Understand the New Sender Requirements for Shopify & Klaviyo

by Helen Hulskamp

January 23, 2024

Are the new sender requirements from Gmail and Yahoo causing you concern?

If you’re already following basic email best practices, like using your domain name instead of a generic gmail.com address and providing easy newsletter unsubscribe options, you’re on the right track.

However, users of Shopify or Klaviyo have recently received some less clear-cut warnings to “authenticate and add a DMARC record to continue sending emails from your domain” and “prepare for new sender requirements from Google and Yahoo”! Making sense of SPF, DKIM, and DMARC is daunting at first, but we’re here to demystify these acronyms for you.

It is easy to find articles telling you what DNS records to add without explaining what they do. Or worse, only telling you how to meet the minimum DMARC requirements, leaving your domain unprotected! Once you understand the role of these tools, you can use them to monitor and thwart attempts to spoof or tamper with emails from your domain.

You may have seen that Google and Yahoo’s new requirements are only for “bulk senders” and hoped you could fly under the radar. But Shopify, Klaviyo, and other providers will no longer send emails using your domain unless you get on board with the new rules. The good news is that you will be protecting your sender reputation and increasing the chances that your emails will be delivered to the inbox. Email deliverability should be a top priority for all ecommerce brands of any size!

Authorize Shopify and Klaviyo, Using SPF and DKIM

If you have a store on Shopify, your order and shipping confirmation emails should come from your domain rather than an address like store@shopifyemail.com. This reassures your customers, elevates your brand, and bolsters your chances of landing in the inbox instead of spam.

Another platform that sends emails on your behalf is your email marketing program. For ecommerce, our favorite email service provider is Klaviyo. There might be other platforms that send emails from your domain. Some examples are help desk software like Gorgias, product reviews apps like Judge.me, and subscription platforms like Recharge. You can authorize these senders by publishing special DNS records called SPF and DKIM.

SPF is similar to a permission slip letting the world know which servers you authorize to send emails from your domain. And DKIM is like a seal to prove that no one has tampered with the contents of individual emails. These verification methods are important because it is surprisingly easy for spammers to impersonate you.

Follow these instructions to add SPF and DKIM authentication for Shopify and Klaviyo, two platforms that we use on most Aeolidia projects:

Contact technical support for other platforms or see our list of instructions for common providers at the end of this document.

Adding SPF and DKIM for each sender who uses your domain is a prerequisite to the other new sender requirement: a DMARC policy.

What is DMARC?

DMARC stands for “Domain-based Message Authentication, Reporting, and Conformance.” A DMARC policy is yet another DNS record, similar to SPF and DKIM, but you should only have one of these.

A DMARC policy lets email inbox providers like Gmail know how they should handle emails from a server that is not authorized by SPF or emails that don’t have the tamper-proof seal provided by DKIM. The policy tells inbox providers if they should quarantine the suspicious emails in the spam box, reject the emails, or do nothing and deliver them as usual.

Start with a Simple DMARC Policy

A DMARC policy is published in the form of a DNS record that looks like this in its simplest form:

Type | Host | Value
TXT | _dmarc.yourdomain.com | v=DMARC1; p=none;

The value is made up of “tags” separated by semicolons. The p=none; tag means do nothing with suspicious emails; let them through without quarantining or rejecting them. This is the recommended option when you are getting started with DMARC. A lot can go wrong if you have a strict policy to quarantine or reject messages from unauthorized senders, especially if you have not properly authorized all the legitimate senders using your domain.

Don’t forget to replace yourdomain.com with your sending domain! Your sending domain is the domain after the “@” in your email addresses.

Receive Aggregated Reports

If you would like to receive daily aggregated reports, which can alert you to imposters (or senders you forgot to authorize…oops!), you can add an optional “rua” tag to your DMARC policy like this:

v=DMARC1; p=none; rua=mailto:info@example.com;

Replace info@example.com with the email address that should receive the reports. There is one problem with the email reports: they are not in human-readable format! The notifications are sent as XML and you can paste that XML into a tool that converts it to a readable format.

Copying and pasting those reports every day can be tedious. Luckily, there are services that will receive the XML data for you and then send you a nicely formatted summary. We like Postmark’s free service which provides you with an email address to put in your DMARC policy so you don’t have to deal with the raw reports.
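
As an added example (not part of the original article or of any service it mentions), the Python below shows what such a converter does with a raw report: it reads the aggregate XML and lists the sending IP addresses whose mail failed both SPF and DKIM. The sample report, its IP addresses and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout (documentation IP ranges).
# Real reports come from third parties: parse them with a hardened parser such as defusedxml.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.25</source_ip><count>15</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>4</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers></record>
</feedback>"""


def summarize(report_xml):
    """Return {(source_ip, dkim, spf): message count} for every row in the report."""
    totals = defaultdict(int)
    for row in ET.fromstring(report_xml).iter("row"):
        evaluated = row.find("policy_evaluated")
        key = (row.findtext("source_ip"), evaluated.findtext("dkim"), evaluated.findtext("spf"))
        totals[key] += int(row.findtext("count"))
    return dict(totals)


def failing_sources(report_xml):
    """Return {source_ip: count} for mail that failed both checks.

    These are either impostors or legitimate senders that were never authorized.
    """
    failures = defaultdict(int)
    for (ip, dkim, spf), count in summarize(report_xml).items():
        if dkim != "pass" and spf != "pass":
            failures[ip] += count
    return dict(failures)


if __name__ == "__main__":
    for (ip, dkim, spf), count in sorted(summarize(SAMPLE_REPORT).items()):
        print(f"{ip:15} dkim={dkim:4} spf={spf:4} messages={count}")
    print("failed both checks:", failing_sources(SAMPLE_REPORT))
```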

Inspect Your DMARC Policy

Once you add your DMARC policy to your DNS records, it is very important to test that it is valid using tools such as the ones below. Don’t forget this step!

These tools may tell you that your policy is valid, but your domain is unprotected. If you opted to receive reports, you are at least able to monitor activity, but p=none; does not prevent abuse.

Get More Strict, Gradually

Starting with a basic policy of p=none; plus reporting is a great first step for smaller businesses and those new to DMARC. As your brand grows, your policy should evolve to become more strict. This is especially important if your domain is a target for spoofing attacks or you notice unusual activity in the reports.

DMARC offers several options for fine-tuning your security. For instance, the “pct” tag allows you to gradually increase the percentage of emails that are subjected to your more strict policy, ensuring a smoother transition.
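
The record format described above (semicolon-separated tags, the p and rua tags, and pct for a gradual rollout) can be checked with a few lines of Python. This is an added example, not code from the original article or from the inspection tools it refers to; the function names and note wording are made up here, and it covers only the tags this page discusses.

```python
import re


def parse_dmarc(value):
    """Split a DMARC TXT value into a dict of tags, keeping their order."""
    tags = {}
    for part in value.split(";"):
        if part.strip():
            name, sep, val = part.partition("=")
            if not sep:
                raise ValueError(f"tag without '=': {part.strip()!r}")
            tags[name.strip().lower()] = val.strip()
    return tags


def inspect_dmarc(value):
    """Return (valid, notes). A record can be valid and still leave the domain unprotected."""
    try:
        tags = parse_dmarc(value)
    except ValueError as exc:
        return False, [str(exc)]
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return False, ["record must start with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return False, ["p must be none, quarantine or reject"]
    pct = tags.get("pct", "100")  # pct defaults to 100 when the tag is absent
    if not re.fullmatch(r"[0-9]{1,3}", pct) or int(pct) > 100:
        return False, ["pct must be an integer from 0 to 100"]
    notes = []
    if policy == "none":
        notes.append("monitoring only: p=none does not stop spoofed mail")
    elif int(pct) < 100:
        notes.append(f"{policy} applies to {pct}% of failing mail")
    # Assumption: only mailto: report addresses are accepted, the form used on this page.
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not rua:
        notes.append("no rua tag: no aggregate reports will arrive")
    elif not all(u.lower().startswith("mailto:") for u in rua):
        return False, ["rua addresses must be mailto: URIs"]
    return True, notes


if __name__ == "__main__":
    for record in ("v=DMARC1; p=none;",
                   "v=DMARC1; p=none; rua=mailto:info@example.com;",
                   "v=DMARC1; p=quarantine; pct=25; rua=mailto:info@example.com;"):
        print(record, "->", inspect_dmarc(record))
```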

Google’s comprehensive document provides a detailed overview of DMARC tags. Alternatively, this “wizard” will walk you through the options using less technical language.

Email deliverability is critical for ecommerce success, so we recommend working with your IT team or email experts as your policy gets more complex.

Meet the New Standards with Confidence

For Gmail and Yahoo’s February 1st deadline, the simplest DMARC policy will suffice. And authorizing Shopify and Klaviyo to send emails from your domain, instead of a generic email address, is a best practice anyway. By understanding these guidelines, you’re not just complying with the rules; you’re taking proactive steps to secure your brand’s sender reputation.

You’ve got this!

SPF and DKIM Instructions for Other Common Senders

In addition to the instructions for Shopify and Klaviyo mentioned above, here are links to instructions for other platforms commonly used by our ecommerce website clients and other Shopify merchants:

2 thoughts on “Understand the New Sender Requirements for Shopify & Klaviyo”

  1. Thank you SO much for publishing this information in a way that is easy to understand AND implement! Your efforts to support this community are very appreciated! <3
