PowerDMARC

Setup DMARC, DKIM, SPF for Shopify

Setup-DMARC,-DKIM,-SPF-for-Shopify

Email protection and authentication is a trending topic in 2024, with Google and Yahoo rolling out their new email sender requirements. These requirements highlight the need to immediately adopt protocols like DMARC, SPF, and DKIM to authorize email senders, reduce spam, and prevent phishing attacks.

According to Verizon’s 2023 DBIR, phishing contributes to one of the 3 primary ways in which attackers access organizations. This further highlights the importance of anti-phishing measures like DMARC.

Following these recent developments and email policy changes, major email service providers (ESPs) including Shopify, have been pushing for DMARC adoption among current users. So here is an easy step-by-step guide on how you can achieve DMARC Shopify compliance.  

Configure Shopify DMARC Record

To configure DMARC for Shopify, you need to create a TXT (text) record for DMARC. This record, when published on your Domain Name System activates the protocol. DMARC will then start aligning your outgoing messages and taking action against them based on authenticity, and the policy determined by you.

Why Do You Need to Set Up DMARC for Shopify?

Domain-based Message Authentication, Reporting and Conformance, or DMARC, is the holy grail of email authentication. It allows you to take action against fraudulent emails sent from your domain. DMARC can be configured with a strict policy like “reject” to minimize spoofing and phishing attacks, and can also help you monitor your sending sources from your inbox. 

A Shopify DMARC record makes sure your emails are authenticated against either SPF or DKIM (or both) before they reach your clients. In case an attacker tries to dupe your domain and send malicious messages, you can stop these messages from getting delivered.

Setting up Shopify DMARC configuration will help you:

  1. Continue sending emails from your Shopify domain 
  2. Comply with Google and Yahoo’s email sender requirements 
  3. Improve your email deliverability 
  4. Minimize phishing attacks and domain spoofing 

Furthermore, PowerDMARC has a DMARC XML reader tool that will help you monitor your Shopify sending sources and email activities easily with human-readable DMARC reports!

Setting up DMARC Shopify in 4 Steps

To configure your shopify DMARC record:

1. Sign up for free on the PowerDMARC portal 

2. Create your TXT record for Shopify DMARC using our DMARC generator tool

3. Copy the generated Shopify DMARC record

4. Login to your DNS management console 

5. Add a TXT record by following the instructions provided by the tool:

After you save your record, it may take some time for your DNS to process the new changes. Once done, you will have set up Shopify DMARC authentication successfully for your domain!

Setting up Shopify SPF Record 

Sender Policy Framework or SPF, is an email authentication protocol that is your domain’s very own authorized IP directory. During an SPF check receiving mail transfer agents look up your email’s IP address or domain name in your SPF record. If a match is found, the email is considered legitimate. This ensures that only authorized senders can send emails on your organization’s behalf. 

To configure Shopify SPF record:

1. Sign up for free on the PowerDMARC portal 

2. Create your Shopify SPF record using our SPF record generator tool 

3. On the tool interface, make sure you enter shops.shopify.com in under “Authorize domains or 3rd party services that send emails on behalf of this domain”

4. Click on “Generate SPF record” to create your Shopify SPF configuration

5. Copy the generated Shopify SPF record. Given below is an example of what it may look like:

6. Login to your DNS management console. If you don’t have access to your DNS administration portal, you will need to contact your DNS hosting provider for this step.

7. Create a new TXT record in your DNS and paste the record (v=spf1 include:shops.shopify.com -all)

8. Save changes to configure SPF for Shopify 

How to Verify Domain on Shopify?

Before you move on to authenticating your domain with DKIM, you should verify the ownership of your sender email address. According to Shopify’s email account verification document, these ‌are the steps to do it: 

1. Login to your Shopify admin account

2. Click on your store name and account picture > Manage account > Send verification email

Note: You may not be able to see the “send verification email” prompt if your email is already verified.

3. You need to follow the instructions provided in the verification email to complete the verification process for your email address

You can verify your address on an Iphone or Android device as well by simply opening the Shopify app on your mobile device. You can then click on “Account drawer” and enter your username and sender address. The rest of the process remains the same. 

Configuring Shopify DKIM Record 

DomainKeys Identified Mail (DKIM) can be used to authenticate your emails and prevent man-in-the-middle attacks. You can think of DKIM as a seal on an envelope that can only be opened by the intended recipient. DKIM adds a unique code or digital signature to your outgoing emails, that can be checked by the receiver to ensure the email was not tampered with before reaching their inbox. 

Shopify email setup guide mentions the following prerequisites to consider before you configure your Shopify DKIM record:

  1. Make sure you have access to your DNS management console 
  2. Make sure you know your sender email address 

To configure shopify DKIM records, you need to extract CNAME records from Shopify email settings. To do so, follow these steps:

1. Login to your Shopify account as the admin

2. Navigate to the “Sender email” section under Notifications 

3. Enter your sender email and verify your ownership. In case you didn’t receive the verification email, you‌ can resend the verification. 

4. You can now click on “authenticate your domain” which automatically verifies your email address 

5. This will generate 4 CNAME records. You need to follow on-page instructions to configure these records in your DNS and setup Shopify DKIM record

6. Save your record and wait for up to 24 hours to allow your DNS to propagate the changes

Check and Validate Domain Authentication Status on Shopify

You need to check whether your shopify sending domain is authenticated properly against DMARC, SPF and DKIM.

1. Login to your Shopify store  

2. Go to Settings and Click on Notifications

3. Check under Sender Email to see a green tick that says “Domain successfully authenticated”

4. If you find this message, it confirms that your Shopify SPF and DKIM implementations are successful 

5. You can take it one step further by checking your Shopify DMARC record using our DMARC checker tool

Prevent Phishing Attacks While Authorizing Sending Sources

Source alignment is an important step in email authentication. It ensures that when you run your emails through authentication checkpoints like SPF, DKIM, and DMARC, the checkpoint doesn’t detect your legitimate sources as fraudulent. The negative impact of not aligning your sending sources might be reduced email deliverability and increased bounce and spam rates.

By configuring these protocols correctly for email vendors like Shopify, you can make sure your Shopify emails successfully pass authentication checks. On the flip side, this will also prevent phishing, spoofing, and other email-based cyberattacks – which is a win-win for everyone! To continue configuring your sources, explore more here.

DMARC Shopify FAQs 

What happens if DMARC for Shopify is not set up?

If you don’t implement DMARC for Shopify domains, you will be at a higher risk of getting blocked by Gmail and Yahoo inboxes. 

How to add DNS records on Shopify?

According to Shopify’s documentation, you can edit your DNS settings on Shopify only if you have a Shopify-managed domain. Else, you need to add a custom domain to edit your Shopify DNS settings. 

Can I set up DMARC, DKIM and SPF manually?

If you are technologically sound with a deep understanding of authentication protocols, you can set them up manually. However, configuration doesn’t stop at deployment. To make sure DMARC, SPF and DKIM function correctly, you need a third-party vendor like PowerDMARC. It saves the time, effort and manual cost involved in monitoring your configurations. 

Our Content Review and Fact-Checking Process

This article has been written by a cybersecurity expert, with verifiable references to official Shopify documents.

Exit mobile version