize marketing vendor
How to remove Constant Contactfrom your domain's SPF and DKIM
Constant Contact publishes authentication via an SPF include + two CNAMEs that resolve into DKIM keys + an optional click-tracking subdomain. Removing all four takes around 10 minutes in your DNS provider's console. Most operators only spot the SPF include in their /vendor-consolidation report and miss the tracking subdomain - this guide covers both.
When you'd want to do this
- Migrated to a different marketing-email platform (Mailchimp, HubSpot, Klaviyo) but never removed the Constant Contact DNS.
- Bought a business / domain that came with Constant Contact pre-configured by the seller.
- Cancelled the subscription but the DNS records were left behind, leaving the apex authorising a vendor with no active account.
- Consolidating to one marketing-email vendor to reduce per-vendor compromise surface.
What Constant Contact adds to your DNS
You need to remove every record below for the de-authorization to be complete. Removing only the SPF include: but leaving DKIM keys published is still a partial authorization - the vendor can sign mail as your domain even without SPF alignment if the recipient has a permissive DMARC policy.
| Type | Host | Look for |
|---|---|---|
| TXT | apex (example.com) | include:spf.constantcontact.com The SPF include. Remove just this token from your existing v=spf1 record; leave the rest of the record alone. |
| CNAME | cc-<token>._domainkey.example.com | cc-<token>.dkim.constantcontact.com Constant Contact DKIM selector. The token is account-specific (a short hex string). Delete the whole record. |
| CNAME | cc-<token>2._domainkey.example.com | cc-<token>2.dkim.constantcontact.com Second DKIM selector for key rotation. Same account-specific token. Delete the whole record. |
| CNAME | click.example.com (or mail.example.com) | pages.ctctcdn.com (or constantcontactpages.com) Click-tracking subdomain. Mail still sends without this, but you should remove it - it is dead infrastructure once the SPF + DKIM are gone, and the CNAME continues to point at Constant Contact servers. |
Step-by-step
- Stop sending through Constant Contact first. Check every app, webhook, and automation that hits the vendor's API or SMTP. Pause those before touching DNS - if you flip the DNS first you'll just spend a week chasing bounces from a vendor that's still wired up on your application side.
- Remove the DKIM record(s) at the hosts listed above. Removing DKIM first means any mail still queued from Constant Contact fails alignment, which is the safer failure mode - the receiver quarantines or rejects rather than silently delivering signed-as-you mail from a vendor you no longer control.
- Remove the SPF include. Open your SPF TXT record at the apex. Look for the exact
include:entry shown above. Remove the entire token (including theinclude:prefix). Leave the rest of the record untouched. Verify the byte-count of the record is now under 450. - Remove the CNAMEs, if any. CNAMEs for tracking domains and return-paths are dead weight once the vendor is gone; some DNS UIs surface them as "orphan records" later if you forget.
- Wait for propagation. 1-4 hours for most providers. The old SPF entry stays cached at receivers for the TTL you published (often 5 min - 1 hour).
Verify it's gone
Run a vendor-consolidation report on your domain. Constant Contactshould be gone from the vendor list. If it's still showing under SPF or DKIM, the DNS edit either didn't save or hasn't propagated yet - re-check in 30 minutes.
You can also do a manual spot-check with dig TXT example.com (replace with your domain). The output should no longer show the Constant Contact include.
What you'll lose
Anything still going through Constant Contact starts failing DMARC alignment after the DNS records are gone. Gmail and Yahoo (which enforce DMARC strictly for bulk senders) will quarantine or reject those campaigns.
The Constant Contact account itself stays open - if you change your mind, re-publish the DNS and traffic resumes. Stop the subscription separately in Constant Contact billing settings if you do not plan to come back.
Common gotchas
Find every list that sends through Constant Contact first. Newsletter lists, automated welcome sequences, transactional campaigns. The Constant Contact dashboard lists them under Contacts -> Lists. Confirm nothing important sends from there before removing DNS.
Constant Contact also publishes a return-path subdomain for bounce handling on some accounts (typically bounce.example.com or return.example.com). Check your DNS for any subdomain CNAME pointing at ctctcdn.com or constantcontact.com and remove those too - leftover bounce CNAMEs route delivery-failure mail back through Constant Contact infrastructure even after the SPF / DKIM are gone.
Long-tail historical campaigns. Archived campaigns may still have unsubscribe links pointing at Constant Contact tracking subdomains. Those will 404 after the CNAME is removed. Acceptable for most operators (the campaigns are old), but worth noting before flipping DNS if you have compliance retention obligations.
Just want to rotate keys instead?
If you're keeping Constant Contact but want to rotate credentials (a stronger move than just changing the API key - it forces all old DKIM signatures invalid), do it from the vendor side first: Constant Contact console →
While you're here: audit the rest
The median domain we've analyzed has 6 vendors authorized in DNS and 3 of them can send mail as you. If you just removed one, see who else is on the list.
Run a vendor-consolidation report →