All things Shopify and commerce
I'd appreciate it if someone at Shopify would respond to this. And please be candid: If I should hire an expert to help me w/DMARC, say so. Don't act like this is no big deal if it's actually a big deal. My Shopify e-commerce site and my related Mailchimp newsletter (both use the same domain to do sends) are my future. If I get this DMARC stuff wrong, it could mean years of work down the drain.
Here are my concerns:
I received an email from Shopify on 12/22/23 saying I need to "add a DMARC record" by 2/1/24 in order to satisfy Google and Yahoo. My fear is that this is not as simple as it sounds.
The Shopify email links to this post on Shopify.
The Shopify post, in turn, links to this Google post.
The information in the Google post is complex. Here are some excerpts from the Google post [bracketed comments are mine]:
"You can receive many DMARC reports every day. [Google say hundreds or even thousands, depending on how may you send. I send 20K+ per day.]. We recommend you create a dedicated mailbox to receive and manage DMARC reports."
"You might use a third-party service [like Shopify, Mailchimp, and/or others] to send mail. Messages sent from third-party email providers for your domain might not pass SPF or DKIM checks. Messages that don't pass these checks are subject to the action defined in your DMARC policy. They could be sent to spam, or rejected. To help ensure messages sent by third-party providers are authenticated, contact your third-party provider to make sure DKIM is correctly set up and make sure the provider’s envelope sender domain matches your domain. Add the IP address of the provider’s sending mail servers to the SPF record for your domain."
And then there are the actual instructions from Google for setting up a DMARC record, which (again) are complicated. Here is a sample DMARC record:
v=DMARC1; p=reject; rua=mailto:postmaster@solarmora.com, mailto:dmarc@solarmora.com; pct=100; adkim=s; aspf=s.
There's a separate Google post on what each piece of that record means -- plus advice to "phase-in" your DMARC rollout per a separate Google tutorial.
My concern here is that the Shopify email kinda sounds like this is simple...just add DMARC. But it does not sound simple to me. It sounds like a very big deal.
That said, I called GoDaddy (my domain host)...and after putting me on hold for a while, they came back and said, "Done." I was like, "What? What did you do?" I looked at the code they added to my DNS. It looks nothing like the sample DMARC record in bullet #4, above.
So now I'm wondering:
FYI: My newsletter is my livelihood. I don't think I'm overthinking it. I think my concerns are legit -- and I think other Shopify customers may be concerned as well.
For Shopify, the required DKIM and SPF records are part of the 4 CNAME records we provide as part of your authentication step. More information on setting this up is available for you here: https://help.shopify.com/en/manual/intro-to-shopify/initial-setup/setup-your-email#authenticate
@juenology Shopify said the deadline was Feb 1, but (just another in the long list of bad surprises from Shopify) they replaced our domain authenticated "from" address today, Jan 24, instead of sticking to the the Feb 1 deadline they've been telling us and everybody. So now we're scrambling to add DMARC (which can't be done before 48+ hours verifying DKIM and SPF...).
Another unsurprising bad surprise from Shopify: support pages on this are lacking, to say the least, and chatting with "support" is only fruitless and frustrating.
Can someone from Shopify confirm that this is what we need to include in SPF record in order to be able to send emails from our already authenticated domain in shopify as well as thru GoogleWorkspace?
v=spf1 include:_spf.google.com include:shops.shopify.com ~all
https://community.shopify.com/c/announcements/google-and-yahoo-new-email-deliverability-requirements...
What if I don’t use a third party email host? I have had my website on Shopify for 3 years now and have always used Shopify email without any issues. Now that this change has been implemented, my sender email address is just a bunch of numbers? And it now goes into the spam folder, which I thought this change was to prevent emails going into spam. So now it is worse than ever before! Can someone guide this computer illiterate?
just follow this guide - https://www.youtube.com/watch?v=g9tR4ONgqgg
I appreciate your response but I still don’t see how this helps me since I don’t use a third party email host?
