Is DMARC record really as simple as it sounds?

Topic summary

Urgent requirement: merchants must publish a DMARC record by Feb 1, 2024 to satisfy Google/Yahoo. DMARC (policy telling receivers how to handle unauthenticated mail) relies on SPF (authorized sending servers) and DKIM (cryptographic signature) being set first.

Experiences diverge:

  • Some added a simple TXT record (_dmarc.domain) with p=none and an rua address, verified via tools (dmarcian). Others set p=quarantine immediately.
  • Several report DMARC passing but SPF/DKIM failing for some senders (e.g., Mailchimp/Klaviyo/Microsoft 365/Shopify mailer). One user “fixed” SPF checks by adding include:shops.shopify.com, though this conflicted with later guidance.

Latest guidance from Shopify: ensure the 4 CNAME “authenticate” records are added; this creates a mailer subdomain (e.g., mailer123.yourdomain.com) whose SPF Shopify manages, so no extra SPF changes are needed for Shopify on your root domain. You still must configure SPF/DKIM for other providers (Google Workspace, Klaviyo, Mailchimp, etc.).

Recommended approach:

  • Start with p=none + rua to collect reports; analyze via tools (EasyDMARC/dmarcian), then phase to quarantine/reject.
  • Create a dedicated reports mailbox.

Open issues: ongoing SPF fails tied to mailer.shopify.com, DNS host support confusion, Klaviyo subdomain/CNAME conflicts, and how to interpret reports. No final resolution; several users still seeking expert help.

Summarized with AI on December 20. AI used: gpt-5.

@juenology Shopify said the deadline was Feb 1, but (just another in the long list of bad surprises from Shopify) they replaced our domain authenticated “from” address today, Jan 24, instead of sticking to the Feb 1 deadline they’ve been telling us and everybody. So now we’re scrambling to add DMARC (which can’t be done before 48+ hours verifying DKIM and SPF…).

Another unsurprising bad surprise from Shopify: support pages on this are lacking, to say the least, and chatting with “support” is only fruitless and frustrating.

Can someone from Shopify confirm that this is what we need to include in the SPF record in order to be able to send emails from our already authenticated domain in Shopify as well as thru Google Workspace?

v=spf1 include:_spf.google.com include:shops.shopify.com ~all

https://community.shopify.com/topic/2367825