I’d appreciate it if someone at Shopify would respond to this. And please be candid: If I should hire an expert to help me w/DMARC, say so. Don’t act like this is no big deal if it’s actually a big deal. My Shopify e-commerce site and my related Mailchimp newsletter (both use the same domain to do sends) are my future. If I get this DMARC stuff wrong, it could mean years of work down the drain.
Here are my concerns:
I received an email from Shopify on 12/22/23 saying I need to “add a DMARC record” by 2/1/24 in order to satisfy Google and Yahoo. My fear is that this is not as simple as it sounds.
The Shopify post, in turn, links to this Google post.
The information in the Google post is complex. Here are some excerpts from the Google post [bracketed comments are mine]:
“Configure DKIM and SPF before configuring DMARC. If you don’t set up SPF and DKIM before enabling DMARC, messages sent from your domain will probably have delivery issues.” [The Shopify post says nothing about DKIM and SPF.]
“You can receive many DMARC reports every day. [Google say hundreds or even thousands, depending on how may you send. I send 20K+ per day.]. We recommend you create a dedicated mailbox to receive and manage DMARC reports.”
“You might use a third-party service [like Shopify, Mailchimp, and/or others] to send mail. Messages sent from third-party email providers for your domain might not pass SPF or DKIM checks. Messages that don’t pass these checks are subject to the action defined in your DMARC policy. They could be sent to spam, or rejected. To help ensure messages sent by third-party providers are authenticated, contact your third-party provider to make sure DKIM is correctly set up and make sure the provider’s envelope sender domain matches your domain. Add the IP address of the provider’s sending mail servers to the SPF record for your domain.”
And then there are the actual instructions from Google for setting up a DMARC record, which (again) are complicated. Here is a sample DMARC record:
There’s a separate Google post on what each piece of that record means – plus advice to “phase-in” your DMARC rollout per a separate Google tutorial.
My concern here is that the Shopify email kinda sounds like this is simple…just add DMARC. But it does not sound simple to me. It sounds like a very big deal.
That said, I called GoDaddy (my domain host)…and after putting me on hold for a while, they came back and said, “Done.” I was like, “What? What did you do?” I looked at the code they added to my DNS. It looks nothing like the sample DMARC record in bullet #4, above.
So now I’m wondering:
Do I trust GoDaddy when they say I’m “good to go”?
Will these changes have any impact on the newsletter sends I do via Mailchimp, which is the core of my business?
Should I hire an expert? (Search for DMARC consultants…there are TONS of them…and most charge a monthly fee.)
Did Shopify make this sound overly simplistic in their email, or am I just way overthinking this?
FYI: My newsletter is my livelihood. I don’t think I’m overthinking it. I think my concerns are legit – and I think other Shopify customers may be concerned as well.
It’s actually a lot simpler than they’ve made it out to be.
Once you’re on the DNS records page on GoDaddy, you simply add a ‘TXT’ record with the following details:
Name of TXT record = _dmarc.YOURDOMAINGOESHERE.com Value of TXT record = v=DMARC1; p=none; rua=mailto:YOUR@EMAILGOES.HERE
My site is ‘stephensworld.ca’ and my email is ‘support@stephensworld.ca’ … so mine ended up looking like this:
Name of TXT record = _dmarc.stephensworld.ca (on GoDaddy, you don’t have to put the period or anything after it - see my screenshot below) Value of TXT record = v=DMARC1; p=none; rua=mailto:support@stephensworld.ca
Then once you’ve added it, you go to https://dmarcian.com/dmarc-inspector/ (the website that Shopify recommended in their email/blog/post to check if it’s working) > type in your domain (without any “https://”) and then click “inspect the domain”.
Adding a DMARC is a very simple process for your ISP - might take them 5-10 secs to do so. We received the same email - Directnic hosts our website. So I sent them an email and they added it to our DNS files. Ours looks like this “v=DMARC1; p=quarantine; pct=100”
The type is a TXT and the name is _dmarc
I’m assuming you can login to godaddy and click on your DNS settings for your website. You should see a TXT type with DMARC in your DNS settings that they have added. If you see DMARC anywhere in your DNS then you are good.
Like I stated this is a very simple thing for your ISP to add. Your head is spinning since you have no idea what the DNS settings mean for your website so you are assuming the worse.
Thanks very much for the response. I appreciate the input. But please see my reply to EBeeLuv. As for your DMARC record, I’m curious as to why you set p=none (instead of quarantine or reject) and why you did not include anything for pct. Not necessary?
Thanks very much for the reply. I appreciate it. I really do. But for the record, I am actually fairly familiar with DNS settings.
What has my head spinning is things like this bit of instruction from the Google page that Shopify linked to:
“When you start using DMARC, we recommend a policy with enforcement set to none. As you learn how messages from your domain are authenticated by receiving servers, update your policy. Over time, change the receiver policy to quarantine, and finally to reject.”
It looks like you went straight to “quarantine.”
And then there’s this (also from Google):
Quarantine a small percentage of messages to start. After monitoring DMARC reports for at least a week with no adverse results, update your policy to quarantine , and add the pct tag to apply the policy to a small percent of your mail. For example: Add a policy that applies to 5% of messages and has enforcement set to quarantine.
v=DMARC1; p=quarantine; pct=5. If DMARC is working as expected, update your policy so the DMARC record policy is set to reject for 100% of messages.
It looks like you went straight to quarantining 100% of rejected messages vs phasing in per Google’s instructions. Maybe that’s fine…I don’t know.
Finally, it looks like you opted not to include an “rua” instruction in your DMARC record, which means you won’t receive any DMARC reports via email, right? Was that a conscious decision? I’m asking because Google says to include one. Maybe it’s not necessary. I don’t know. That’s part of what I’m trying to understand.