@Mattisse99 can you describe your current setup with email? The reason for the change is that we've had to modify our sending practices so that all of our senders comply with the new Gmail requirements. What would be helpful for me to be able to troubleshoot your setup would be:
If your answer to all 3 questions above is yes, please reach out to support as your shop may be experiencing a unique technical error and my team will be able to investigate this for you.
Thank you for your response.
My domain was purchased and is maintained by Shopify, so my answers to your 2nd and 3rd question is no.
what I have been able to do is change the domain name to include info@ for the forwarding email, which has removed the numbers for my sender email address and it is now info@thebagmakersworkshop.com
I am hoping this will work and I don’t need to do anything else. The hard part is, all the emails that will go out to my customers will now go in their spam folder. I tested this today, sending myself an email and it went to my spam folder. Once I added the new email address to my contacts, it came to my inbox when I sent a second test email,.
That's a great start to the year. We're based in Australia and today is the first time I received an email from Shopify about this! Leaving us 2 weeks to figure this mess out. Half of the links in their info email can't be found and end up on the generic shopify help center page. And they make it sound SO COMPLICATED. Like, what are we paying them for?! Don't the have resources to put one off their staff to it to make an easy to follow video that we can tag along??!!! To me it looks like they don't know how to set it up themselves.
Hi Outofdarkness! If you purchased your domain through Shopify, you should not have received an email about needing to make any changes since we will be handling all the required changes on your behalf before Gmail and Yahoo's February 1, 2024 deadline. Please let us know if this is not the case.
Make sure to verify yourself.
We made a tutorial at https://www.youtube.com/watch?v=g9tR4ONgqgg
Once you follow all steps at miute 9:57 you will see how to verify yourself. (note there is another verification on dmarc earlier in the video)
In my case everything is setup and verified that is working correctly, mails are getting through, verification shows correct. However, In the reports I get spf fail entries. Tracing the IPs from the request, they all point to mailer.shopify.com. I wasn't sure if I need to update my domain spf record to add that url. Shopify support was useless - they didn't even knew the difference between dmarc and spf. My email was setup via godaddy and microsoft, so in the spf record I only had the microsoft server entry. Do you kno if I should add the "mailer.shopify.com"? Shopify suggested to add shops.shopify.com, but that did not fix the spf fail in the reports.
149.72.122.254 points to o33.mailer.shopify.com
commenting to try to boost this -- about to face the same issue
shopify, are you listening at all? support pages and support staff are woefully inadequate (again)...not to mention that you didn't even stick to the Feb 1 deadline you told us but instead stopped sending shopify emails from our already-authenticated domain on Jan 24
Hi SGM411, thank you for reaching out. Do you have a DMARC policy in place yet? If you've authenticated and have a DMARC policy in place, you should have not experienced any changes to how your emails are being sent out. None of our merchants should be experiencing emails not being sent from our platform under any circumstance. I can look into your shop specifically if you can share the `Primary for Online Store` domain listed under /settings/domains.
- Jan 23: our customers getting confirmation emails from ourname@ourdomain.com
- starting Jan 24 (we made zero changes on our end): our customers getting confirmation emails from store@shopifyemail.com
- so much for telling us Feb 1 was the deadline when y'all actually flipped the switch without telling us or giving us any warning on Jan 24...
chatting with support is a total waste of time
can't find anywhere published on shopify support pages where shopify admits they only support 1024 DKIM
can't even get a straight answer on shopify SFP record...what is it?
p.s. advising folks that either SPF or DKIM is irresponsible and it also doesn't follow any of the outside-source support links that shopify's support pages link to
Thanks for responding. Can you confirm that:
One of those 4 CNAME records we ask you to input will create a subdomain such as mailer123.yourdomain.com and we manage the SPF record on that so it passes the DMARC policy you set for yourdomain.com. So no additional SPF record needs to be setup or managed for yourdomain.com unless your other email providers (i.e. Klayvio, Google Workspace, etc.) require that you do.
