
Deauthorize marketing vendor

How to remove Mailchimp (+ Mandrill) from your domain's SPF and DKIM

Mailchimp publishes marketing-mail authentication, and its sibling Mandrill (rebranded as Mailchimp Transactional) publishes a separate set for transactional. Removing one doesn't remove the other - they share an account but use different DNS entries.

When you'd want to do this

  • Moved to a different marketing platform (HubSpot, Klaviyo, ActiveCampaign) but never removed the Mailchimp DNS.
  • Mailchimp was set up for a campaign run by a contractor who has since left.
  • Switching all transactional + marketing to a single platform.
  • Mailchimp marketing was deprecated internally but the DNS receipts stayed - common after a 'we'll do it ourselves' moment that never followed through.

What Mailchimp (+ Mandrill) adds to your DNS

You need to remove every record below for the de-authorization to be complete. Removing only the SPF include: but leaving DKIM keys published is still a partial authorization - the vendor can sign mail as your domain even without SPF alignment if the recipient has a permissive DMARC policy.

| Type | Host | Look for |
|------|------|----------|
| TXT | apex (example.com) | include:servers.mcsv.net. The Mailchimp marketing SPF include. Remove the include: token from your v=spf1 record. |
| TXT | k1._domainkey.example.com | v=DKIM1; k=rsa; p=... (Mailchimp key). Mailchimp marketing DKIM. The k1 selector is the standard one for free / paid Mailchimp accounts. |
| TXT | k2._domainkey.example.com / k3._domainkey.example.com | v=DKIM1; k=rsa; p=... Rotated Mailchimp keys. Older accounts may have one or both; remove all that exist. |
| TXT | apex | include:spf.mandrillapp.com. Mandrill (transactional) SPF include. Separate from the marketing SPF; remove this only if you are also dropping transactional. |
| TXT | mandrill._domainkey.example.com | v=DKIM1; k=rsa; p=... (Mandrill). Mandrill DKIM. Remove if dropping transactional. |

Step-by-step

  1. Stop sending through Mailchimp (+ Mandrill) first. Check every app, webhook, and automation that hits the vendor's API or SMTP. Pause those before touching DNS - if you flip the DNS first you'll just spend a week chasing bounces from a vendor that's still wired up on your application side.
  2. Remove the DKIM record(s) at the hosts listed above. Removing DKIM first means any mail still queued from Mailchimp (+ Mandrill) fails alignment, which is the safer failure mode - the receiver quarantines or rejects rather than silently delivering signed-as-you mail from a vendor you no longer control.
  3. Remove the SPF include. Open your SPF TXT record at the apex. Look for the exact include: entry shown above. Remove the entire token (including the include: prefix). Leave the rest of the record untouched. Verify the byte-count of the record is now under 450.
  4. Remove the CNAMEs, if any. CNAMEs for tracking domains and return-paths are dead weight once the vendor is gone; some DNS UIs surface them as "orphan records" later if you forget.
  5. Wait for propagation. 1-4 hours for most providers. The old SPF entry stays cached at receivers for the TTL you published (often 5 min - 1 hour).

Verify it's gone

Run a vendor-consolidation report on your domain. Mailchimp (+ Mandrill) should be gone from the vendor list. If it's still showing under SPF or DKIM, the DNS edit either didn't save or hasn't propagated yet - re-check in 30 minutes.

You can also do a manual spot-check with dig TXT example.com (replace with your domain). The output should no longer show the Mailchimp (+ Mandrill) include.

What you'll lose

Mailchimp campaigns sent after the DNS change will fail DMARC alignment - they'll either show as "via mailchimpapp.com" in the recipient's inbox or get sent straight to spam. Open / click tracking via Mailchimp's subdomain links keeps working until you also remove any tracking CNAMEs (see gotchas).

If you keep Mandrill but remove Mailchimp marketing, your transactional emails continue to flow (different account tier, different DNS entries).

Common gotchas

Mailchimp vs Mandrill is the gotcha most teams hit. "Mailchimp" usually means the marketing platform; "Mandrill" is the transactional one (now sold as Mailchimp Transactional). They're separate accounts with separate DNS. Vendor-consolidation reports show them as distinct entries for this reason - removing one doesn't remove the other.

Click-tracking CNAMEs. If you set up "Mailchimp domain authentication", you may have a CNAME under cm._domainkey or a tracking subdomain pointing at mailchimp.com. Search DNS for any CNAME with mcsv.net or mailchimp.com in the value.
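The checks from step 3, "Verify it's gone" and the CNAME search above can be run offline against a zone export. The following is an added example, not part of the original guide or any vendor tooling; the zone data, the `(type, host, value)` tuple layout and the function names are assumptions made for illustration, and each TXT value is assumed to be a single quoted string.

```python
import re

# Fingerprints copied from the record table in this guide.
SPF_INCLUDES = {"servers.mcsv.net": "Mailchimp marketing",
                "spf.mandrillapp.com": "Mandrill"}
DKIM_SELECTORS = {"k1": "Mailchimp marketing", "k2": "Mailchimp marketing",
                  "k3": "Mailchimp marketing", "mandrill": "Mandrill"}
CNAME_HINTS = ("mcsv.net", "mailchimp.com")
SPF_MAX_BYTES = 450  # threshold from step 3

# Constructed sample zone export for example.com (not real records).
SAMPLE_ZONE = [
    ("TXT", "example.com.", '"v=spf1 include:_spf.example.net include:servers.mcsv.net include:spf.mandrillapp.com ~all"'),
    ("TXT", "k1._domainkey.example.com.", '"v=DKIM1; k=rsa; p=CONSTRUCTED"'),
    ("TXT", "mandrill._domainkey.example.com.", '"v=DKIM1; k=rsa; p=CONSTRUCTED"'),
    ("TXT", "s1._domainkey.example.com.", '"v=DKIM1; k=rsa; p=CONSTRUCTED"'),
    ("CNAME", "cm._domainkey.example.com.", "placeholder.mcsv.net."),
]


def spf_tokens(record):
    """Split an SPF record into terms with any +,-,~,? qualifier removed."""
    return [t.lstrip("+-~?").lower() for t in record.split()]


def strip_spf_include(record, target):
    """Drop only include:<target>; return (new_record, under_byte_limit)."""
    kept = [t for t in record.split()
            if t.lstrip("+-~?").lower() != "include:" + target]
    new = " ".join(kept)
    return new, len(new.encode()) < SPF_MAX_BYTES


def audit(domain, zone):
    """Return (vendor, mechanism, host) for every leftover authorization."""
    found = []
    for rtype, host, value in zone:
        host, val = host.rstrip(".").lower(), value.strip('"')
        if rtype == "TXT" and host == domain and val.lower().startswith("v=spf1"):
            found += [(v, "SPF", host) for inc, v in SPF_INCLUDES.items()
                      if "include:" + inc in spf_tokens(val)]
        sel = re.fullmatch(r"([^.]+)\._domainkey\." + re.escape(domain), host)
        if rtype == "TXT" and sel and sel.group(1) in DKIM_SELECTORS:
            found.append((DKIM_SELECTORS[sel.group(1)], "DKIM", host))
        if rtype == "CNAME" and any(h in val.lower() for h in CNAME_HINTS):
            found.append(("Mailchimp", "CNAME", host))
    return found


if __name__ == "__main__":
    for finding in audit("example.com", SAMPLE_ZONE):
        print(*finding)
```

An empty list from `audit` means none of the records in the table, and no CNAME matching the two search strings, remain in the export; the unrelated `s1` selector in the sample is deliberately left unflagged.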

Just want to rotate keys instead?

If you're keeping Mailchimp (+ Mandrill) but want to rotate credentials (a stronger move than just changing the API key - it forces all old DKIM signatures invalid), do it from the vendor side first: Mailchimp (+ Mandrill) console →

While you're here: audit the rest

The median domain we've analyzed has 6 vendors authorized in DNS and 3 of them can send mail as you. If you just removed one, see who else is on the list.
