Google apps + DKIM + shopify

Highlighted
Highlighted
Shopify Partner
4 0 8

Proper SPF and DKIM support must be fixed promptly. If we can't use DMARC to authenticate emails *In Late 2018*, then we'll just migrate all our client sites to BigCommerce. We're a trusted advisor and our clients will jump when we say jump.

We're deploying DMARC on all client domains in 2019 to employ BIMI for increased customer trust. If Shopify won't allow this to happen easily, we're migrating tenants beginning this January. This is unacceptable after so many years.

You won't support headless deployments, you don't work properly with WordPress, you won't work decoupled for advanced front ends... Come on Shopify. Keep up with the times or we're hiring somebody else ASAP. 

4 Likes
Highlighted
New Member
1 0 1

Bump.  Shopify, get it together.  We'll be moving our sites away to another provider on March 1, 2019 if we dont havev DKIM support by then.

1 Like
Highlighted
Excursionist
21 0 16

Pretty sure you’re going to be moving then, I can’t see them ever implementing this to be honest. It was a good step that they sorted all their other mailstreams out, but they need to support customer DKIM for customers. I’m just not sure they ‘get it’.

1 Like
Highlighted
New Member
2 0 0

I have had a chat with Shopify Support and this is what I received as a response:

So from what we are gathering, you should be okay to use the DKIM and I do agree with the documention could possibly be misunderstood. I am going to follow through to ensure that the documentation is updated to be more clear and if I find out any other info, I'll be sure to follow up with you via email.

I also have a question regarding the SPF settings. According to https://help.shopify.com/en/manual/intro-to-shopify/initial-setup/setup-business-settings#customer-e... this is the correct SPF record for Shopify: v=spf1 include:shops.shopify.com ~all

However, if I check the SPF settings (e.g. via https://toolbox.googleapps.com/apps/checkmx/) there are no IPs returned for the SPF records of shops.shopify.com. Looks like Shopify doens't keep their own SPF records updated. Or am I missing something?

0 Likes
Highlighted
New Member
2 0 0

Regarding DKIM: I have talked to Shopify Support and they came back with the following advice which supports what Sebastian is saying:

So from what we are gathering, you should be okay to use the DKIM and I do agree with the documention could possibly be misunderstood. I am going to follow through to ensure that the documentation is updated to be more clear and if I find out any other info, I'll be sure to follow up with you via email.

I also have a question regarding the SPF record. According to https://help.shopify.com/en/manual/intro-to-shopify/initial-setup/setup-business-settings#customer-e... this is the correct SPF record to use: v=spf1 include:shops.shopify.com ~all

However, if I check the SPF settings (e.g. via https://toolbox.googleapps.com/apps/checkmx/) no are IPs are returned for the SPF records of shops.shopify.com. Looks like Shopify doens't keep their own SPF records updated. Or am I missing something?

 

0 Likes
Highlighted
Excursionist
24 0 24

DKIM became an Internet Standard in 2011 - https://tools.ietf.org/html/rfc6376. It's now the end of 2019.  It's completely irresponsible for Shopify Support to recommend to their customers (many of which probably have no idea what DKIM is!) to remove it because Shopify doesn't support it. 

 

Why email attacks should be your number one security concern (https://www.techradar.com/news/why-email-attacks-should-be-your-number-one-security-concern):

Mimecast's latest quarterly report found a 269 percent increase in BEC [business email compromise] attacks compared to the previous three months, showing the huge spike in such assaults.

However BEC attacks are not the only method cybercriminals have been successfully leveraging to target organisations. Mimecast's findings collated 28,783,892 spam emails, 28,808 malware attachments and 28,726 dangerous files types throughout the quarter, all of which were missed by current security protection tools and delivered to users’ inboxes.

This was equivalent to an overall false negative rate of 11 percent of inspected emails, highlighting the urgent need for companies to up their email security immediately.

The real issue is that there are tens of thousands email-borne threats successfully able to bypass the email security systems that organisations’ have in place, effectively leaving them vulnerable and putting a lot of pressure on their employees to discern malicious emails,” said Joshua Douglas, vice president of threat intelligence at Mimecast. 

Instead, as one of the top three biggest e-commerce platforms in the world, Shopify should be doing everything possible to not only support all methods of authentication and security but also encourage their customers to use them. It only adds an extra layer of protection for Shopify's subscribers, as well as our customers who shop with us.

0 Likes
Highlighted
Excursionist
24 0 24

Follow-up: I reached out to Shopify regarding this issue and received this reply:

 

As explained in our documentation we don't support DKIM and as yet, we have no update on any changes to that decision - now, that's not to say it won't change in the future, but at the moment there is no word from our developers that this option is on the cards.

There is no workaround as such - you can really only work with the information provided inour informationfromthis documenton working with emails and best practice. As you can find in this link, we encourage the use of an SPF record, which will help ensure the legitimacy and deliverability of emails sent.

Whilst I realise this is not an ideal response, I have forwarded your request onto our development team - they have been asked for this protocol previously - so they are aware it would be very welcomed by merchants, so any voices that get added to the feedback on this feature request can only be a good thing!

Obviously if this is a future function we are able to support, this would be enabled across the platform, but as things stand at the moment, you would be best to look at using an alternative email option as DKIM is not supported.

 

So basically after all these years, they still have no plans to offer DKIM Support. If you want it, you need to send feedback to Support@Shopify.com to demand they stop telling us to lower our standards to meet their paltry level of email security.

3 Likes
Highlighted
New Member
1 0 0

It's 2020 and I Found a solution! A bad solution!

 

... you can send emails from shopify.com. They are DKIM signed and the spf is set.

 

I don't think it's possible to tell DMARC that shopify.com's signature is okay with you. That means it's almost trivial for shopify to support the feature... just change header.d to our domain and tell us to add this to our domain:

 
mail._domainkey.shopify.com. 2489 IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6FVv1tmxOilnHUpvqpf4jlVcidUZL9A9NmMvzBifAtmn8QxlfvyrI8aQ+5T7eQVJGWeL/9stWhKhKZbXLkH6GIudAbe2u8e3cSpfHZN5kvDqiDL7w6Kj+aWOEQX6w0Prt6lWdgz9W8vdD7TCfXH3BrROh05qX0YP3yVwYXRqpIQIDAQAB"
0 Likes
Highlighted
New Member
1 0 0

Hey, is this solution working well with you. After i have added DKIM of zoho and mailchimp, shopify email are ending up in spam.

0 Likes