Email Authentication for Shopify Stores: SPF, DKIM, DMARC

Introduction

Shopify stores send critical transactional emails (order confirmations, shipping notifications) and marketing emails to customers. Proper email authentication ensures these emails reach inboxes instead of spam folders.

This guide covers complete email authentication for Shopify stores, including integrations with popular email marketing platforms.

What you'll configure:

• Shopify transactional email authentication
• Marketing platform integration (Klaviyo, Mailchimp)
• Complete DMARC protection
• Multi-sender authentication

Time required: 45-60 minutes

Understanding Shopify Email Architecture

Shopify stores typically send emails from multiple sources:

1. Shopify transactional emails: Order confirmations, shipping notifications
2. Marketing platform: Klaviyo, Mailchimp, Omnisend
3. Support system: Zendesk, Gorgias, Help Scout
4. Business email: Gmail, Microsoft 365

All must be properly authenticated to avoid spam folder placement.

Prerequisites

• ✅ Shopify store with custom domain
• ✅ DNS management access for your domain
• ✅ Access to marketing platform settings (if used)

Step 1: Configure Shopify Sender Email

1.1: Set Custom Sender Email

1. Go to Shopify Admin

   • Settings → Notifications

2. Configure Sender Email

   • Scroll to "Sender email"
   • Set to: store@yourdomain.com or orders@yourdomain.com
   • NOT: noreply@shopify.com

Important: Using a custom sender email from your domain is required for proper DMARC alignment.

1.2: Verify Domain

Shopify may require domain verification:

• Add verification TXT record to DNS
• Follow Shopify's verification instructions

Step 2: Configure SPF for Shopify

2.1: Shopify SPF Include

Add TXT record at DNS provider:

For Shopify only:

v=spf1 include:shops.shopify.com ~all

For Shopify + marketing platform:

v=spf1 include:shops.shopify.com include:spf.klaviyo.com include:servers.mcsv.net ~all

Record details:

• Name: @ or yourdomain.com
• Type: TXT
• Value: SPF record above

2.2: Common Shopify Email Stack SPF

Shopify + Klaviyo:

v=spf1 include:shops.shopify.com include:spf.klaviyo.com ~all

Shopify + Mailchimp:

v=spf1 include:shops.shopify.com include:servers.mcsv.net ~all

Shopify + Omnisend:

v=spf1 include:shops.shopify.com include:spf.omnisend.com ~all

Shopify + Klaviyo + Google Workspace:

v=spf1 include:shops.shopify.com include:spf.klaviyo.com include:_spf.google.com ~all

2.3: Verify SPF

Check SPF Record →

Important: Monitor DNS lookup count—must be ≤10 lookups.

Step 3: Configure DKIM

3.1: Shopify DKIM

Important limitation: Shopify does NOT support custom DKIM for transactional emails sent via shops.shopify.com.

Workaround options:

Option 1: Use Shopify's DKIM (default)

• Shopify signs emails with their DKIM
• Alignment may be relaxed or fail
• Less control

Option 2: Use email service provider for all emails

• Route all emails through Klaviyo/Mailchimp
• Full DKIM control
• More complex setup

Option 3: Accept SPF-only authentication

• Shopify emails authenticated via SPF only
• Marketing emails use DKIM
• Combined DMARC still works

3.2: Configure Marketing Platform DKIM

For Klaviyo:

1. Go to Klaviyo Settings → Domains & Addresses
2. Add your domain
3. Copy DKIM DNS records (3 CNAME records)
4. Add to DNS:

   k1._domainkey → dkim.klaviyo.com
   k2._domainkey → dkim2.klaviyo.com  
   k3._domainkey → dkim3.klaviyo.com

5. Verify in Klaviyo

For Mailchimp:

1. Go to Mailchimp → Website → Domains
2. Add domain and verify
3. Enable "Authenticate your domain"
4. Add DKIM DNS records provided
5. Verify

For Omnisend:

1. Settings → Brand → Email Authentication
2. Add domain
3. Copy DNS records
4. Add to DNS and verify

3.3: Verify DKIM

DKIM Checker →

Test selectors: k1, default, mailchimp

Step 4: Implement DMARC

4.1: Create DMARC Record

Start with monitoring:

Add TXT record:

• Name: _dmarc
• Type: TXT
• Value:

  v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

4.2: Monitor DMARC Reports

Review reports for 2-4 weeks to identify all email sources:

• Shopify transactional emails
• Marketing platform
• Support system
• Any other services

4.3: Progressive Enforcement

After monitoring phase:

Quarantine:

v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@yourdomain.com; adkim=r; aspf=r

Reject (full protection):

v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@yourdomain.com; adkim=r; aspf=r

Important for Shopify:

• Use adkim=r (relaxed DKIM alignment)
• Use aspf=r (relaxed SPF alignment)
• This accommodates Shopify's email infrastructure

4.4: Verify DMARC

DMARC Checker →

Step 5: Configure Marketing Integrations

Klaviyo Configuration

Complete setup:

