The short answer: To authenticate email from your Shopify store, complete domain authentication in Shopify Admin → Settings → Domains → Authenticate (adds Shopify's SPF and DKIM records automatically), then add your other sending tools — Klaviyo (include:_spf.klaviyo.com), Mailchimp (include:servers.mcsv.net), Google Workspace — to your SPF record, configure DKIM in each platform's settings, and publish a DMARC record at _dmarc.yourdomain.com. Without this setup, order confirmation and marketing emails from your store risk landing in spam.
Shopify sends email from your domain for every order confirmation, shipping update, and customer notification your store generates. If your domain's email authentication isn't set up correctly, those emails land in spam — or get flagged as suspicious by Gmail and Outlook.
This guide walks through the exact setup for SPF, DKIM, and DMARC for Shopify stores, covering both Shopify's built-in email and third-party marketing tools.
How Shopify Sends Email From Your Domain
Shopify sends two types of email that touch your domain:
1. Transactional email — order confirmations, shipping notifications, customer account emails, and refund receipts. These come from Shopify's own mail infrastructure but use your custom store email address (e.g. orders@yourdomain.com) as the From address.
2. Marketing email — if you use Shopify Email (the built-in marketing tool) or connect a third-party like Klaviyo, Mailchimp, or Omnisend.
Each of these requires your SPF and DKIM records to authorise the relevant sending service. If any sender isn't in your SPF record or doesn't have DKIM configured, its emails may fail authentication and land in spam.
Step 1: Verify Your Custom Domain in Shopify
Before authentication can work, Shopify needs to verify that you own your domain. In your Shopify admin:
- Go to Settings → Domains
- Under "Sender email authentication", click Authenticate
- Shopify will show you DNS records to add — typically SPF
include:entries and DKIM TXT records specific to your domain
Add these records exactly as shown at your DNS provider (Cloudflare, GoDaddy, Namecheap, etc.).
Note: If your domain's DNS is managed by Shopify itself (you bought the domain through Shopify), these records may be added automatically.
Step 2: Set Up Your SPF Record
Your SPF record lists every service authorised to send email from your domain. For a Shopify store, this typically includes:
| Service | SPF Include String |
|---|---|
| Shopify (transactional) | include:shops.shopifyemail.com |
| Google Workspace (if you use it) | include:_spf.google.com |
| Klaviyo | include:_spf.klaviyo.com |
| Mailchimp | include:servers.mcsv.net |
| Omnisend | include:sendgrid.net |
A complete SPF record for a store using Google Workspace, Shopify, and Klaviyo:
v=spf1 include:_spf.google.com include:shops.shopifyemail.com include:_spf.klaviyo.com -all
Important rules:
- Only one SPF TXT record is allowed per domain. If one already exists, edit it — don't create a second one.
- The 10-lookup limit applies. Each
include:adds to the count. If you have many sending services, check your lookup count. See SPF too many DNS lookups for how to fix it if you're over the limit. - Use
-all(hard fail) rather than~allonce all your senders are correctly listed. See SPF hard fail vs soft fail for the difference.
Use the free SPF Generator to build your record correctly, then verify it with the SPF Checker.
Step 3: Enable DKIM Signing
DKIM adds a cryptographic signature to outgoing emails that receiving servers use to verify the message wasn't tampered with. For Shopify:
Shopify's Built-in DKIM
When you go through the domain authentication flow in Settings → Domains → Authenticate, Shopify generates DKIM records for you. Add the CNAME or TXT records they provide to your DNS exactly as shown.
After adding, verify the records are live using the free DKIM Validator. Enter your domain and Shopify's selector (shown during setup).
Klaviyo DKIM
- In Klaviyo, go to Account → Settings → Email Settings → Domain Setup
- Follow the domain authentication flow — Klaviyo provides DKIM records to add to your DNS
- Verify in Klaviyo's interface and with the DKIM validator
Mailchimp DKIM
- In Mailchimp, go to Account → Domains
- Add and verify your domain — Mailchimp walks through adding DKIM records
- Verify with the DKIM validator after DNS propagation
If you're using multiple sending tools, each one typically needs its own DKIM record (with a different selector). This is normal — DKIM records don't conflict with each other because they use different selectors.
