Has anyone using Google Apps for email successfully turned on DKIM Authentication in the Google Apps Admin panel and had everything go smoothly? Shopify in their documentation says their service is not compatible with DKIM but as far as I can tell you should be able to use DKIM auth as long as you dont have a DMARC policy of p=reject.
Can anyone shed some light?
It's Daniel from the Guru Support team here at Shopify :) Thanks for reaching out!
I'd have to advice against turning on the DKIM Authentication purely on the recommendation of our developers, we simply do not support it.
If you don't have a DMARC policy of 'p=reject', and use say for example “p=none” policy. It means that the Domain Owner is not asking the Receiver to take action if a DMARC check fails. This policy allows the domain owner to receive reports about messages using their domain even if they haven’t deployed SPF/DKIM, so that they could for example determine if their domain is being abused by phishers.
There would be no change in how their messages are treated; however they would now have some visibility into what mail is being sent under the domain’s name.
I found https://dmarc.org/wiki/FAQ very informative when researching this here Jason, I hope that helps! As always, feel free to reach out if you have any further questions :)
I know this is an old thread, but wanted to add my thoughts on this.
The Shopify documentation says not to use DKIM because Shopify does not support it. In my mind that is wrong and a misunderstanding of what DKIM is and does. Shopify might not support it, but that doesn't mean you can't use it to sign emails sent through Gmail or other third party services that support it.
DMARC is another issue entirely, but in theory, so long as you are including Shopify's SPF record then there shouldn't be an issue in general. If you have a p=none policy, it won't have any impact anyway. You can even use a p=reject policy because to get a DMARC pass only requires SPF or DKIM to pass, not both. But since Shopify does not support DKIM, it does mean there is no backup mechanism, so it is riskier.
What needs to happen is for Shopify to support custom DKIM signing for notification emails. In this day and age when businesses should really be using DMARC – and with a strict policy at that – third party services like Shopify need to have this ability.
I entirely agree with Sebastian, Shopify is using outmoded (10+ year old) email security practices with SPF, which puts them at serious risk of having email rejected or flagged as spam when sent to customer email inboxes...
Would be ideal to move to sending mail from their own Shopify domain, while at the same time updating their security practices to give Shopify store owners the option to properly setup DMARC - and more safely send "From:" their own domain if they choose to.
If they don't get on top of things now there will be biiig problems down the track...
Absolutely. To think SPF only is acceptable in 2016 (nearly 2017) is ridiculous. If they can't or won't implement custom DKIM signing, then allow customers to use their own SMTP server. Custom DKIM signing would be better of course.
There would appear to be a lack of understanding of the technologies from Shopify. However I would imagine this is just down to whoever writes the articles, because Shopify's own mail is well setup.
That said, it does say to me that Shopify don't listen. I told them about the misunderstanding of DKIM in this article (where it tells people you must turn it off on your domain...) a few months back, but nothing has changed.
@shopify - please respond to this chain. We need a fix on this ASAP. It is starting to seriously impact our business in a negative way.
You dont allow us to customize / send our own notifications for specific events, so you MUST figure this out so we can be confidant that customers are actually receiving them from you.
Agreed. The impression I get is that Shopify think offering SPF authentication is sufficient. It's not. It's 2017 and email authentication is more important than ever. More and more businesses are using DMARC, and this is a real barrier. Although an SPF pass is enough to pass DMARC, it's risky to implement a strict policy with one of the sources only SPF authenticating, since in most cases this will break if the message gets forwarded, and the message would then be rejected.
Sort it out Shopify. Either give us the ability to send notifications using an SMTP relay instead of Shopify's servers, or allow us to disable Shopify notifications so we can use webhooks and a third party app to send notifications.
I have checked your domain and you have Shopify's SPF record in place. This is all you can do in terms of authenticating notifications sent by Shopify. DKIM is not an option, but absolutely should be.
Out of interest, who is your email provider? You don't have their SPF record included. Perhaps you have DKIM in place for this, but SPF is still good to have as a backup.
We use mailchimp currently. I'm just learning about DKIM and SPF today. Our open rates have been suffering lately, and I'm trying to figure out why. The email verification site that I went to said I have SPF and DKIM, but not DMARC.
I don't even understand how I'm supposed to set up the SPF using shopify.