Shopify SPF and DKIM setup

What you are setting up

Shopify sends your order confirmations, shipping notices, and Shopify Email campaigns from your store's sender address. Authenticating your domainmakes that mail sign as you so it passes DMARC and drops the “via shopifyemail.com” tag recipients otherwise see. Two things are specific to Shopify: it handles DKIM and SPF through CNAME records you copy from the admin (there is no separate SPF line to paste), and if you do not finish, it quietly rewrites your from address. Both below.

Authenticate your domain

In the Shopify admin, go to Settings > Notifications, find the Sender email section, and click Authenticate your domain. Shopify shows you a set of CNAME records that handle DKIM and SPF together, plus a DMARC record. Add them at your DNS host exactly as shown:

Type:  CNAME   (Shopify shows several; they handle DKIM + SPF)
Host:  (copy the exact host Shopify shows)
Value: (copy the exact target Shopify shows)

The values are specific to your store, so copy them from the admin. Shopify deliberately does not publish fixed record values, and you do not add a separate include: SPF line; the CNAMEs cover SPF for you. If your domain is on Cloudflare, GoDaddy, or IONOS, Shopify can add the records automatically, and a domain you bought through Shopify is authenticated for you.

Add DMARC (and keep it relaxed)

Shopify requires exactly one _dmarc TXT record, and it must use relaxed alignment. The minimum is:

Type:  TXT
Host:  _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Do not set adkim=s or aspf=s: Shopify warns that strict alignment breaks its mail, so keep them relaxed (the default). And make sure you do not end up with two DMARC records, which fails validation and triggers the rewrite below. Build the record with our DMARC builder and progress past p=none when reports are clean.

The Shopify gotchas

You need a domain you own. The most common trap is using a free sender like yourstore@gmail.com. You cannot authenticate a domain you do not control, so that mail can never align, and Shopify keeps the “via” tag or rewrites it. Send from an address on your own domain.

The silent from-rewrite. If the records are not fully in place (or get removed, or your DMARC is strict or duplicated), Shopify rewrites your from address to something like store+12345@shopifyemail.comso mail keeps flowing. It works, but recipients no longer see your address. So “I set this up but my email still comes from shopifyemail.com” means the setup is incomplete, not that DNS is broken.

Confirm it worked

• Check the status in Shopify.The Sender email section should show your domain authenticated, and the “via shopifyemail.com” tag should be gone.
• Send a test and read the headers. Trigger an order notification or a test campaign, open the original, and confirm the DKIM signature aligns to your domain and dmarc=pass. Our header analyzer reads it back plainly.
• Watch the reports. Shopify should appear as an aligned, passing source in your DMARC aggregate reports, labeled as a known sender in trustyourinbox.