Step 4: Add a DMARC Record
DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails. Without a DMARC record, mail providers make their own decisions — and your domain can be spoofed with no policy in place to stop it.
Start with a monitoring-only record:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
Add this as a TXT record at _dmarc.yourdomain.com in your DNS provider.
Use a real email address you monitor for the rua tag — this is where daily aggregate reports will arrive. These reports show every service sending email from your domain and whether each one passes authentication. For a free reporting address, Postmark's DMARC monitoring service provides one at no cost.
Use the DMARC Generator to build your record, and verify it's live with the DMARC Checker.
Moving to Enforcement
Once you've monitored aggregate reports for 2–4 weeks and confirmed every sending service passes both SPF and DKIM, move to p=quarantine and then p=reject. See DMARC policy: none vs quarantine vs reject for the safe progression path.
Common Shopify Email Authentication Problems
Order confirmations landing in spam
Cause: Shopify's sending infrastructure isn't included in your SPF record, or DKIM wasn't set up during the domain authentication step.
Fix: Complete the domain authentication in Settings → Domains → Authenticate and confirm include:shops.shopifyemail.com is in your SPF record.
Marketing emails from Klaviyo or Mailchimp failing authentication
Cause: The third-party platform's SPF include string is missing, or DKIM wasn't configured in their platform settings.
Fix: Follow the domain setup flow in your marketing platform's settings, add the DNS records they provide, and verify with the SPF Checker and DKIM Validator.
SPF record has too many lookups
Cause: Multiple email tools (Shopify + Google Workspace + Klaviyo + Mailchimp + Zendesk...) push the lookup count over 10, causing SPF to fail entirely.
Fix: See SPF too many DNS lookups: how to fix the 10-lookup limit. Options include removing services you no longer use or flattening include statements into IP ranges.
DMARC at p=none but still getting spam complaints
p=none is monitoring mode — it doesn't block anything. Spam filtering at this stage is happening based on content, sender reputation, or authentication gaps. Work through the email spam diagnosis guide to identify the cause.
Shopify Email vs Third-Party ESPs
Shopify Email (the built-in marketing tool) is the simplest setup — authentication is handled through the Shopify domain verification flow. If you're on Shopify Email only, the setup is straightforward.
If you use a third-party ESP alongside Shopify's transactional email — Klaviyo is the most common — you need to authenticate both. Your SPF record needs to include both Shopify and Klaviyo's include strings, and DKIM needs to be set up in both platforms.
For stores with multiple tools sending email (Shopify, Klaviyo, a helpdesk like Gorgias or Zendesk, and Google Workspace), use the SPF Generator to build your record with all includes, and run the SPF Checker to verify the lookup count is under 10.
Checklist: Shopify Email Authentication
- Custom domain set up in Shopify (Settings → Domains)
- Domain authentication completed (Settings → Domains → Authenticate) — adds Shopify's SPF and DKIM
- SPF record includes all sending tools (Shopify, Google Workspace, Klaviyo, etc.)
- DKIM set up in each third-party marketing platform (Klaviyo, Mailchimp, etc.)
- SPF record verified — lookup count under 10, no syntax errors
- DKIM verified — selector resolving correctly
- DMARC record published at
_dmarc.yourdomain.comwithruatag - Aggregate reports reviewed before moving to
p=quarantine - Policy progressed to
p=rejectafter clean monitoring period
Related Guides
- How to Add Mailchimp, HubSpot, or Salesforce to Your SPF Record Without Breaking It
- SPF Too Many DNS Lookups: How to Fix the 10-Lookup Limit
- DMARC Policy: None vs Quarantine vs Reject — When to Use Each
- Why Are My Emails Going to Spam?
Check your Shopify domain's authentication status — free Full Audit at EmailAudit.io. See your SPF, DKIM, and DMARC results in seconds, with a prioritised list of what to fix. No account required.