How to Set Up DMARC for Shopify Stores

Your Shopify store sends emails your customers rely on — order confirmations, shipping updates, refund notifications, and password resets. If those emails fail authentication and land in spam, customers lose trust and your support inbox fills up with "where is my order?" messages.

DMARC protects your store's domain from spoofing and helps ensure your transactional emails reach the inbox. For a broader look at email authentication across online stores, see our DMARC for e-commerce guide. This article covers how Shopify handles email sending, how to add DMARC to your domain, and what to do if you use other platforms like Klaviyo or Mailchimp alongside Shopify.

How Shopify Sends Email

Shopify sends transactional emails on your behalf using its own mail servers. These include order confirmations, shipping notifications, abandoned cart reminders (if you use Shopify's built-in feature), and account-related emails like password resets and customer invitations.

When these emails go out, the "From" address shows your store's email address (like orders@yourstore.com), but the actual sending infrastructure is Shopify's. This distinction matters for DMARC because authentication checks look at both the visible "From" address and the behind-the-scenes envelope sender.

Shopify's Sender Authentication

Shopify introduced sender authentication to help store owners align their email with modern authentication standards. In your Shopify admin, you can authenticate your domain under Settings > Notifications > Sender email. Shopify will provide DNS records — typically CNAME records for DKIM — that you need to add at your domain's DNS provider.

Once authenticated, Shopify signs your transactional emails with DKIM using your domain. This is the key to passing DMARC alignment.

Prerequisites Before Adding DMARC

Before creating your DMARC record, confirm the following:

Shopify sender authentication is complete. Check Settings > Notifications in your Shopify admin. Your sending domain should show as verified. If you see a prompt to authenticate, follow the steps to add the required DNS records.

SPF covers all your sending sources. Shopify's transactional emails rely primarily on DKIM for DMARC alignment. But you likely have other services sending email as your domain — your business email provider (Google Workspace, Microsoft 365), and possibly a marketing platform. All of them need to be in your SPF record. Build one at spfcreator.com.

DKIM is enabled for other email services. If you use Google Workspace, Klaviyo, Mailchimp, or any other platform that sends as your domain, enable DKIM signing for each one. You can generate DKIM records at dkimcreator.com.

The Recommended DMARC Record for Shopify Stores

Start with a monitoring-only policy to collect data before enforcing anything:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100;

Replace the email address with one you monitor. This record tells receiving servers to send you reports about every email using your domain without blocking or quarantining anything.

Starting with p=none is especially important for ecommerce because you likely have multiple services sending email as your domain, and you need to verify they are all passing authentication before you tighten the policy.

Adding the DMARC Record to Your DNS

Where you add the DMARC record depends on where your domain's DNS is hosted. If you bought your domain through Shopify, you manage DNS in Shopify's admin. If your domain is registered elsewhere (GoDaddy, Namecheap, Cloudflare, etc.), you add the record there.

If Your Domain Is on Shopify

If Your Domain Is on an External Registrar

Log in to your registrar's DNS management (GoDaddy, Namecheap, Cloudflare, etc.) and add a TXT record with the name _dmarc and your DMARC record string as the value. For registrar-specific instructions, see our guides for GoDaddy, Namecheap, or Cloudflare.

Shopify Plus Klaviyo or Mailchimp Setups

Many Shopify stores use a dedicated email marketing platform alongside Shopify. This is where DMARC configuration gets a bit more involved, because you now have multiple services sending email as your domain.

Shopify Plus Klaviyo

If you use Klaviyo for email marketing, you need to authenticate your sending domain in Klaviyo as well. Klaviyo requires you to add DNS records for both SPF and DKIM. In your Klaviyo account, go to Settings > Domains and follow the authentication steps. Make sure the CNAME records for DKIM are published and verified.

Your SPF record should include both Shopify's and Klaviyo's authorized servers. A combined SPF record might look like:

v=spf1 include:_spf.google.com include:_spf.klaviyo.com ~all

Adjust based on your actual sending sources. The key is that every platform sending as your domain needs to be accounted for.

Shopify Plus Mailchimp

Similarly, if you use Mailchimp, authenticate your domain in Mailchimp under Settings > Domains. Mailchimp provides CNAME records for DKIM that need to be added to your DNS. Once authenticated, Mailchimp signs your marketing emails with your domain's DKIM key.

Why Multi-Platform Matters for DMARC

With multiple senders, a single misconfigured platform can cause DMARC failures. Before moving past p=none, your DMARC reports need to show passing results from every service: Shopify (transactional), your marketing platform (campaigns), and your business email provider (day-to-day email). If any one of them is failing, fix it before enforcing.

Protecting Customer Trust

For ecommerce stores, email authentication is directly tied to revenue. Phishing emails that impersonate your store can steal customer credentials, payment information, and damage your brand. A DMARC record at p=reject tells the world that any email failing authentication is not from you and should be discarded.

Beyond security, authenticated emails are more likely to reach the inbox. Major mailbox providers like Google and Yahoo factor authentication into their spam filtering. Stores with proper DMARC, SPF, and DKIM records see better inbox placement for their order confirmations, shipping updates, and marketing campaigns.

Moving to Enforcement

After two to three weeks of monitoring at p=none, review your DMARC reports. Make sure every sending source passes either SPF or DKIM alignment. Then follow this progression:

Phase 1: Change to p=quarantine; pct=25;. A quarter of failing messages go to spam. Monitor for a week.

Phase 2: Increase to pct=100. All failing messages are quarantined. Watch for customer complaints about missing emails.

Phase 3: Move to p=reject. Failing messages are blocked entirely. This is the strongest protection and the goal for every ecommerce store. If you are unsure whether to start with quarantine or jump straight to reject, our comparison of DMARC quarantine vs reject explains the trade-offs for store owners.

For a detailed breakdown of each policy, see our DMARC policy levels guide.

Monitor Your DMARC Record

You've created your DMARC record — now make sure it keeps working. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.