1. Yes, authentication was already successful and in place prior to shopify "flipping the switch" on Jan 24 instead of Feb 1 like they had told us (see our prior messages about how shopify started sending from store@shopifyemail.com on Jan 24 even though we had our own email in place w/successful authentication and it had been working perfectly up until Jan 24...when shopify pulled the rug out from under us with zero notice...shopify had been telling us feb 1 was the deadline but apparently y'all did it on Jan 24 as another "surprise" update without telling us, your paying customers, and leaving us over a barrel...still haven't gotten any explanation let alone apology and especially recompense for this...totaly fail, shopify...total fail
2. we've got everything in place to deploy our DMARC ***EXCEPT*** for shopify's spf record -- can't get a straight answer form support and even shopify's comments here in community are contradicting and misleading. Is shopify's SPF record mailer.shopify.com or spf.constantcontact.com or both...and/or additional IP addresses? We're guessing y'all are still guessing...telling folks one thing and then when that doesn't work or doesn't work completely, adding more (but in the meantime, leaving customers in lurch yet again while we search for answers). Super disappointed in shopify's support pages and support staff chat on all this -- definitely shows shopify not ready and using customers as guinea pigs (yet again). Will you answer our question about SPF and also update your support pages with this info?
Thanks for the update. As previously mentioned to address your question about SPF:
One of those 4 CNAME records we ask you to input will create a subdomain such as mailer123.yourdomain.com and we manage the SPF record on that so it passes the DMARC policy you set for yourdomain.com. So no additional SPF record needs to be setup or managed for yourdomain.com unless your other email providers (i.e. Klayvio, Google Workspace, etc.) require that you do.
Meaning since you've successfully authenticated through us, you have the correct SPF record needed to deploy your DMARC. So to clarify, there is no Shopify SPF record since we created a unique subdomain on your domain and manage the SPF record for that subdomain.
Hope this helps.
Hi! For your emails to pass your DMARC policy, only SPF or DKIM needs to pass. Having said that, we should be passing both. On initial read, it looks like this may possibly be an issue with with the reporting you're receiving, but I'd want to rule that out and I am happy to troubleshoot this with you. If you've setup our authentication records, the SPF check should be on a unique subdomain of your domain (will look something like mailerxyz.yourdomain.com) that we've created and managed, that should be counting towards passing your DMARC policy.
Can you let me know which mail provider you are using to send yourself test emails (i.e. are you sending test emails to a Gmail account? Outlook account?)? Asking so that I can walk you through examining the live email headers to see if they are passing or failing your DMARC policy.
"For your emails to pass your DMARC policy, only SPF or DKIM needs to pass"
Not entirely true. If the dkim/spf sre set to strict.
my dmarc is
_dmacr: v=DMARC1;p=none;sp=none;pct=100;rua=mailto:<my shop email>;ruf=mailto:<my shop email>;ri=86400;aspf=s;adkim=s;fo=1
My domain is hosted in godaddy and the email is setup via them in Microsoft. I have all the required related entries in the DNS.
I'm able to send test mails from shopify to my personal gmail account via the portal.
Examining the received mail I see all is passing, dkim, spf, dmarc.
I have a CNAME that is auto set from shopify to
Name: mailer1ud
Value: <some random numbers>.p112.email.myshopify.com
Im also able to send mails directly from my email hosted in Microsoft, for which the report shows correct pass of the spf
149.72.122.254 points to o33.mailer.shopify.com
So yesterday I added the `mailer.shopify.com` to the spf record to check if that would fix it.
v=spf1 include:secureserver.net include:mailer.shopify.com -all
Thank you for sharing this. Glad to see that in your tests that everything seems to be passing when you check the headers. Mailbox providers check the SPF record against the Return-Path domain, not the sending IP. However, if it's important for you that the reports are showing a pass (will not have any impact to your actual email deliverability), you may be able to achieve that by added include:sendgrid.net (instead of include:mailer.shopify.com). Let me know if that works!
