DMARC Guide for Shopify Customers
Google and Yahoo began enforcing DMARC requirements February 2024. We have resources to help you prepare for DMARC and other sender requirements to ensure your email delivery won’t be disrupted.
How to meet the DMARC mandate with Shopify
Before you begin: You need to either access your Shopify admin dashboard or your DNS hosting provider’s management console to make these changes, which will be adding Text (TXT) files.
- Create a no-cost trial account if you haven’t already.
- Create or retrieve your DMARC record. If you are an existing dmarcian customer or just started a trial, this information is available within your account under step two of the Quick Guide “Add DMARC Record.” We’ve also sent you an email with this same information on the day of sign up. Search your inbox for emails that came from support@dmarcian.com. And here’s more information on how to publish a DMARC record.
- When adding the DMARC record to your DNS, it looks something like this:
NOTE: In some cases you will enter _dmarc for the host/target name; in other instances, it will be _dmarc <domain name>. With Shopify, it will be _dmarc in most cases.
After data has populated in your dmarcian account, which can take a day or two, it’s time to get your sources into DMARC alignment. As you can see below, DMARC alignment is a vital configuration step and means that the From header (the email domain you see when you send email) needs to match (called alignment in DMARC) the SPF domain and the DKIM domain in those records.
To achieve this alignment, you need to set up SPF and/or DKIM to use your domain when sending emails on your behalf. Messages can pass DMARC alignment in one of two ways:
- Your messages pass DKIM, using the same domain as your message From: header; this is the d= value within email headers.
- Your messages pass SPF, using the same domain as your message From: header. This is the Return-Path value within email headers. This header value is sometimes referred to as the “bounce domain,” “envelope-from” or “MailFrom.”
Of these two options, DKIM tends to be an easier and more reliable method as it survives forwarding. Much like Google and Yahoo postmasters have promoted, dmarcian also recommends a DKIM-first approach. However, a valid SPF record must be present.
You can use the Source Configuration Guide links (see below) next to each source in our platform’s Source Viewer to find instructions on how to create and add SPF and DKIM records.
Once your DMARC record is successfully added and your sources are in compliance, you have met the DMARC portion of the Yahoo/Google requirements.
A guide to help you get started and reach DMARC compliance with our DMARC Management Platform.
What if I don’t do anything?
In announcing the change, Shopify says that “if you take no action by February 1, we will rewrite your sender email to store@shopifyemail.com to meet the minimum requirements outlined by Google and Yahoo, so you can continue sending emails to your customers without interruption.” You can learn more from Shopify here.
Why DMARC now?
There are few mechanisms that prohibit bad actors from sending an email pretending to be you. DMARC is the main control for fighting domain abuse. It’s a free and open technical specification that authenticates emails with SPF and DKIM. By publishing a DMARC record in your domain’s DNS, you can fight business email compromise, phishing and spoofing.
DMARC, SPF and DKIM aren’t newcomers to the email authentication scene—they’ve been around for over a decade and have grown to become a best practice. Email is involved in more than 90% of all network attacks; without DMARC, it can be hard to tell if an email is real or fake. Because of the increased email abuse, senders and receivers like Google and Yahoo have to reinforce their defenses with the DMARC control.
How is DMARC going to help?
Increased DMARC adoption, which is what Google and Yahoo are promoting, will help ensure that email can continue to be a trusted mode of communication. Adopting DMARC for your domain will improve the trustworthiness of your email, and it will also contribute to the network effort as more and more domain owners accomplish DMARC adoption.
For large enterprises, DMARC has been a cornerstone of email security and brand reputation for a decade. Now, Google and Yahoo are compelling senders of all sizes to reap the benefits of DMARC. In a way, Google and Yahoo are pushing you to help them, so that in turn, they can trust your email and provide more reliable delivery.
How can dmarcian help?
With a team of email security experts, a network of helpful partners, and a mission of making email and the internet more trustworthy through domain security, we’re here to help assess an organization’s domain catalog and implement and manage DMARC for the long haul.
Are you a small- or medium-sized business that needs help with your DMARC project? MSPs and MSSPs powered by dmarcian are an optimal solution.
The following are no-cost dmarcian resources to help you understand and deploy DMARC:
- Knowledge Base – A blog designed to educate and advocate for DMARC.
- Tools – Our full suite of free tools to assist people deploying DMARC.
- Videos – Our popular video series on all things DMARC.
Ask questions and provide feedback to other Shopify customers deploying DMARC.