Your Shopify store sends order confirmations, shipping updates, and password resets to customers every day. If those emails land in spam, your customers miss them and your revenue suffers. Email authentication via SPF, DKIM, and DMARC DNS records is what keeps your transactional emails in the inbox. This guide walks you through the setup in plain English, no developer required.
When a customer buys from your Shopify store, they expect an order confirmation within seconds. When they do not see it, they check spam folders, resubmit orders, and contact support. The root cause of most Shopify email deliverability failures is missing or incorrect email authentication on the sending domain.
Shopify handles authentication automatically for emails sent from .myshopify.com addresses. But if you use a custom domain like yourstorename.com, or if you send through third-party email apps, you need to configure your own DNS records. That means adding SPF, DKIM, and DMARC records to your domain registrar.
The good news: you do not need to understand what each acronym stands for to set them up correctly. This article gives you the exact records to add, where to add them, and how to verify they work.
What Email Authentication Actually Does for Your Shopify Store
Email authentication is a set of DNS records that tells receiving email servers your domain is authorized to send email. Without these records, Gmail, Outlook, and Yahoo have no way to verify that emails claiming to come from your store actually came from you.
When authentication fails, your transactional emails go to spam or get rejected. Studies show that 15-20% of marketing and transactional emails fail to deliver due to authentication issues. For a store doing 50 orders per day, that is 10 missing order confirmations every single day.
Gmail and Yahoo both tightened their requirements in 2024. Bulk senders now need DMARC records in place or risk having their emails blocked. This is not optional anymore.
The Three Records You Need: SPF, DKIM, and DMARC
SPF (Sender Policy Framework) is the simplest record. It lists which mail servers are allowed to send email for your domain. Think of it as a guest list. If a server is not on the list, receiving servers treat the email as suspicious.
For Shopify stores, your SPF record tells receiving servers that Shopify’s servers are allowed to send email on your behalf. Without it, Gmail has no confirmation that Shopify is an authorized sender for your domain.
DKIM (DomainKeys Identified Mail) adds a digital signature to every email. The signature is created with a private key held by the sending service, and the matching public key is published in your DNS records. When an email arrives, the receiving server looks up the DKIM record and uses that public key to verify the signature. If it matches, the email is legitimate. If it does not, the email was tampered with or spoofed.
Shopify generates DKIM keys for your store automatically when you set up your custom domain. You just need to add the DKIM DNS record to your registrar.
DMARC (Domain-based Message Authentication, Reporting and Conformance) is the policy layer. It tells receiving servers what to do when an email fails SPF or DKIM checks. Your options are: do nothing (none), quarantine to spam (quarantine), or reject the email outright (reject). DMARC also gives you a reporting email address so you can see when authentication fails.
For most Shopify store owners, a DMARC policy of “none” is the right starting point while you test. Once you confirm everything works, you can tighten it to “quarantine” or “reject.”
Step 1: Find Your DNS Settings
Before you add any records, you need to know where to add them. Your DNS settings live at your domain registrar, not in Shopify.
Common registrars and how to find their DNS settings:
- GoDaddy: Sign in, select your domain, click “DNS” under “Settings”
- Namecheap: Sign in, go to Dashboard, click “Manage” next to your domain, select “Advanced DNS”
- Google Domains: Sign in, select your domain, click “DNS”
- Cloudflare: Sign in, select your domain, click the DNS tab
- Shopify Domains: If you bought your domain through Shopify, go to Online Store > Domains > DNS Settings
If you do not know who your registrar is, search for “whois [yourdomain.com]” to find out.
Step 2: Add Your SPF Record
Your SPF record is a single TXT record that lists authorized sending servers for your domain.
For Shopify, the standard SPF record is:
v=spf1 include:shops.shopify.com ~all
This tells receiving servers: “Email sent from servers listed in shops.shopify.com is authorized. Everything else: use soft fail (mark as suspicious but do not block).”
If you use a third-party email service like KIRIM.EMAIL alongside Shopify, your SPF record needs to include both senders. For example, a store that also sends through SendGrid would use:
v=spf1 include:shops.shopify.com include:sendgrid.net ~all
The key rule: you can only have ONE SPF record per domain. Adding a second one breaks both. If you already have an SPF record, merge the includes instead of adding a new record.
To add the record in your registrar:
- In your DNS settings, click “Add Record”
- Select type “TXT”
- In the Host/Name field, enter “@” or leave blank (depends on registrar)
- In the Value/Points To field, paste your SPF string
- Save the record
Propagation takes 5 minutes to 48 hours. Most registrars update within 15 minutes.
Step 3: Add Your DKIM Record
Shopify generates a unique DKIM key for your domain. You find it in your Shopify admin.
In Shopify, go to Settings > Domains > Custom Domains. Click your domain name, then look for the DKIM record. Shopify shows you the host name and the DKIM value to paste.
The record type is TXT. The format looks something like:
- Host/Name: shopify._domainkey.yourstorename.com
- Value: v=DKIM1; k=rsa; p=YOUR-UNIQUE-KEY
Copy both values exactly as shown. In your registrar DNS settings:
- Add a new TXT record
- Host/Name: paste the shopify._domainkey.yourstorename.com part
- Value/Points To: paste the full DKIM value from Shopify
- Save
Step 4: Add Your DMARC Record
DMARC is the record that ties everything together. It tells receiving servers how to handle emails that fail authentication.
The basic DMARC record for a Shopify store is:
v=DMARC1; p=none; rua=mailto:[email protected]
Breaking this down:
- v=DMARC1: version, always this value
- p=none: policy for failed emails: do nothing (softest, good for testing)
- rua=mailto:...: email address to receive aggregate DMARC reports
To add this:
- Add a new TXT record in your DNS settings
- Host/Name: _dmarc.yourstorename.com
- Value: v=DMARC1; p=none; rua=mailto:[email protected]
- Save
Use an email address you check regularly for the rua report address. You will receive XML reports showing which emails passed or failed authentication.
Step 5: Verify Your Authentication Is Working
Do not wait for a customer complaint to find out your emails are in spam. Test immediately after DNS propagation.
The fastest verification method is to send a test email to mail-tester.com. The service gives you a score out of 10 and a detailed breakdown of SPF, DKIM, and DMARC status for your sending domain.
Send a test email to the address shown on mail-tester.com, then check your score. A score of 8 or above means your authentication is working. Below 8 means something is missing or misconfigured.
Another option: use Gmail’s Postmaster Tools (free, requires a Google account). Add your domain and wait 24-48 hours for data. Postmaster Tools shows you spam rates, authentication rates, and specific errors.
You can also check your raw email headers by sending a test to a free email account on Gmail or Outlook and looking for “Authentication-Results” in the email header. This tells you exactly what each provider sees.
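An added example (not part of the original guide) of reading that header with a script: it extracts the SPF, DKIM, and DMARC results and checks which passing result matches the domain in the From address. The message is a constructed sample, and the alignment test is a simplification that compares domain suffixes instead of consulting the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; domains and the IP are placeholders.
RAW = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.i=@yourstorename.com header.s=shopify;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounce@bounces.mailer.example;
 dmarc=pass (p=NONE) header.from=yourstorename.com
From: Your Store <orders@yourstorename.com>
Subject: Order #1001 confirmed

Thanks for your order.
"""

def auth_results(raw_message):
    """Map each method (spf, dkim, dmarc) to its result and reported properties."""
    out = {}
    for header in message_from_string(raw_message).get_all("Authentication-Results", []):
        text = " ".join(str(header).split())          # unfold continuation lines
        text = re.sub(r"\([^()]*\)", " ", text)       # drop (comments)
        for part in text.split(";")[1:]:              # part 0 is the receiver's id
            m = re.match(r"\s*([a-z0-9-]+)=([a-z]+)", part, re.I)
            if m:
                props = dict(re.findall(r"([a-z]+\.[a-z0-9-]+)=(\S+)", part, re.I))
                out[m.group(1).lower()] = {"result": m.group(2).lower(), **props}
    return out

def domain_of(value):
    return (value or "").rsplit("@", 1)[-1].lower()

def aligned(a, f):
    """Simplified relaxed alignment (assumption: no Public Suffix List lookup)."""
    return bool(a and f) and (a == f or a.endswith("." + f) or f.endswith("." + a))

def dmarc_view(raw_message):
    """Report which passing check, if any, aligns with the visible From domain."""
    sender = parseaddr(message_from_string(raw_message)["From"] or "")[1]
    res, from_domain = auth_results(raw_message), domain_of(sender)
    dkim, spf = res.get("dkim", {}), res.get("spf", {})
    dkim_dom = domain_of(dkim.get("header.d") or dkim.get("header.i"))
    spf_dom = domain_of(spf.get("smtp.mailfrom"))
    return {
        "dkim_aligned": dkim.get("result") == "pass" and aligned(dkim_dom, from_domain),
        "spf_aligned": spf.get("result") == "pass" and aligned(spf_dom, from_domain),
        "dmarc": res.get("dmarc", {}).get("result"),
    }
```

In the sample, SPF passes for the bounce domain but does not match the From domain, so the DMARC pass rests on the DKIM signature alone.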
Common Problems After Setup
DNS records are not propagating. If you added the records but tests still show no authentication, wait 48 hours. DNS propagation is not instant. If after 48 hours you still see issues, double-check the record values for typos. A single missing character breaks the entire record.
You have multiple SPF records. This is a common mistake when store owners add Shopify authentication alongside an existing setup. If you have two SPF TXT records on the same domain, receiving servers reject both. Merge them into one record with all includes.
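A check for the one-record rule from Step 2 and the problem described above, as an added example (not Shopify's or any registrar's code): it flags duplicate SPF records in a set of TXT values, merges them into one, and counts the terms that cost a DNS lookup. The TXT values are constructed samples; when no record carries an "all" term the merge falls back to "~all", an assumption taken from this guide's soft-fail default.

```python
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

SAMPLE_TXT = [  # constructed TXT values for one domain
    "v=spf1 include:shops.shopify.com ~all",
    "v=spf1 include:sendgrid.net ~all",            # second SPF record: the mistake
    "google-site-verification=constructed-token",  # unrelated TXT, ignored
]

def spf_records(txt_records):
    """Return only the TXT values that are SPF records."""
    return [r.strip() for r in txt_records
            if (r.split() or [""])[0].lower() == "v=spf1"]

def lookup_count(record):
    """Count top-level terms that trigger a DNS lookup (RFC 7208 caps the total at 10).
    Lookups made inside included records are not followed here."""
    names = (t.lstrip("+-~?").lower() for t in record.split()[1:])
    return sum(re.split(r"[:/=]", n)[0] in LOOKUP_TERMS for n in names)

def merge_spf(txt_records):
    """Combine every SPF record into one value with a single trailing 'all'."""
    terms, all_term = [], None
    for record in spf_records(txt_records):
        for term in record.split()[1:]:
            if term.lstrip("+-~?").lower() == "all":
                all_term = all_term or term      # keep the first 'all' seen
            elif term not in terms:
                terms.append(term)               # de-duplicate, keep order
    return " ".join(["v=spf1", *terms, all_term or "~all"])  # "~all" default is an assumption

def lint(txt_records):
    """Return a list of problems; an empty list means no issue was found."""
    found, problems = spf_records(txt_records), []
    if not found:
        problems.append("no SPF record published")
    if len(found) > 1:
        problems.append(f"{len(found)} SPF records found; merge into: {merge_spf(found)}")
    problems += [f"more than 10 DNS lookups in: {r}" for r in found if lookup_count(r) > 10]
    return problems

if __name__ == "__main__":
    for problem in lint(SAMPLE_TXT):
        print(problem)
```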
DMARC reports show failures but emails are arriving. If your DMARC policy is “none,” failing emails still arrive in inboxes. This is normal. The failures mean something in your sending setup is not aligned with your DNS records. Check whether you are sending from multiple platforms that need to be included in your SPF record.
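To see which senders sit behind the failures in a DMARC aggregate report (the XML sent to the rua address from Step 4), the added example below totals messages per source IP by DMARC outcome. It is not from Shopify or any report provider; the report is a constructed sample trimmed to the fields used.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report, trimmed to the fields used below.
REPORT = """<feedback>
  <policy_published><domain>yourstorename.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourstorename.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourstorename.com</header_from></identifiers>
  </record>
</feedback>"""

def summarize(xml_text):
    """Total messages per source IP, split by DMARC outcome."""
    # Reports arrive by email from outside parties, so treat them as untrusted input.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("unexpected DTD or entity declaration in report")
    root = ET.fromstring(xml_text)
    totals = {}
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]           # some reporters add a namespace
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip", "unknown")
        count = int(rec.findtext("row/count", "0"))
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        verdict = "pass" if "pass" in (dkim, spf) else "fail"  # DMARC needs only one
        bucket = totals.setdefault(ip, {"pass": 0, "fail": 0})
        bucket[verdict] += count
    return totals

def at_risk(xml_text):
    """Sources whose mail would be hit by p=quarantine or p=reject."""
    return {ip: t["fail"] for ip, t in summarize(xml_text).items() if t["fail"]}
```

Any source listed by at_risk is either a sender you still need to authorize or mail you did not send; sort that out before moving past p=none.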
Shopify says authentication is configured but emails still go to spam. Authentication is necessary but not sufficient. Email content, sending volume patterns, and recipient engagement also affect inbox placement. Authentication gets you through the door. Good content keeps you there.
Once your authentication records are live, the next step is making sure every email address on your list is real. Invalid addresses bounce, and bounces damage your sender reputation before you even get started. The KIRIM.EMAIL email validation API checks whether an email address exists and can receive messages before you send to it. This protects your deliverability from day one.
FAQ
Q: What is the difference between SPF, DKIM, and DMARC?
SPF authorizes which servers can send email for your domain by listing them in a DNS record. DKIM adds a cryptographic signature to every email that proves it came from your domain and was not altered in transit. DMARC is the policy layer that tells receiving servers what to do when an email fails one or both of those checks, and it sends you reports on authentication results.
Q: Do I need email authentication if I use Shopify’s default email system?
If you send exclusively from Shopify’s default .myshopify.com addresses and do not use any third-party email tools, Shopify handles authentication for you. However, if you use a custom domain or send marketing emails through apps like Klaviyo, Mailchimp, or KIRIM.EMAIL, you need to configure SPF, DKIM, and DMARC records yourself for that custom domain.
Q: How do I access my DNS settings to add authentication records?
Your DNS settings are at your domain registrar, not in Shopify. Sign in to wherever you bought your domain (GoDaddy, Namecheap, Google Domains, Cloudflare, or your hosting provider). Look for a DNS, Nameservers, or Advanced Settings section. If you bought your domain through Shopify, find DNS settings inside Shopify Admin under Settings > Domains.
Q: How long does it take for DNS changes to propagate?
Most DNS changes propagate within 15 minutes to 2 hours. In rare cases, it can take up to 48 hours. If you are testing immediately after adding records and they do not show up, wait an hour and try again. Do not make changes multiple times in rapid succession; this can cause conflicts.
Q: What happens if I skip email authentication for my Shopify store?
Without authentication, Gmail, Outlook, and Yahoo treat your emails as unverified. Unauthenticated emails go to spam at significantly higher rates. In 2024, both Gmail and Yahoo started requiring DMARC for bulk senders. If you are running a Shopify store with a custom domain and sending more than a handful of emails per day, skipping authentication means your transactional emails are unreliable.
Q: Can I set up email authentication without a developer?
Yes. Adding SPF, DKIM, and DMARC records requires no coding knowledge. You need to be able to log in to your domain registrar and copy-paste values from Shopify into DNS fields. The process takes 10-30 minutes. If you can fill out a form in Shopify admin, you can add DNS records.
Q: How do I know if my authentication is working correctly?
Send a test email to mail-tester.com and check your score. A score of 8 or above means authentication is passing. You can also send a test to a Gmail address, then view the email’s raw headers. Look for “Authentication-Results”; it will show SPF pass/fail, DKIM pass/fail, and DMARC results.
Q: What DMARC policy should I start with?
Start with p=none while you verify everything works. This means receiving servers take no action on failed emails, but you still receive DMARC reports showing what is failing. Once you confirm all your sending sources are covered by your SPF and DKIM records, you can tighten the policy to p=quarantine to send suspicious emails to spam, or p=reject to block them entirely.
Hasbi Putra is Head of Marketing at KIRIM.EMAIL, email delivery infrastructure for businesses and developers worldwide. KIRIM.EMAIL sends over 11 million emails per day from servers built for reliability and deliverability.