Google apps + DKIM + shopify

Jason_Gordon1
Tourist
12 0 3

Has anyone using Google Apps for email successfully turned on DKIM Authentication in the  Google Apps Admin panel and had everything go smoothly?  Shopify in their documentation says their service is not compatible with DKIM but as far as I can tell you should be able to use DKIM auth as long as you dont have a DMARC policy of p=reject.

Can anyone shed some light?

Thanks

Jason

Replies 47 (47)
Cookies
Excursionist
19 0 30

@Sebastian_Young thanks for your efforts with this. I have one shop that is fine right now, yet I have other shops where this is still broken.

Sebastian_Young
Pathfinder
88 4 33

Hi @Cookies, I have asked what the issue was and will see if I get a meaningful reply!

Sebastian_Young
Pathfinder
88 4 33

Hi @Cookies, I had a response. I was told the issue was that they made a configuration change for BFCM to alleviate the load on the servers that consequently affected stores with DKIM setup. This is now been sorted so in theory all your stores should be working again.

Sebastian_Young
Pathfinder
88 4 33

I noticed through our DMARC reporting that a small number of messages were still being signed by shopify.com. I contacted support again and it turns out these are account invitations, password resets, etc. These types of notifications are on a different infrastructure that hasn't been migrated to support custom DKIM yet. Support said that it will be migrated, but they couldn't provide a date. I tested this myself by sending test notifications and indeed it seems to be the case. I just thought I'd mention it on this thread in case anyone else wonders. So it's SPF authentication only for these messages for the time being, but given the small number, it's not a major issue, even with a reject DMARC policy.

rcvwines
New Member
2 0 0

This is still busted. I was able to escalate it pretty far today. It sounded like they were finally going to investigate it once I showed them how easy it was to spoof email from their customers domains with missing DKIM and DMARC TXT records. 

Sebastian_Young
Pathfinder
88 4 33

Hi @rcvwines, what issues are you seeing? Could you provide some further information?

SageAdvice
New Member
1 0 0

We're having issues with this now too.

We're getting DMARC reports that say pass for both SPF and DKIM but I just heard from someone their order confirmation email ended up in spam and they have a gmail address.

Not totally sure if this is correct but it seems Shopify does not send all mail from their own mail domain, some of it goes out via sendgrid.

My understanding then is if Shopify is doing this then we need SPF and DKIM for both Shopify and sendgrid.

I will say we went the extra step and added entries for the known sendgrid servers (sendgrid.info) to our SPF records.  Reason for this was Shopify SPF chain did not include any Sendgrid server addresses.

Not to be overly harsh but Shopify chat support seems to be clueless when you bring up the words SPF, DKIM, and DMARC.  As an educated individual I expect to be able to have an intelligent conversation about a technical topic with support for a technical system they are supposed to be supporting, just saying.

Sebastian_Young
Pathfinder
88 4 33

Hi @SageAdvice,

I would suggest sending yourself one of the email templates as a test and reviewing the SPF/DKIM information. Chances are it's just ended up in spam for an unrelated reason and all is good on this front.

My understanding of how the 'new' setup works is that the old SPF record, shops.shopify.com, is redundant once you've authenticated your domain. The new infrastructure is built around SendGrid. When you send yourself a test email from Shopify, you should notice that the return-path is something like mailerx1y.yourdomain.com (not yourdomain.com anymore, so the shops.shopify.com must be redundant). If you do an SPF lookup for this mailerx1y.yourdomain.com, you'll see that the SPF record is:

v=spf1 include:sendgrid.net ~all

So I would say all is good with Shopify's setup. Yes, their support won't have a clue, but I guess this is quite technical.