Both sendgrid.net and mailer.shopify.com have the same spf records.
I'm surprised that the support did not know anything about what is the correct spf record. They even suggested to remove the entire record, which is wrong and could cause issues.
are you sure that you verified the records in shopify. coming from mailer shopify is usually a sign that dns was not setup and that domain was not authenticated?
The domain ins authenticated. I see this in my shopify Notification settings under my shop's email.
Also I'm able to send test emails from shopify to my gmail and the mail has the below. The send is shown correctly as my shop eimal.
yes that looks good. instead of a test email, if you go to website and reset password do you also get it sent from mailer shopify? also, can you double check that your from email address in shopify settings -> notifications -> from is the same domain as what you worked on for dns?
I went through customers section in the notifications and sent emails to my test emails and they are from the correct sender email that is shown in the settings -> notifications -> Sender email.
It is still puzzling why the spf report records show fail, but the spf in the actual email shows success.
the main site emails are what is important. if ONLY you get mailer shopify from the "test" notifications preview emails, then you should be good.
Unfortunately, there is no way to verify from the report which is the target mail nor the send details.
Looks like adding the `mailer.shopify.com` to the spf did not work. The spf verification still fails for the mailer.shopify.com sender in the <row> section.
However, the spf in the auth section pass.
These is an email sent to a customer from shopify on order complete event
<record>
<row>
<source_ip>149.72.49.200</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from><mydomain name omitted>.com</header_from>
</identifiers>
<auth_results>
<dkim>
<domain><mydomain name omitted>.com</domain>
<result>pass</result>
<selector>1ud</selector>
</dkim>
<dkim>
<domain>sendgrid.info</domain>
<result>pass</result>
<selector>smtpapi</selector>
</dkim>
<spf>
<domain>mailer1ud.<mydomain name omitted>.com</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
This is a one send directly from my mail that is hosted in MS, where the spf pass in both the row and auth sections.
<record>
<row>
<source_ip>2a01:111:f403:2412::600</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>pass</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from><domain name omitted>.com</header_from>
</identifiers>
<auth_results>
<dkim>
<domain><domain name omitted>.com</domain>
<result>pass</result>
<selector>selector1</selector>
</dkim>
<spf>
<domain><domain name omitted>.com</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
I have this in my DNS in the domain - CNAME mailer1ud, value <some random numbers>.p112.email.myshopify.com
and the mail has @mailer1ud.<mydomain name>.com when I do show original.
found the sender of the mail to be
Received: from o11.mailer.shopify.com (o11.mailer.shopify.com. [149.72.235.154])
So I think its safe to say the mailer.shopify.com should be in the spf record
@juenology @onescales I figured out the issue.
The spf policy in DMARC record is set to strict - aspf=s. Thus the identifier header and the spf domain should match for the spf policy to pass.
Looking at the DMARC records, my identifier is <mydomain>.com, while the spf domain is mailer1ud.<mydomain>.com. Thus the failure of the spf policy.
References:
amazon web services - Why does spf fail in DMARC report from Google? - Server Fault
@juenology is there a way for the MailFrom Domain to match the Header From Domain?
Coz all mails sent from shopify have the
MailFrom Domain: mailer1ud.<mydomain>.com
Header From Domain:<mydomain>.com
Meaning we can't use aspf=s, but only aspf=r in the DMACR record.
I spent 3h with the GoDaddy support and they say its not possible on their end. Took them 2h to understand the issue. Support is getting rly bad these days.
Imo, all these things needs to be documented by shopify, instead of everyone figuring it out their own.
Thanks for the update on your aspf=s policy setting. Unfortunately with our current infrastructure there is no way for us to set the MailFrom to match the Header From, so you will need to relax that DMARC setting for branded emails to be deployed from Shopify.