All in all, I’m still where I was at the outset: Maybe this is no big deal. But if you dig into the Google instructions that Shopify linked to, it doesn’t sound so simple.
I was wondering the same thing and found this. Here’s a good explanation as to why you don’t want to initially set to reject and what the pct means. [DMARC Percentage Tag (PCT)](DMARC Percentage Tag
So my understanding is that you don’t want to initially set it to p=reject but you eventually want to get there.
Hi Stephen, Again…thank you very much for your reply. I understand what you did and why you did it. My fear (more for my biz than for yours) is that what you have done and suggested for me is the bare minimum. Maybe that’s fine…maybe not. I don’t know.
I really wish somebody who works for Shopify would join this conversation and clarify.
What you did: You found p=none if Jacqui’s post, so you did that. Then you found an example in the Google post that did not include a pct record, so you didn’t include a pct record.
But if you dig deeper into the Google instructions (see the “Define your DMARC record” and “Tutorial: Recommended DMARC rollout” links in the right sidebar of the Google help doc), Google includes examples with pct records, and also gives pretty detailed advice on how to phase in elements of your DMARC record over time…with “p” going from none to quarantine to reject over time, and “pct” going from zero to a higher percent and eventually to 100% over time.
I really wish someone who works for Shopify (Jacqui, are you there?) would get involved in this conversation. If not, I’m probably going to fork over some dough for a DMARC consultant to make sure I get this right.
As suggested by the google post, i have started with p=none and will continue to monitor and then eventually get to p=reject. At the end of the day you do not want spam being sent from your domain as this is bad business.
I am using a free DMARC service called “EasyDMARC” which provides analysis of the DMARC reports. Worth checking out as the DMARC reports are not easy to read
I also called Go Daddy and they were clueless as to what DMARC was all about. I even had to forward the Shopify email to them, they really were no help at all so I’ve ended up doing nothing and coming here in the hope of trying to work this out… and failing Let’s just hope there is a way out of this before the Feb 1st!
If I was you I might consider changing domain providers. We’ve used directnic for years and the folks there are fabulous. You can simply transfer your website over to them and only takes a small amount of time and quick to do. They will add the DMARC for you and also you are able to tweak and add pretty much whatever you want to your DNS settings. https://directnic.com/ You can reach out to them via live chat and ask them how to transfer your godaddy url to them. I would personally run from godaddy and go with an actual provider that specializes in domains.
Have you gotten to the point where you have actually received ‘useable’ info regarding your original topic?
Reading the responses, I don’t see a solid answer.
My issue is deciphering the reports I get in my email and evolving to a ‘reject’ policy. Nothing with Shopify is easily explained. Too many ‘cooks in the kitchen’ with developers if you ask me.
I’m going to try the free easydmarc site to see if that sheds any light on all these reports and how to deal with the info they provide.
As most Shopify things…I spend way to much time on things like this instead of moving our business forward.
Just wondering how you are dealing with reports as you get them and how you might be ‘moving’ forward
I regard the info I have rec’d as “helpful,” but I don’t feel anyone has provided a definitive answer. People are telling me what they did and what worked for them, which is all well and good (and appreciated). But like I said…no definitive answer. And I find it disappointing that Shopify hasn’t provided any clarification or further guidance.
I have yet to decide how to move forward. My likely plan is this:
Contact Mailchimp. I need to make sure this is not an issue with them. (I have not rec’d anything from MC, and I’m told by a MC consultant that this is not an issue with MC because I’m “authenticated” with MC. But I am authenticated with Shopify as well, yet Shopify advised taking action.) Since I use the same domain to send newsletters from MC and from Shopify, I want to make sure I am in good shape with both service providers.
Undo what GoDaddy did. They created a DNS record that they said would address the issue. But when I go to https://dmarcian.com/dmarc-inspector/, it still says there is no DMARC record for my domain.
Create DNS DMARC record myself, following the Google instructions (including to phase it in per Google – and including setting up a dedicated mailbox to receive DMARC reports).
If it proves too much for me to handle on my own, I will hire a DMARC consultant.
Firstly, this is not Shopify that is implementing this change, it is Gmail (& yahoo). Shopify have provided enough information for most people to be able to follow and implement, the same way that you would have had to have added an SPF record for your domain and also possibly a DKIM. MailChimp may eventually also implement the same requirements.
Many companies around the world now require these extra checks in order to combat SPAM and Phishing, this is only the start, there are more things that may be implemented in the future to further tighten the security.
My first suggestion to you would be to try EasyDMARC as i have posted before. from there you can actually see what is in the reports as they are XML format and you will not be able to read them yourself.
If EasyDMARC is not enough then i would suggest you consult an IT specialist.
EasyDMARC looks like a good option. Thanks. I also found this list of DMARC service providers (including EasyDMARC) on G2: https://www.g2.com/categories/dmarc
I’m lost and shopify is NO help with this! I purchased my domain through shopify they just keep directing me to dmarcian- they keep telling me to go back to the domain host and i’m gettin dizzy! then I just chatted with shopify and they said i’m all good there are no issues but when I check on that dmarcian site it still says I need to add dmarc! i’m going nuts any help would be appreciated
Hi. Yes…the lack of help/clarity is frustrating. For what it’s worth, I ended up doing things myself (see my post from 01-06-2024 05:02 PM, above). I just followed the Google instructions, including phasing in. I got a positive result from https://dmarcian.com/dmarc-inspector/ and other free DMARC inspection services, and started getting DMARC reports. The DMARC reports are not easy to read, but I skimmed the first one and didn’t see any red flags. But again, if it starts to feel like more than I can handle, I will hire one of these DMARC consultants: https://www.g2.com/categories/dmarc
Let’s just hope there is a way out of this before the Feb 1st!