1. Add domain in Klaviyo

   • Settings → Domains & Addresses
   • Add domain
   • Verify ownership

2. Configure DNS

   • Add DKIM CNAME records (k1, k2, k3)
   • Add SPF include
   • Verify in Klaviyo

3. Set sender address

   • Use: hello@yourdomain.com
   • NOT: Generic Klaviyo address

4. Test

   • Send test campaign
   • Verify DKIM signature
   • Check deliverability

Mailchimp Configuration

Complete setup:

1. Authenticate domain

   • Website → Domains
   • Add and verify domain

2. Enable authentication

   • Click "Authenticate"
   • Add DNS records
   • Verify

3. Configure sender

   • Use verified domain address
   • Enable DKIM signing

Omnisend Configuration

1. Settings → Brand

   • Add sending domain
   • Complete verification

2. Email Authentication

   • Add DNS records
   • Verify SPF and DKIM

Step 6: Testing and Monitoring

6.1: Test Shopify Transactional Emails

1. Place test order

   • Use test mode
   • Check order confirmation email

2. View email headers

   • Forward to Gmail
   • Show original
   • Verify authentication

Expected results:

spf=pass smtp.mailfrom=shops.shopify.com
dmarc=pass (alignment may vary)

6.2: Test Marketing Emails

1. Send test campaign from Klaviyo/Mailchimp
2. Check headers
   • spf=pass
   • dkim=pass
   • dmarc=pass

6.3: Monitor Deliverability

Weekly checks:

• Email open rates (target: >20%)
• Spam complaint rate (target: <0.1%)
• Bounce rate (target: <2%)
• DMARC pass rate (target: >95%)

6.4: Complete Domain Audit

Run Domain Score →

Checks:

• SPF configuration
• DKIM for all senders
• DMARC policy
• Blacklist status

Common Shopify Email Issues

Issue: Shopify emails going to spam

Causes:

• No SPF record
• Using default Shopify sender
• Missing DMARC

Solution:

1. Add SPF with include:shops.shopify.com
2. Set custom sender email from your domain
3. Implement DMARC with relaxed alignment

Issue: Marketing emails authenticated but Shopify emails fail

Causes:

• Shopify not in SPF
• DMARC alignment too strict

Solution:

• Verify SPF includes shops.shopify.com
• Use relaxed DMARC alignment: adkim=r; aspf=r

Issue: Too many DNS lookups in SPF

Causes:

• Multiple marketing platforms
• Too many include: statements

Solution:

• Consolidate to one primary marketing platform
• Use SPF flattening
• Remove unused services
• Check lookup count →

Best Practices for Shopify Stores

Email Hygiene

✅ Clean email list regularly

• Remove bounces immediately
• Delete inactive subscribers (no engagement 6+ months)
• Use double opt-in

✅ Segment your list

• Active customers
• Abandoned carts
• Browsers vs buyers

✅ Monitor engagement

• Track opens, clicks
• Remove consistently non-engaged users
• A/B test subject lines

Compliance

✅ Include unsubscribe link

• Prominent in every marketing email
• One-click unsubscribe (required by Gmail/Yahoo)

✅ Honor opt-outs immediately

• Process within 48 hours (legal requirement)
• Better: instant processing

✅ Physical address

• Include in email footer
• Required by CAN-SPAM Act

Deliverability Optimization

✅ Warm up new domain

• Start with small volume
• Gradually increase over 2-4 weeks
• Send to engaged subscribers first

✅ Maintain consistent sending

• Regular schedule
• Avoid huge volume spikes
• Gradual growth

✅ Monitor reputation

• Google Postmaster Tools
• DMARC reports
• Bounce and complaint rates

Timeline for Complete Setup

Week 1:

• Configure Shopify sender email
• Set up SPF record
• Configure DKIM for marketing platform
• Create DMARC monitoring record

Week 2-5:

• Monitor DMARC reports
• Identify all email sources
• Fix authentication issues
• Test thoroughly

Week 6-8:

• Move to p=quarantine
• Monitor for issues
• Verify deliverability

Week 9+:

• Move to p=reject
• Ongoing monitoring
• Maintain email hygiene

The Bottom Line

Shopify email authentication requires:

1. SPF: Include shops.shopify.com + marketing platforms
2. DKIM: Configure in marketing platform (Shopify limitation exists)
3. DMARC: Use relaxed alignment, progressive enforcement
4. Testing: Verify both transactional and marketing emails

Key Shopify considerations:

• Set custom sender email from your domain
• Use relaxed DMARC alignment
• Configure authentication for all email sources
• Regular monitoring and list hygiene

Next Steps

Audit your Shopify store's email security:

1. Check SPF →
2. Verify DKIM →
3. Test DMARC →
4. Complete audit →

Need automated DMARC monitoring?

Shopify stores send high volumes of email—manual report review is time-consuming. Get:

• Automated report parsing
• Visual dashboards
• Deliverability alerts
• Policy recommendations

Start free trial →

---

Related Articles:

• SPF, DKIM, and DMARC: The Complete Guide
• Why Your Emails Are Going to Spam
• Gmail & Yahoo 2024 Email Requirements