Shopify expanding into email marketing with new "Shopify Email"

Highlighted
Excursionist
23 0 8

So I just read this: https://news.shopify.com/introducing-shopify-email and see that at least part of the reason why Shopify and Mailchimp broke up was because Shopify was planning to roll out their own email marketing platform.  This seems like a cool idea, and I'm surprised Shopify hasn't done it sooner. 

 

The wide-release is still a couple of months out and details are scarce, but I have huge concerns about this new email marketing platform they want to compete with the likes of Mailchimp.

 

Shopify has made its business around competitive pricing and rich features, but they have what could be accurately best described as a lackadaisical interest in email security. For 7 years Shopify has essentially forced their customers to choose - either implement STANDARD email authentication policies (SPF, DKIM, & DMARC) that help secure all our business email & improve all-around deliverability rates, OR make sure our online stores on Shopify's platform can successfully perform a most basic function (send customers email). 

 

Shopify Manual: https://help.shopify.com/en/manual/intro-to-shopify/initial-setup/setup-business-settings

See the ironical header Customer Email Best Practices:

If you're using an email address that's associated with a custom domain, then check your domain settings or contact your domain provider to make sure that it isn't using DomainKeys Identified Mail (DKIM) validation (which Shopify does not support). Otherwise you might receive Mail Delivery System errors . . . 

Also, Shopify Customer Support in VARIOUS Shopify Community Forum threads suggesting removal of DKIM keys will solve their mail failure woes :

It's Daniel from the Guru Support team here at Shopify :) Thanks for reaching out!

I'd have to advice against turning on the DKIM Authentication purely on the recommendation of our developers, we simply do not support it.

As explained in our documentation we don't support DKIM and as yet, we have no update on any changes to that decision - now, that's not to say it won't change in the future, but at the moment there is no word from our developers that this option is on the cards.  There is no workaround as such.

I'd also check to see if your domain hosts are using DomainKeys Identified Mail (DKIM) validation for email, which Shopify does not support.

I would recommend deleting the DKIM TXT record, as we do not support DKIM at this time. . . . Can you try deleting the DKIM record and trying again?

I'm afraid that if your email provider is using DKIM, then there is no fix for this as Shopify does not support DKIM. . . . As an alternative, perhaps you may like to use another email host, such as . . .

Reach out to GoDaddy's support directly to ensure that they are not using DomainKey Identified Mail (DKIM) validation (which Shopify does not support).

 

I have yet to see anyone from Shopify explain WHY Shopify doesn't support DKIM authentication, or explain WHAT DKIM keys are to the confused customers who ask about email failures.

 

Instead, trusting customers turn to Shopify asking "why is my Shopify store-generated domain email failing?" and Shopify just tells them to remove / disable DKIM keys in their DNS settings and that will fix their problems - which suggests to the customer that whatever this DKIM thing is must not be too important if Shopify doesn't support it and recommends we disable it.

 

I've seen ESPs [Email Service Providers] trying to troubleshoot their customer complaints re: Shopify store-generated email failures -

From EPSs trying to help their customers with Shopify mail failures:

Similarly, please inform Shopify support to configure a valid DKIM for your domain to ensure all emails sent from Shopify are signed with a DKIM signature. Once done, please do monitor the status and write to us for any queries. . . .

and of course, YEARS of complaints (2012 - present day) from Shopify customers who KNOW BETTER than to reduce security on business email:

Shopify is using outmoded (10+ year old) email security practices with SPF, which puts them at serious risk of having email rejected or flagged as spam when sent to customer email inboxes...

To think SPF only is acceptable in 2016 (nearly 2017) is ridiculous. If they can't or won't implement custom DKIM signing, then allow customers to use their own SMTP server. Custom DKIM signing would be better of course. 

The impression I get is that Shopify thinks offering SPF authentication is sufficient. It's not. It's 2017 and email authentication is more important than ever. More and more businesses are using DMARC, and this is a real barrier. Although an SPF pass is enough to pass DMARC, it's risky to implement a strict policy with one of the sources only SPF authenticating, since in most cases this will break if the message gets forwarded, and the message would then be rejected.  Sort it out Shopify. 

Proper SPF and DKIM support must be fixed promptly. If we can't use DMARC to authenticate emails *In Late 2018*, then we'll just migrate all our client sites to BigCommerce. [...]We're deploying DMARC on all client domains in 2019 to employ BIMI for increased customer trust. If Shopify won't allow this to happen easily, we're migrating tenants beginning this January. This is unacceptable after so many years.

DKIM became an Internet Standard in 2011 - https://tools.ietf.org/html/rfc6376. It's now the end of 2019.  It's completely irresponsible for Shopify Support to recommend to their customers (many of which probably have no idea what DKIM is!) to remove it because Shopify doesn't support it. [...] Mimecast's latest quarterly report found a 269 percent increase in BEC [business email compromise] attacks compared to the previous three months, showing the huge spike in such assaults. [...] Shopify should be doing everything possible to not only support all methods of authentication and security but also encourage their customers to use them.

Shopify doesn't support DKIM and, if I understood correctly, that I have to remove DKIM records from the DNS. Is this correct? If yes, won't removing the current DKIM records affect email deliverability when I send emails from that domain using my email client/Fastmail? Of course I want to be able to send emails without any problems and have Shopify also send emails without problems from my domain. Thanks in advance.
[Edit: No customer support response to this very valid question.]

 

Store owners are still being told that there aren't any plans to implement DKIM into Shopify, so if Shopify Email does support email authentication (full DMARC alignment), it better roll out for our stores at the same time. Otherwise, store customers will be outraged that a new (pay-for) service supports something we've been waiting literal YEARS to have implemented.

 

If Shopify Email doesn't support email authentication (full DMARC alignment) right out of the gate, we aren't going anywhere near it, and frankly neither should anyone else.   

1 Like
Excursionist
23 0 8

Oh, I forgot:

 

they [Shopify Developers] have been asked for this protocol [DKIM support] previously - so they are aware it would be very welcomed by merchants, so any voices that get added to the feedback on this feature request can only be a good thing!
~ Shopify Support

 

"I LOVE looking unprofessional and embarrassed when my paid Shopify-hosted store email gets delivered to my customers' SPAM folders!"

"I prefer 10-year-old standards that cyber experts refer to as the bare minimum and inadequate to help secure my domain email and protect my business reputation!"

~ No One, Ever

 

Send a quick email to: Support@Shopify.com to remind them that it's almost 2020 and we're still waiting for the last decade's email security standards. They don't read forum requests.

0 Likes