Is DMARC record really as simple as it sounds?

Topic summary

Urgent requirement: merchants must publish a DMARC record by Feb 1, 2024 to satisfy Google/Yahoo. DMARC (policy telling receivers how to handle unauthenticated mail) relies on SPF (authorized sending servers) and DKIM (cryptographic signature) being set first.

Experiences diverge:

  • Some added a simple TXT record (_dmarc.domain) with p=none and an rua address, verified via tools (dmarcian). Others set p=quarantine immediately.
  • Several report DMARC passing but SPF/DKIM failing for some senders (e.g., Mailchimp/Klaviyo/Microsoft 365/Shopify mailer). One user “fixed” SPF checks by adding include:shops.shopify.com, though this conflicted with later guidance.

Latest guidance from Shopify: ensure the 4 CNAME “authenticate” records are added; this creates a mailer subdomain (e.g., mailer123.yourdomain.com) whose SPF Shopify manages, so no extra SPF changes are needed for Shopify on your root domain. You still must configure SPF/DKIM for other providers (Google Workspace, Klaviyo, Mailchimp, etc.).

Recommended approach:

  • Start with p=none + rua to collect reports; analyze via tools (EasyDMARC/dmarcian), then phase to quarantine/reject.
  • Create a dedicated reports mailbox.

Open issues: ongoing SPF fails tied to mailer.shopify.com, DNS host support confusion, Klaviyo subdomain/CNAME conflicts, and how to interpret reports. No final resolution; several users still seeking expert help.

Summarized with AI on December 20. AI used: gpt-5.

Hi! For your emails to pass your DMARC policy, only SPF or DKIM needs to pass. Having said that, we should be passing both. On initial read, it looks like this may possibly be an issue with the reporting you’re receiving, but I’d want to rule that out and I am happy to troubleshoot this with you. If you’ve set up our authentication records, the SPF check should be on a unique subdomain of your domain (will look something like mailer_xyz.yourdomain_.com) that we’ve created and managed, that should be counting towards passing your DMARC policy.

Can you let me know which mail provider you are using to send yourself test emails (i.e. are you sending test emails to a Gmail account? Outlook account?)? Asking so that I can walk you through examining the live email headers to see if they are passing or failing your DMARC policy.
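An added example, not part of the reply above and not Shopify's code: a small Python check that reads an `Authentication-Results` header from a received message and reports whether SPF or DKIM passed with a domain aligned to the From domain, which is what decides the DMARC result. The domains (`shop.example`, `mailer123.shop.example`, `esp.example`) and headers are constructed, and relaxed alignment is approximated by a subdomain test instead of a Public Suffix List lookup.

```python
import re

def _aligned(auth_domain, from_domain):
    # Simplified relaxed alignment (assumption): the domains match or one is a
    # subdomain of the other. Real receivers compare organizational domains
    # derived from the Public Suffix List.
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f or a.endswith("." + f) or f.endswith("." + a)

def dmarc_evaluate(auth_results, from_domain):
    """Return {'spf': bool, 'dkim': bool, 'dmarc': bool} for one header."""
    text = re.sub(r"\([^)]*\)", "", auth_results)  # drop parenthesised comments
    checks = {"spf": False, "dkim": False}
    for part in text.split(";"):
        m = re.match(r"\s*(spf|dkim)=(\w+)", part)
        if not m:
            continue
        method, result = m.group(1), m.group(2).lower()
        # SPF authenticates the envelope sender, DKIM the signing domain (d=).
        prop = "smtp.mailfrom" if method == "spf" else "header.d"
        d = re.search(re.escape(prop) + r"=(\S+)", part)
        if result == "pass" and d:
            domain = d.group(1).rsplit("@", 1)[-1]
            if _aligned(domain, from_domain):
                checks[method] = True
    # DMARC passes when at least one mechanism passes AND is aligned.
    checks["dmarc"] = checks["spf"] or checks["dkim"]
    return checks

# Constructed sample headers (not taken from real mail).
BOTH_ALIGNED = """Authentication-Results: mx.receiver.example;
 dkim=pass header.i=@shop.example header.s=s1 header.d=shop.example;
 spf=pass (sender ok) smtp.mailfrom=bounce@mailer123.shop.example;
 dmarc=pass header.from=shop.example"""

DKIM_ONLY = """Authentication-Results: mx.receiver.example;
 dkim=pass header.d=shop.example;
 spf=pass smtp.mailfrom=bounce@bounces.esp.example"""

NOT_ALIGNED = """Authentication-Results: mx.receiver.example;
 dkim=pass header.d=esp.example;
 spf=pass smtp.mailfrom=bounce@bounces.esp.example"""

if __name__ == "__main__":
    for name, hdr in [("both", BOTH_ALIGNED), ("dkim only", DKIM_ONLY),
                      ("unaligned", NOT_ALIGNED)]:
        print(name, dmarc_evaluate(hdr, "shop.example"))
```

The third sample shows why a report can list SPF and DKIM as "pass" while DMARC still fails: both checks passed for the sending provider's own domain, not for the domain in the From header.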