It is complicated and I had my IT guy do it for that very reason. First we couldn't send out any emails, he fixed that issue and now we are receiving duplicate sales emails. This is a BIG DEAL and when it results in issues, all of us "non tech" people feel very frustrated. So I agree, SHOPIFY, admit this is a bigger deal and then help everyone with it! Good luck LitnutsMO. I hope you have a smoother experience.
I just got DMARC set up on our Namecheap domain. It was a straightforward process:
1. Login to the main dashboard
2. Click the Manage button next to the domain
3. Click on the Advanced DNS tab
4. At the bottom of the records list, click on + Add new record
5. From the popup, scroll down and select TXT Record
6. Fill in the new form on the right with these exact files
_dmarc
v=DMARC1; p=none;
7. Click on the ✅
From there, you can verify that things are working properly by sending a test email from the Shopify admin. In Gmail, you can click <> Show original on the email, and you should see something like this, confirming that it all works:
I have a really basic question regarding this
if the record is
Name of TXT record = _dmarc.YOURDOMAINGOESHERE.com
Value of TXT record = v=DMARC1; p=none; rua=mailto:YOUR@EMAILGOES.HERE
Do we need to repeat it for every email used on the domain?
I had to be the one to say it... but chatgpt helped me out when ALL other customer service reps either didn't know what they were talking about or simply couldn't be bothered.
Check to make sure all it workign with
Dmarc - https://dmarcian.com/dmarc-inspector/
Dkim - https://dmarcian.com/dkim-inspector/
SPF - https://dmarcian.com/spf-survey/
Considering how worrying this is so close to the 1st of Feb... very very weak effort from shopify interms of support.
Also if your using klayivo make sure to follow their setup instructions ; https://academy.klaviyo.com/2024-new-sender-requirements-checklist/1817230
Thanks & hope this helps
I was able to set up our primary domain, but does anyone know if we need to do anything with the subdomain?
For example, our primary domain is xyz@company.com for our DTC store, and we have wholesale.xyz@company.com for B2B store. We are using Klaviyo for both stores. For the subdomain, I'm having an issue with the verification on Klaviyo. When I try to add a CNAME Record, this error shows up: "Unique signature error, a record with this value already exists and Name must be unique for non MX records" - I've already added the same value and Name when I set up for our primary domain, so that's causing an issue. I've reached out to Klaviyo and they escalated my case to the Deliverability and Compliance specialist team. (I'm honestly surprised that they didn't have an answer for this...) I haven't heard back from them yet 😞
do you mean the email wholesale@xyz.company.com?
also because you have a subdomain, make sure that your add to your dmarc the sp= to specify rules for subdomains
For DMARC, subdomains will inherit the DMARC policy for the primary domain if no sp= values are specified. So no action is required unless you'd like different DMARC settings for your subdomains.
Our agency EcomBack has created an easy step-by-step guide to creating and verifying DMARC and SFP records for Shopify and integration with Klaviyo as well as tips on making email content accessible https://www.ecomback.com/blogs/easy-steps-to-enhance-email-security-with-spf-dmarc-and-dkim-records
Great News for GoDaddy email customers. They will backout the Microsoft security upgrade.
Just call the help line; 480-505-8877. Press '1' for help on recent Microsoft email change.
I had to wait 30 minutes, but it is worth it!
Once I got help, it took about another 30 minutes for them to do the changes.
End result is they back out the Microsoft upgrade.
They have to change DNS records, and there are many.
For each record they change they send a security code you need to provide, so be patient. I needed to provide ~8 codes.
But...our email account is reverted back to before this change. No more ProofPoint!!!
It can take up to 24 hours to roll out these changes, but definitely worth it.
Microsoft is aware how upset users are about it.
I would think most email providers might offer this...so worth making an inquiry.
The year-end shopping spree is around the corner! Is your online store ready for the ...
By JasonH Nov 10, 2024We recently spoke with Zopi developers @Zopi about how dropshipping businesses can enha...
By JasonH Oct 23, 2024A big shout out to all of the merchants who participated in our AMA with 2H Media: Holi...
By Jacqui Oct 21, 2024