
How to Set Up SPF, DKIM and DMARC for Shopify (2026)

DMARC Busta Team
March 16, 2026

Shopify is a hosted commerce platform that sends transactional and marketing email on behalf of merchant domains — order confirmations, shipping updates, and notifications all carry your From address. Without SPF, DKIM, and DMARC in place those messages are unauthenticated and increasingly likely to be filtered or rejected by Gmail, Yahoo, and Microsoft. Follow this guide and you'll have all three records published and verifiably passing.

Before you begin

  • DNS write access to the zone for the domain you use as your Shopify store's sender address (typically managed in Cloudflare, Route 53, GoDaddy, or your registrar's DNS panel).
  • Admin access to your Shopify store (the account owner role or a staff account with Domains and Notifications permissions).
  • A mailbox you can read raw headers from — a Gmail or Yahoo address works well for verification in Step 5.
  • A clear picture of every other service sending mail from your domain (e.g. Klaviyo, Mailchimp, your helpdesk). You will need to include all of them in SPF.

Step 1: Identify what's sending from Shopify

Shopify sends email through its own infrastructure for transactional messages (order confirmations, shipping notifications, password resets) and, if you use Shopify Email, for marketing campaigns. Depending on your store configuration, these may originate from different sending pools. Before you write a single DNS record, log into your Shopify admin and check Settings → Notifications to see which email address is used as the sender, and check Settings → Domains for any custom sender domain configuration Shopify has prompted you to complete. If you use a third-party email marketing app (Klaviyo, Omnisend, Mailchimp, etc.), those services send independently and must be accounted for in your SPF record separately — Shopify's SPF include covers only Shopify's own sending infrastructure.

Step 2: Add the SPF include

Shopify's sending infrastructure is authorized via an SPF include mechanism. The exact include string Shopify requires is documented in the Domains section of your Shopify admin and in Shopify's Help Center DNS setup article — retrieve it from there rather than relying on any value printed here, as Shopify periodically updates its sending infrastructure.

The general form of your SPF record should follow this pattern:

; BEFORE — existing SPF record with no Shopify authorization
your-domain.com.  TXT  "v=spf1 include:_spf.google.com ~all"

; AFTER — Shopify sending infrastructure added
your-domain.com.  TXT  "v=spf1 include:_spf.google.com include:<shopify-spf-include> ~all"

Replace include:<shopify-spf-include> with the exact value from Shopify's documentation. If your domain already has an SPF record, do not publish a second TXT record — merge all includes into a single v=spf1 … ~all string. Multiple SPF records on the same name cause a permerror that fails authentication entirely.

SPF 10-lookup limit warning: SPF allows a maximum of 10 DNS-resolving mechanisms (include, a, mx, ptr, exists) before receivers return a permerror. Shopify plus a handful of other SaaS tools (CRM, helpdesk, marketing platform) can push you over this limit quickly. If you are close to the limit, DMARC Busta's SPF Auto-Repair feature is designed to manage this through automated delegation, eliminating lookup-chain depth as a failure mode.
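The two failure modes above (a second SPF record, and a lookup chain longer than 10) can be checked before publishing. The following is an added example, not code from Shopify or DMARC Busta; it walks a constructed in-memory zone instead of querying DNS, and every name and address in it is a placeholder.

```python
import re

# RFC 7208 counts these terms toward the limit of 10: the five mechanisms
# named above plus the redirect modifier.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10

def spf_records(zone, name):
    """TXT values published at `name` that are SPF records."""
    return [t for t in zone.get(name, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(zone, name, path=()):
    """Count DNS-querying SPF terms reachable from `name`; ValueError on a permerror."""
    if name in path:
        raise ValueError(f"include loop at {name}")
    records = spf_records(zone, name)
    if len(records) != 1:
        raise ValueError(f"{len(records)} SPF records at {name}, exactly one required")
    total = 0
    for term in records[0].lower().split()[1:]:
        m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?", term)
        if not m or m.group(1) not in LOOKUP_TERMS:
            continue                      # ip4, ip6, all: no DNS query
        total += 1
        if m.group(1) in ("include", "redirect"):
            total += count_lookups(zone, m.group(2), path + (name,))
    return total

def audit(zone, name):
    """One-line verdict for the SPF record at `name`."""
    try:
        n = count_lookups(zone, name)
    except ValueError as exc:
        return f"permerror: {exc}"
    if n > LIMIT:
        return f"permerror: {n} lookups exceeds {LIMIT}"
    return f"ok: {n}/{LIMIT} lookups"

# Constructed zone data (placeholders, not real provider records).
ZONE = {
    "your-domain.example": ["v=spf1 include:_spf.mailbox.example include:_spf.shop.example mx ~all"],
    "_spf.mailbox.example": ["v=spf1 include:_n1.mailbox.example include:_n2.mailbox.example ~all"],
    "_n1.mailbox.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_n2.mailbox.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_spf.shop.example": ["v=spf1 ip4:203.0.113.0/24 a:out.shop.example ~all"],
}
# The mistake described above: a second SPF record added beside the first.
DUPLICATE = dict(ZONE)
DUPLICATE["your-domain.example"] = ZONE["your-domain.example"] + ["v=spf1 include:_spf.shop.example ~all"]
```

Nested includes count too: the merged record above lists only three lookup terms itself but costs six lookups once the providers' own records are followed.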

Step 3: Enable DKIM in Shopify

Shopify supports custom DKIM signing for stores on a custom domain. The general workflow is:

  1. In your Shopify admin, go to Settings → Domains.
  2. Select the custom domain you want to authenticate and look for an email authentication or DNS verification prompt. Shopify may label this section differently depending on your plan and region — refer to the current Shopify Help Center for the exact screen name if the path above has changed.
  3. Shopify will display one or more DNS records — typically a CNAME or TXT record — that you must publish to prove domain ownership and enable DKIM signing. Copy these values exactly as presented in the admin console.
  4. Publish the record(s) at your DNS provider. The canonical form for a DKIM public-key TXT record is:

; General DKIM TXT record form
selector._domainkey.your-domain.com.  TXT  "v=DKIM1; k=rsa; p=<public-key-string>"

Where selector is the value Shopify specifies (retrieve from the admin console — do not guess), and <public-key-string> is the base64-encoded public key Shopify generates for your store. If Shopify provides a CNAME record instead of a TXT record, publish it as a CNAME — Shopify then controls key rotation automatically without further DNS changes from you.

After publishing, return to Settings → Domains in Shopify and use the verification button (if present) to confirm Shopify can resolve your DNS records. DNS propagation can take up to 48 hours, though most resolvers pick up new records within an hour.

Step 4: Publish your DMARC record

DMARC is published as a TXT record on the _dmarc subdomain of your sender domain. Start with p=none — this instructs receivers to take no action on failing mail while still sending you forensic and aggregate reports. Do not jump to p=quarantine or p=reject until you have reviewed at least 14 days of reporting data and confirmed that all legitimate sending sources are authenticating correctly.

; Minimum viable DMARC record — monitoring mode
_dmarc.your-domain.com.  TXT  "v=DMARC1; p=none; rua=mailto:dmarc-rua@dmarcbusta.pro; ri=86400"

Tag | Value                            | Meaning
v   | DMARC1                           | Protocol version — must be first and exactly this string.
p   | none                             | Policy: monitor only. No action taken on failing messages.
rua | mailto:dmarc-rua@dmarcbusta.pro  | Aggregate report destination — where ISPs send daily XML digests.
ri  | 86400                            | Report interval in seconds (86400 = once per day).

Once you have reviewed reports and confirmed all sources are passing, progress the policy in stages:

; Stage 2 — quarantine 10% of failing mail (sample)
_dmarc.your-domain.com.  TXT  "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc-rua@dmarcbusta.pro"

; Stage 3 — reject all failing mail (enforcement)
_dmarc.your-domain.com.  TXT  "v=DMARC1; p=reject; rua=mailto:dmarc-rua@dmarcbusta.pro"
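A record can be linted against the tag rules in the table before each stage change. This is an added example, not DMARC Busta's checker; it takes the TXT values found at the _dmarc name as plain strings (no DNS query), and the function names are hypothetical.

```python
def parse_dmarc(txt):
    """Return (tags, problems) for one DMARC TXT value."""
    pairs = [p.strip() for p in txt.split(";") if p.strip()]
    tags, problems = {}, []
    for pair in pairs:
        key, sep, val = pair.partition("=")
        if not sep:
            problems.append(f"malformed tag {pair!r}")
            continue
        tags[key.strip().lower()] = val.strip()
    if not pairs or pairs[0].replace(" ", "") != "v=DMARC1":
        problems.append("v=DMARC1 must be the first tag")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p must be none, quarantine or reject")
    pct = tags.get("pct", "100")          # pct defaults to 100 when absent
    if not (pct.isdigit() and 0 <= int(pct) <= 100):
        problems.append("pct must be an integer from 0 to 100")
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not rua:
        problems.append("no rua tag: no aggregate reports will arrive")
    elif not all(u.lower().startswith("mailto:") for u in rua):
        problems.append("rua entry is not a mailto: URI")
    return tags, problems

def stage(txt_values):
    """Describe the policy at _dmarc.<domain>, given every TXT value published there."""
    records = [t for t in txt_values if t.replace(" ", "").startswith("v=DMARC1")]
    if len(records) != 1:
        return f"invalid: {len(records)} DMARC records, exactly one required"
    tags, problems = parse_dmarc(records[0])
    if problems:
        return "invalid: " + "; ".join(problems)
    if tags["p"] == "none":
        return "monitoring"
    return f"{tags['p']} at {tags.get('pct', '100')}%"

# The three records from this step, as they would come back from a TXT lookup.
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-rua@dmarcbusta.pro; ri=86400"
SAMPLE = "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc-rua@dmarcbusta.pro"
ENFORCE = "v=DMARC1; p=reject; rua=mailto:dmarc-rua@dmarcbusta.pro"

if __name__ == "__main__":
    for record in (MONITOR, SAMPLE, ENFORCE):
        print(stage([record]))
```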

Step 5: Verify it works

Before sending a test email, confirm your DMARC record actually published. Use our free DMARC Checker to look up _dmarc.your-domain.com and verify the record is live, has the correct policy (p=none, quarantine, or reject), and is configured for aggregate reporting. While you are there, run the SPF Checker against your domain to make sure the SPF lookup tree is clean — once both records check out, the live email test below will give you the final confirmation.

After DNS has propagated (allow at least 30–60 minutes after publishing), send a test transaction from your Shopify store to a Gmail or Yahoo mailbox you control — for example, trigger a test order confirmation or use Shopify's notification preview if available.

  1. Open the received message in Gmail. Click the three-dot menu → Show original.
  2. In the raw header view, look for the Authentication-Results header near the top of the message.
  3. Confirm all three mechanisms show pass:

Authentication-Results: mx.google.com;
  spf=pass (google.com: domain of sender@your-domain.com designates x.x.x.x as permitted sender)
       smtp.mailfrom=sender@your-domain.com;
  dkim=pass header.i=@your-domain.com header.s=<selector>;
  dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=your-domain.com

  • spf=pass — the sending IP is listed in your SPF record.
  • dkim=pass — the message signature verified against the public key in DNS.
  • dmarc=pass — at least one of SPF or DKIM aligned with the From: header domain, satisfying the DMARC policy.

If any result shows fail or neutral, compare the smtp.mailfrom domain (SPF) and header.i domain (DKIM) against your From: domain. Misalignment is the most common cause of dmarc=fail even when SPF and DKIM individually pass.
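The alignment comparison described above can be scripted against a pasted header. This is an added example, not code from the original page; the sample headers are constructed, and the alignment test is an approximation (equal domains or a parent/subdomain pair) because a full relaxed-alignment check needs the Public Suffix List.

```python
import re

def parse_auth_results(header):
    """Map each method (spf, dkim, dmarc) to a list of {result, property: value} dicts."""
    body = re.sub(r"\([^)]*\)", " ", header)       # strip parenthesised comments
    parsed = {}
    for clause in body.split(";")[1:]:             # piece 0 holds the authserv-id
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].lower().split("=", 1)
        entry = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        entry["result"] = result
        parsed.setdefault(method, []).append(entry)
    return parsed

def domain_of(value):
    """Domain part of an address such as sender@d.example or @d.example."""
    return value.rsplit("@", 1)[-1].lower().rstrip(".")

def relaxed_aligned(a, b):
    # Approximation: equal, or one is a subdomain of the other (no Public Suffix List).
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def _passes(entries, keys, from_dom):
    for e in entries:
        ident = next((e[k] for k in keys if k in e), "")
        if e["result"] == "pass" and relaxed_aligned(domain_of(ident), from_dom):
            return True
    return False

def dmarc_view(header):
    """Return (spf_counts, dkim_counts): each is True only if it passed AND aligned."""
    ar = parse_auth_results(header)
    from_dom = domain_of(ar["dmarc"][0]["header.from"])
    return (_passes(ar.get("spf", []), ("smtp.mailfrom",), from_dom),
            _passes(ar.get("dkim", []), ("header.d", "header.i"), from_dom))

# Constructed header: SPF and DKIM both pass, but for the sending service's own
# domains, so neither aligns with the From: domain and DMARC fails.
MISALIGNED = (
    "Authentication-Results: mx.receiver.example;\n"
    "  spf=pass (domain of bounce@mail.esp.example designates 192.0.2.10 as permitted sender)\n"
    "       smtp.mailfrom=bounce@mail.esp.example;\n"
    "  dkim=pass header.i=@esp.example header.s=sel1;\n"
    "  dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=your-domain.example"
)
```

`dmarc_view(MISALIGNED)` returns `(False, False)`; DMARC needs at least one `True`.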

Common errors with Shopify

  • Duplicate SPF records. If your DNS zone already had an SPF record before Shopify setup and you added a second one, receivers return a permerror. Merge all include mechanisms into a single TXT record on the bare domain.
  • DKIM CNAME not resolving. Shopify may issue CNAME-based DKIM records. If you published a TXT record with the key material instead of a CNAME, or if your DNS provider flattened the CNAME, DKIM will fail. Verify the record type matches what Shopify instructed.
  • DKIM public key broken across multiple strings. Some DNS providers split long TXT records into 255-character chunks automatically. If your DNS provider does this incorrectly — inserting spaces rather than concatenating strings — the DKIM key will not parse. Verify the record resolves correctly with dig TXT selector._domainkey.your-domain.com.
  • From address domain mismatch. Shopify notifications may default to a @shops.myshopify.com address unless you have explicitly configured a custom sender domain. If the From domain is myshopify.com, your domain-level DMARC policy provides no protection — configure a custom sender domain first.
  • Third-party apps breaking SPF lookup count. Stores using multiple email apps (reviews, loyalty, helpdesk) each add SPF includes. The combined lookup chain can exceed 10, causing permerror. Audit your full sending ecosystem and consolidate where possible.

How DMARC Busta helps

The steps above are a one-time manual configuration — but DMARC enforcement is an ongoing process. New sending sources appear when you install a new Shopify app. SPF lookup chains drift over time as vendors update their infrastructure. DMARC aggregate reports require parsing before they're actionable. DMARC Busta is designed to manage this operational overhead at scale, with Autopilot mode handling policy progression based on live reporting data, SPF Auto-Repair maintaining valid lookup chains through automated delegation, and managed DMARC reporting surfacing authentication failures without requiring you to parse XML. The platform is designed to manage 10,000+ domains, making it suited for both individual store owners and MSPs managing authentication across a merchant portfolio.

If you're setting up authentication for multiple Shopify stores — or managing email authentication across a broader client base — DMARC Busta's multi-domain dashboard is designed to centralise record management, aggregate reporting, and policy enforcement in a single interface, removing the need to repeat the steps above manually for each domain.

Start your free trial and put your email authentication on autopilot.
