Re: DMARC is complicated...or is it just me?

Is DMARC record really as simple as it sounds?

LitnutsMO
Excursionist
14 0 15

I'd appreciate it if someone at Shopify would respond to this. And please be candid: If I should hire an expert to help me w/DMARC, say so. Don't act like this is no big deal if it's actually a big deal. My Shopify e-commerce site and my related Mailchimp newsletter (both use the same domain to do sends) are my future. If I get this DMARC stuff wrong, it could mean years of work down the drain.

 

Here are my concerns: 

 

I received an email from Shopify on 12/22/23 saying I need to "add a DMARC record" by 2/1/24 in order to satisfy Google and Yahoo. My fear is that this is not as simple as it sounds.

 

The Shopify email links to this post on Shopify.

 

The Shopify post, in turn, links to this Google post.

 

The information in the Google post is complex. Here are some excerpts from the Google post [bracketed comments are mine]: 

  1. "Configure DKIM and SPF before configuring DMARC. If you don't set up SPF and DKIM before enabling DMARC, messages sent from your domain will probably have delivery issues." [The Shopify post says nothing about DKIM and SPF.]
  2. "You can receive many DMARC reports every day. [Google says hundreds or even thousands, depending on how many you send. I send 20K+ per day.] We recommend you create a dedicated mailbox to receive and manage DMARC reports."

  3. "You might use a third-party service [like Shopify, Mailchimp, and/or others] to send mail. Messages sent from third-party email providers for your domain might not pass SPF or DKIM checks. Messages that don't pass these checks are subject to the action defined in your DMARC policy. They could be sent to spam, or rejected. To help ensure messages sent by third-party providers are authenticated, contact your third-party provider to make sure DKIM is correctly set up and make sure the provider’s envelope sender domain matches your domain. Add the IP address of the provider’s sending mail servers to the SPF record for your domain." 

  4. And then there are the actual instructions from Google for setting up a DMARC record, which (again) are complicated. Here is a sample DMARC record:

v=DMARC1; p=reject; rua=mailto:postmaster@solarmora.com, mailto:dmarc@solarmora.com; pct=100; adkim=s; aspf=s.

 

There's a separate Google post on what each piece of that record means -- plus advice to "phase-in" your DMARC rollout per a separate Google tutorial.

 

My concern here is that the Shopify email kinda sounds like this is simple...just add DMARC. But it does not sound simple to me. It sounds like a very big deal. 

 

That said, I called GoDaddy (my domain host)...and after putting me on hold for a while, they came back and said, "Done." I was like, "What? What did you do?" I looked at the code they added to my DNS. It looks nothing like the sample DMARC record in bullet #4, above.

 

So now I'm wondering:

  1. Do I trust GoDaddy when they say I'm "good to go"?
  2. Will these changes have any impact on the newsletter sends I do via Mailchimp, which is the core of my business?
  3. Should I hire an expert? (Search for DMARC consultants...there are TONS of them...and most charge a monthly fee.)
  4. Did Shopify make this sound overly simplistic in their email, or am I just way overthinking this?

FYI: My newsletter is my livelihood. I don't think I'm overthinking it. I think my concerns are legit -- and I think other Shopify customers may be concerned as well. 

SGM411
Excursionist
29 0 19

@juenology Shopify said the deadline was Feb 1, but (just another in the long list of bad surprises from Shopify) they replaced our domain authenticated "from" address today, Jan 24, instead of sticking to the Feb 1 deadline they've been telling us and everybody. So now we're scrambling to add DMARC (which can't be done before 48+ hours verifying DKIM and SPF...).

Another unsurprising bad surprise from Shopify: support pages on this are lacking, to say the least, and chatting with "support" is only fruitless and frustrating.

Can someone from Shopify confirm that this is what we need to include in SPF record in order to be able to send emails from our already authenticated domain in shopify as well as thru GoogleWorkspace?

v=spf1 include:_spf.google.com include:shops.shopify.com ~all

https://community.shopify.com/c/announcements/google-and-yahoo-new-email-deliverability-requirements...

Mattisse99
Tourist
10 0 3

What if I don’t use a third party email host? I have had my website on Shopify for 3 years now and have always used Shopify email without any issues. Now that this change has been implemented, my sender email address is just a bunch of numbers? And it now goes into the spam folder, which I thought this change was to prevent emails going into spam. So now it is worse than ever before! Can someone guide this computer illiterate?

onescales
Shopify Partner
58 2 11

just follow this guide - https://www.youtube.com/watch?v=g9tR4ONgqgg

OneScales.com Teaches Shopify and Solves Ecommerce Problems for Free. We Also Share Insight about E-commerce, Web, Tech, AI, Analytics, SEO, PPC, Marketing and More.
Mattisse99
Tourist
10 0 3

I appreciate your response but I still don’t see how this helps me since I don’t use a third party email host?

juenology
Shopify Staff
28 1 13

@Mattisse99 can you describe your current setup with email? The reason for the change is that we've had to modify our sending practices so that all of our senders comply with the new Gmail requirements. What would be helpful for me to be able to troubleshoot your setup would be:

  1. Is the domain for your Sender email hosted with a 3rd party (i.e. GoDaddy, etc.)? 
  2. If your domain is hosted on a 3rd party provider, were you able to setup the required 4 CNAME records we provided you?
  3. If your domain is hosted on a 3rd party provider, does it have a DMARC policy?

If your answer to all 3 questions above is yes, please reach out to support as your shop may be experiencing a unique technical error and my team will be able to investigate this for you.

Mattisse99
Tourist
10 0 3

Thank you for your response.

My domain was purchased and is maintained by Shopify, so my answers to your 2nd and 3rd questions are no.

What I have been able to do is change the domain name to include info@ for the forwarding email, which has removed the numbers for my sender email address and it is now info@thebagmakersworkshop.com

I am hoping this will work and I don’t need to do anything else. The hard part is, all the emails that will go out to my customers will now go in their spam folder. I tested this today, sending myself an email and it went to my spam folder. Once I added the new email address to my contacts, it came to my inbox when I sent a second test email.

 

marvic
Explorer
63 4 16

That's a great start to the year. We're based in Australia and today is the first time I received an email from Shopify about this! Leaving us 2 weeks to figure this mess out. Half of the links in their info email can't be found and end up on the generic Shopify help center page. And they make it sound SO COMPLICATED. Like, what are we paying them for?! Don't they have resources to put one of their staff on it to make an easy to follow video that we can tag along??!!! To me it looks like they don't know how to set it up themselves.

juenology
Shopify Staff
28 1 13

Hi Outofdarkness! If you purchased your domain through Shopify, you should not have received an email about needing to make any changes since we will be handling all the required changes on your behalf before Gmail and Yahoo's February 1, 2024 deadline. Please let us know if this is not the case.

onescales
Shopify Partner
58 2 11

Make sure to verify yourself. 

We made a tutorial at https://www.youtube.com/watch?v=g9tR4ONgqgg

Once you follow all steps, at minute 9:57 you will see how to verify yourself. (Note there is another verification on DMARC earlier in the video.)

VandalBee
Excursionist
11 0 3

In my case everything is set up and verified that it is working correctly, mails are getting through, verification shows correct. However, in the reports I get SPF fail entries. Tracing the IPs from the request, they all point to mailer.shopify.com. I wasn't sure if I need to update my domain SPF record to add that URL. Shopify support was useless - they didn't even know the difference between DMARC and SPF. My email was set up via GoDaddy and Microsoft, so in the SPF record I only had the Microsoft server entry. Do you know if I should add the "mailer.shopify.com"? Shopify suggested to add shops.shopify.com, but that did not fix the SPF fail in the reports.

 

<row>
<source_ip>149.72.122.254</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>


149.72.122.254 points to o33.mailer.shopify.com

SGM411
Excursionist
29 0 19

commenting to try to boost this -- about to face the same issue

shopify, are you listening at all? support pages and support staff are woefully inadequate (again)...not to mention that you didn't even stick to the Feb 1 deadline you told us but instead stopped sending shopify emails from our already-authenticated domain on Jan 24

juenology
Shopify Staff
28 1 13

Hi SGM411, thank you for reaching out. Do you have a DMARC policy in place yet? If you've authenticated and have a DMARC policy in place, you should have not experienced any changes to how your emails are being sent out. None of our merchants should be experiencing emails not being sent from our platform under any circumstance. I can look into your shop specifically if you can share the `Primary for Online Store` domain listed under /settings/domains.

SGM411
Excursionist
29 0 19

- Jan 23: our customers getting confirmation emails from ourname@ourdomain.com 
- starting Jan 24 (we made zero changes on our end): our customers getting confirmation emails from store@shopifyemail.com 
- so much for telling us Feb 1 was the deadline when y'all actually flipped the switch without telling us or giving us any warning on Jan 24...

chatting with support is a total waste of time

can't find anywhere published on shopify support pages where shopify admits they only support 1024 DKIM

can't even get a straight answer on shopify SPF record...what is it?

p.s. advising folks that either SPF or DKIM is irresponsible and it also doesn't follow any of the outside-source support links that shopify's support pages link to

juenology
Shopify Staff
28 1 13

Thanks for responding. Can you confirm that:

  1. You've setup the requested authentication records (the 4 CNAME records)
  2. That there is a DMARC policy that passes verification checks (i.e. check your DMARC record using a free tool) on yourdomain.com 

One of those 4 CNAME records we ask you to input will create a subdomain such as mailer123.yourdomain.com and we manage the SPF record on that so it passes the DMARC policy you set for yourdomain.com. So no additional SPF record needs to be set up or managed for yourdomain.com unless your other email providers (i.e. Klaviyo, Google Workspace, etc.) require that you do.

SGM411
Excursionist
29 0 19

1. Yes, authentication was already successful and in place prior to shopify "flipping the switch" on Jan 24 instead of Feb 1 like they had told us (see our prior messages about how shopify started sending from store@shopifyemail.com on Jan 24 even though we had our own email in place w/successful authentication and it had been working perfectly up until Jan 24...when shopify pulled the rug out from under us with zero notice...shopify had been telling us feb 1 was the deadline but apparently y'all did it on Jan 24 as another "surprise" update without telling us, your paying customers, and leaving us over a barrel...still haven't gotten any explanation let alone apology and especially recompense for this...total fail, shopify...total fail

2. we've got everything in place to deploy our DMARC ***EXCEPT*** for shopify's spf record -- can't get a straight answer from support and even shopify's comments here in community are contradicting and misleading. Is shopify's SPF record mailer.shopify.com or spf.constantcontact.com or both...and/or additional IP addresses? We're guessing y'all are still guessing...telling folks one thing and then when that doesn't work or doesn't work completely, adding more (but in the meantime, leaving customers in lurch yet again while we search for answers). Super disappointed in shopify's support pages and support staff chat on all this -- definitely shows shopify not ready and using customers as guinea pigs (yet again). Will you answer our question about SPF and also update your support pages with this info?

juenology
Shopify Staff
28 1 13

Thanks for the update. As previously mentioned to address your question about SPF:

 

One of those 4 CNAME records we ask you to input will create a subdomain such as mailer123.yourdomain.com and we manage the SPF record on that so it passes the DMARC policy you set for yourdomain.com. So no additional SPF record needs to be set up or managed for yourdomain.com unless your other email providers (i.e. Klaviyo, Google Workspace, etc.) require that you do.

 

Meaning since you've successfully authenticated through us, you have the correct SPF record needed to deploy your DMARC. So to clarify, there is no Shopify SPF record since we created a unique subdomain on your domain and manage the SPF record for that subdomain.

 

Hope this helps.

juenology
Shopify Staff
28 1 13

Hi! For your emails to pass your DMARC policy, only SPF or DKIM needs to pass. Having said that, we should be passing both. On initial read, it looks like this may possibly be an issue with the reporting you're receiving, but I'd want to rule that out and I am happy to troubleshoot this with you. If you've set up our authentication records, the SPF check should be on a unique subdomain of your domain (will look something like mailerxyz.yourdomain.com) that we've created and managed, that should be counting towards passing your DMARC policy.

Can you let me know which mail provider you are using to send yourself test emails (i.e. are you sending test emails to a Gmail account? Outlook account?)? Asking so that I can walk you through examining the live email headers to see if they are passing or failing your DMARC policy.

VandalBee
Excursionist
11 0 3

"For your emails to pass your DMARC policy, only SPF or DKIM needs to pass"

Not entirely true. If the dkim/spf are set to strict.

My DMARC is

_dmarc: v=DMARC1;p=none;sp=none;pct=100;rua=mailto:<my shop email>;ruf=mailto:<my shop email>;ri=86400;aspf=s;adkim=s;fo=1

 

My domain is hosted in godaddy and the email is setup via them in Microsoft. I have all the required related entries in the DNS.

I'm able to send test mails from shopify to my personal gmail account via the portal.

Examining the received mail I see all is passing, dkim, spf, dmarc.

VandalBee_0-1706558364052.png

 


I have a CNAME that is auto set from shopify to 
Name: mailer1ud
Value: <some random numbers>.p112.email.myshopify.com

I'm also able to send mails directly from my email hosted in Microsoft, for which the report shows a correct pass of the SPF

<row>
<source_ip>2a01:111:f400:7e88::61a</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>pass</spf>
</policy_evaluated>
</row>
 
The issue looks like that the spf fails in the report for
<row>
<source_ip>149.72.122.254</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>


149.72.122.254 points to o33.mailer.shopify.com

 

So yesterday I added the `mailer.shopify.com` to the spf record to check if that would fix it.

v=spf1 include:secureserver.net include:mailer.shopify.com -all

 

 

juenology
Shopify Staff
28 1 13

Thank you for sharing this. Glad to see that in your tests everything seems to be passing when you check the headers. Mailbox providers check the SPF record against the Return-Path domain, not the sending IP. However, if it's important for you that the reports are showing a pass (will not have any impact on your actual email deliverability), you may be able to achieve that by adding include:sendgrid.net (instead of include:mailer.shopify.com). Let me know if that works!

VandalBee
Excursionist
11 0 3

Both sendgrid.net and mailer.shopify.com have the same spf records.

I'm surprised that the support did not know anything about what is the correct spf record. They even suggested to remove the entire record, which is wrong and could cause issues.

 

VandalBee_0-1706566554015.png

VandalBee_1-1706566592475.png

 

onescales
Shopify Partner
58 2 11

are you sure that you verified the records in shopify. coming from mailer shopify is usually a sign that dns was not setup and that domain was not authenticated?

VandalBee
Excursionist
11 0 3

The domain is authenticated. I see this in my Shopify Notification settings under my shop's email.

VandalBee_1-1706576732884.png


Also I'm able to send test emails from Shopify to my Gmail and the mail has the below. The send is shown correctly as my shop email.


VandalBee_0-1706576696133.png

 

onescales
Shopify Partner
58 2 11

yes that looks good. instead of a test email, if you go to website and reset password do you also get it sent from mailer shopify? also, can you double check that your from email address in shopify settings -> notifications -> from is the same domain as what you worked on for dns?

VandalBee
Excursionist
11 0 3

I went through customers section in the notifications and sent emails to my test emails and they are from the correct sender email that is shown in the settings -> notifications -> Sender email.

It is still puzzling why the spf report records show fail, but the spf in the actual email shows success.

 

onescales
Shopify Partner
58 2 11

the main site emails are what is important. if ONLY you get mailer shopify from the "test" notifications preview emails, then you should be good.

VandalBee
Excursionist
11 0 3

Unfortunately, there is no way to verify from the report which is the target mail nor the send details.

VandalBee
Excursionist
11 0 3

Looks like adding the `mailer.shopify.com` to the spf did not work. The spf verification still fails for the mailer.shopify.com sender in the <row> section.

However, the spf in the auth section pass.

 

This is an email sent to a customer from Shopify on order complete event

 

@juenology 

  <record>
    <row>
      <source_ip>149.72.49.200</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from><mydomain name omitted>.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain><mydomain name omitted>.com</domain>
        <result>pass</result>
        <selector>1ud</selector>
      </dkim>
      <dkim>
        <domain>sendgrid.info</domain>
        <result>pass</result>
        <selector>smtpapi</selector>
      </dkim>
      <spf>
        <domain>mailer1ud.<mydomain name omitted>.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>

 
This is one sent directly from my mail that is hosted in MS, where the SPF passes in both the row and auth sections.

  <record>
    <row>
      <source_ip>2a01:111:f403:2412::600</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from><domain name omitted>.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain><domain name omitted>.com</domain>
        <result>pass</result>
        <selector>selector1</selector>
      </dkim>
      <spf>
        <domain><domain name omitted>.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>

 

VandalBee
Excursionist
11 0 3

I have this in my DNS in the domain - CNAME mailer1ud, value <some random numbers>.p112.email.myshopify.com

and the mail has @mailer1ud.<mydomain name>.com when I do show original.

VandalBee
Excursionist
11 0 3

found the sender of the mail to be

Received: from o11.mailer.shopify.com (o11.mailer.shopify.com. [149.72.235.154])

So I think it's safe to say the mailer.shopify.com should be in the SPF record

VandalBee
Excursionist
11 0 3

@juenology @onescales I figured out the issue.

The spf policy in DMARC record is set to strict - aspf=s. Thus the identifier header and the spf domain should match for the spf policy to pass.

 

Looking at the DMARC records, my identifier is <mydomain>.com, while the spf domain is mailer1ud.<mydomain>.com. Thus the failure of the spf policy.

In my DNS records, I have a CNAME mailer1ud with value <some random numbers>.p112.email.myshopify.com, that is automatically created by shopify when the domain was linked and auth to the shop. I suspect this is what is causing the spf domain to show as mailer1ud.<mydomain>.com.
I'm not sure how to fix that, unless I change the spf policy in the DMARC to relaxed.
 
<identifiers>
<header_from><mydomain>.com</header_from>
</identifiers>
 
<spf>
<domain>mailer1ud.<mydomain>.com</domain>
</spf>

 

References:

amazon web services - Why does spf fail in DMARC report from Google? - Server Fault

ASPF DMARC Tag (mxtoolbox.com)

VandalBee
Excursionist
11 0 3

@juenology is there a way for the MailFrom Domain to match the Header From Domain?

Coz all mails sent from Shopify have the

MailFrom Domain: mailer1ud.<mydomain>.com

Header From Domain: <mydomain>.com

Meaning we can't use aspf=s, but only aspf=r in the DMARC record.

I spent 3h with the GoDaddy support and they say it's not possible on their end. Took them 2h to understand the issue. Support is getting rly bad these days.

Imo, all these things need to be documented by Shopify, instead of everyone figuring it out on their own.

juenology
Shopify Staff
28 1 13

Thanks for the update on your aspf=s policy setting. Unfortunately with our current infrastructure there is no way for us to set the MailFrom to match the Header From, so you will need to relax that DMARC setting for branded emails to be deployed from Shopify.
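
Added example, not part of any post in this thread: a small Python evaluator that reproduces why the report rows above show `<spf>fail</spf>` while `auth_results` shows an SPF pass. The function names are hypothetical, the report is a constructed sample with example.com standing in for the omitted shop domain, and the organizational domain is approximated as the last two labels (a real evaluator uses the Public Suffix List).

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the two records posted in this thread.
# example.com replaces the omitted domain; IPs are documentation addresses.
# For reports taken from a real mailbox, parse with a hardened XML parser
# such as defusedxml, since the XML comes from third parties.
SAMPLE_REPORT = """<feedback>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <dkim><domain>sendgrid.info</domain><result>pass</result></dkim>
      <spf><domain>mailer1ud.example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>2001:db8::600</source_ip><count>1</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""


def org_domain(domain):
    """Approximate organizational domain (assumption: last two labels)."""
    return ".".join(domain.split(".")[-2:])


def aligned(auth_domain, header_from, mode):
    """DMARC identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    a = (auth_domain or "").lower().rstrip(".")
    h = (header_from or "").lower().rstrip(".")
    if not a or not h:
        return False
    if mode == "s":
        return a == h
    return org_domain(a) == org_domain(h)


def evaluate_record(record, aspf="r", adkim="r"):
    """Recompute the policy_evaluated view from the raw auth_results."""
    header_from = record.findtext("identifiers/header_from")
    # A mechanism counts for DMARC only if it passed AND its domain aligns
    # with the Header From domain under the configured mode.
    spf_ok = any(
        e.findtext("result") == "pass" and aligned(e.findtext("domain"), header_from, aspf)
        for e in record.findall("auth_results/spf")
    )
    dkim_ok = any(
        e.findtext("result") == "pass" and aligned(e.findtext("domain"), header_from, adkim)
        for e in record.findall("auth_results/dkim")
    )
    return {
        "source_ip": record.findtext("row/source_ip"),
        "header_from": header_from,
        "spf": "pass" if spf_ok else "fail",
        "dkim": "pass" if dkim_ok else "fail",
        # DMARC passes when at least one aligned mechanism passes.
        "dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
    }


def evaluate_report(xml_text, aspf="r", adkim="r"):
    root = ET.fromstring(xml_text)
    return [evaluate_record(r, aspf, adkim) for r in root.iter("record")]


if __name__ == "__main__":
    for mode in ("s", "r"):
        print(f"aspf={mode} adkim={mode}")
        for row in evaluate_report(SAMPLE_REPORT, aspf=mode, adkim=mode):
            print("  ", row)
```

With `aspf=s` the first record evaluates to SPF fail but DMARC pass, because the aligned DKIM signature on the shop domain still satisfies the policy; with `aspf=r` both mechanisms pass.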

SM62
Visitor
1 0 0

It is complicated and I had my IT guy do it for that very reason. First we couldn't send out any emails, he fixed that issue and now we are receiving duplicate sales emails. This is a BIG DEAL and when it results in issues, all of us "non tech" people feel very frustrated. So I agree, SHOPIFY, admit this is a bigger deal and then help everyone with it! Good luck LitnutsMO. I hope you have a smoother experience.

ianks88
Visitor
1 0 0

I just got DMARC set up on our Namecheap domain. It was a straightforward process:

 

1. Login to the main dashboard

2. Click the Manage button next to the domain

3. Click on the Advanced DNS tab

4. At the bottom of the records list, click on + Add new record

5. From the popup, scroll down and select TXT Record

6. Fill in the new form on the right with these exact files

  • Host: _dmarc

  • Value: v=DMARC1; p=none;

  • Leave Automatic selected for the TTL

7. Click on the

 

From there, you can verify that things are working properly by sending a test email from the Shopify admin. In Gmail, you can click <> Show original on the email, and you should see something like this, confirming that it all works: 

ianks88_1-1705801603267.png

 

 

 

MarcoMatty
Shopify Partner
19 1 5

I have a really basic question regarding this 
if the record is
Name of TXT record = _dmarc.YOURDOMAINGOESHERE.com
Value of TXT record = v=DMARC1; p=none; rua=mailto:YOUR@EMAILGOES.HERE

Do we need to repeat it for every email used on the domain?

TanakaMaruta
Visitor
1 0 0

I had to be the one to say it... but chatgpt helped me out when ALL other customer service reps either didn't know what they were talking about or simply couldn't be bothered.

  1. Tell ChatGPT you need to set up SPF, DKIM, DMARC
  2. Tell it your domain
  3. Tell it your domain provider
  4. Create a new mailbox for DMARC reports, i.e. reports@(yourdomain.com)
  5. Generally ChatGPT would have explained everything at this point and you're good to go.

Check to make sure it's all working with

Dmarc - https://dmarcian.com/dmarc-inspector/

Dkim - https://dmarcian.com/dkim-inspector/

SPF - https://dmarcian.com/spf-survey/ 

 

Considering how worrying this is so close to the 1st of Feb... very very weak effort from Shopify in terms of support.

Also if you're using Klaviyo make sure to follow their setup instructions: https://academy.klaviyo.com/2024-new-sender-requirements-checklist/1817230

 

Thanks & hope this helps

 

Mikay
Tourist
7 0 3

I was able to set up our primary domain, but does anyone know if we need to do anything with the subdomain?

For example, our primary domain is xyz@company.com for our DTC store, and we have wholesale.xyz@company.com for B2B store. We are using Klaviyo for both stores. For the subdomain, I'm having an issue with the verification on Klaviyo. When I try to add a CNAME Record, this error shows up: "Unique signature error, a record with this value already exists and Name must be unique for non MX records" - I've already added the same value and Name when I set up for our primary domain, so that's causing an issue. I've reached out to Klaviyo and they escalated my case to the Deliverability and Compliance specialist team. (I'm honestly surprised that they didn't have an answer for this...) I haven't heard back from them yet 😞

onescales
Shopify Partner
58 2 11

do you mean the email wholesale@xyz.company.com?

also because you have a subdomain, make sure that you add the sp= to your DMARC to specify rules for subdomains

juenology
Shopify Staff
28 1 13

For DMARC, subdomains will inherit the DMARC policy for the primary domain if no sp= values are specified. So no action is required unless you'd like different DMARC settings for your subdomains.

TVNEnterprises
Shopify Partner
6 0 1

Our agency EcomBack has created an easy step-by-step guide to creating and verifying DMARC and SPF records for Shopify and integration with Klaviyo as well as tips on making email content accessible https://www.ecomback.com/blogs/easy-steps-to-enhance-email-security-with-spf-dmarc-and-dkim-records

donnamac
Trailblazer
265 5 214

Great news for GoDaddy email customers. They will back out the Microsoft security upgrade.

Just call the help line; 480-505-8877.  Press '1' for help on recent Microsoft email change.

I had to wait 30 minutes, but it is worth it!  

Once I got help, it took about another 30 minutes for them to do the changes.

 

End result is they back out the Microsoft upgrade.  

They have to change DNS records, and there are many.  

For each record they change they send a security code you need to provide, so be patient.   I needed to provide ~8 codes.

 

But...our email account is reverted back to before this change.  No more ProofPoint!!!

It can take up to 24 hours to roll out these changes, but definitely worth it.

Microsoft is aware how upset users are about it.   

 

I would think most email providers might offer this...so worth making an inquiry.