Deauthorize marketing vendor
How to remove Klaviyofrom your domain's SPF and DKIM
Klaviyo (e-commerce marketing automation) publishes a per-account SPF include, two DKIM CNAMEs, and a bounce-handling subdomain CNAME. Common to inherit when buying a Shopify store with prior marketing setup.
When you'd want to do this
- Migrated e-commerce stack and the new platform handles email natively.
- Closed a Shopify store but kept the underlying domain.
- Marketing team consolidated to a single ESP and Klaviyo lost the bake-off.
- Klaviyo trial expired or was never adopted past the setup phase.
What Klaviyo adds to your DNS
You need to remove every record below for the de-authorization to be complete. Removing only the SPF include: but leaving DKIM keys published is still a partial authorization - the vendor can sign mail as your domain even without SPF alignment if the recipient has a permissive DMARC policy.
| Type | Host | Look for |
|---|---|---|
| TXT | apex (example.com) | include:_spf.klaviyo.com The Klaviyo SPF include. Remove the include: token from your v=spf1 record. |
| CNAME | kl1._domainkey.example.com | dkim.<account>.klaviyo.com First Klaviyo DKIM selector CNAME. Account-specific target. |
| CNAME | kl2._domainkey.example.com | dkim2.<account>.klaviyo.com Second Klaviyo DKIM CNAME for key rotation. |
| CNAME | em.example.com or e.example.com (bounce subdomain) | bounce.<account>.klaviyo.com Bounce-handling subdomain. Set during Klaviyo dedicated-sending-domain setup. |
Step-by-step
- Stop sending through Klaviyo first. Check every app, webhook, and automation that hits the vendor's API or SMTP. Pause those before touching DNS - if you flip the DNS first you'll just spend a week chasing bounces from a vendor that's still wired up on your application side.
- Remove the DKIM record(s) at the hosts listed above. Removing DKIM first means any mail still queued from Klaviyo fails alignment, which is the safer failure mode - the receiver quarantines or rejects rather than silently delivering signed-as-you mail from a vendor you no longer control.
- Remove the SPF include. Open your SPF TXT record at the apex. Look for the exact
include:entry shown above. Remove the entire token (including theinclude:prefix). Leave the rest of the record untouched. Verify the byte-count of the record is now under 450. - Remove the CNAMEs, if any. CNAMEs for tracking domains and return-paths are dead weight once the vendor is gone; some DNS UIs surface them as "orphan records" later if you forget.
- Wait for propagation. 1-4 hours for most providers. The old SPF entry stays cached at receivers for the TTL you published (often 5 min - 1 hour).
Verify it's gone
Run a vendor-consolidation report on your domain. Klaviyoshould be gone from the vendor list. If it's still showing under SPF or DKIM, the DNS edit either didn't save or hasn't propagated yet - re-check in 30 minutes.
You can also do a manual spot-check with dig TXT example.com (replace with your domain). The output should no longer show the Klaviyo include.
What you'll lose
Klaviyo flows (welcome series, abandoned-cart, post-purchase follow-ups) stop sending as your domain. They'll either pause in Klaviyo or send from a Klaviyo-owned domain, which goes to spam on most ESPs.
Klaviyo's analytics + segmentation continue working with historical data, but the platform stops being able to talk to your customers.
Common gotchas
Klaviyo selectors vary by account vintage. Older accounts used k1._domainkey and k2._domainkey (same prefix as Mailchimp - confusing). Newer ones use kl1/kl2. Check the actual CNAME target - any CNAME pointing at a host with klaviyo.com in it is theirs.
Shopify integration.If Klaviyo was installed via the Shopify app store, the DNS records were added by the integration. You still need to remove them manually in your DNS provider - uninstalling the Shopify app doesn't touch DNS.
Just want to rotate keys instead?
If you're keeping Klaviyo but want to rotate credentials (a stronger move than just changing the API key - it forces all old DKIM signatures invalid), do it from the vendor side first: Klaviyo console →
While you're here: audit the rest
The median domain we've analyzed has 6 vendors authorized in DNS and 3 of them can send mail as you. If you just removed one, see who else is on the list.
Run a vendor-consolidation report →