Understand the New Sender Requirements for Shopify & Klaviyo

Are the new sender requirements from Gmail and Yahoo causing you concern?

If you’re already following basic email best practices, like using your domain name instead of a generic gmail.com address and providing easy newsletter unsubscribe options, you’re on the right track.

However, users of Shopify or Klaviyo have recently received some less clear-cut warnings to “authenticate and add a DMARC record to continue sending emails from your domain” and “prepare for new sender requirements from Google and Yahoo”! Making sense of SPF, DKIM, and DMARC is daunting at first, but we’re here to demystify these acronyms for you.

It is easy to find articles telling you what DNS records to add without explaining what they do. Or worse, only telling you how to meet the minimum DMARC requirements, leaving your domain unprotected! Once you understand the role of these tools, you can use them to monitor and thwart attempts to spoof or tamper with emails from your domain.

You may have seen that Google and Yahoo’s new requirements are only for “bulk senders” and hoped you could fly under the radar. But Shopify, Klaviyo, and other providers will no longer send emails using your domain unless you get on board with the new rules. The good news is that you will be protecting your sender reputation and increasing the chances that your emails will be delivered to the inbox. Email deliverability should be a top priority for all ecommerce brands of any size!

Authorize Shopify and Klaviyo, Using SPF and DKIM

If you have a store on Shopify, your order and shipping confirmation emails should come from your domain rather than an address like store@shopifyemail.com. This reassures your customers, elevates your brand, and bolsters your chances of landing in the inbox instead of spam.

Another platform that sends emails on your behalf is your email marketing program. For ecommerce, our favorite email service provider is Klaviyo. There might be other platforms that send emails from your domain. Some examples are help desk software like Gorgias, product reviews apps like Judge.me, and subscription platforms like Recharge. You can authorize these senders by publishing special DNS records called SPF and DKIM.

SPF is similar to a permission slip letting the world know which servers you authorize to send emails from your domain. And DKIM is like a seal to prove that no one has tampered with the contents of individual emails. These verification methods are important because it is surprisingly easy for spammers to impersonate you.

Follow these instructions to add SPF and DKIM authentication for Shopify and Klaviyo, two platforms that we use on most Aeolidia projects:

• In your Shopify admin go to Settings > Notifications and click the link to “authenticate your domain.” Follow the instructions to add the DNS records to your domain then check the admin again to verify that it worked.
• If you are using Klaviyo, go to Settings > Email > Domains, and follow the steps to set up a branded sending domain. Then go back into the settings and apply the domain.

Contact technical support for other platforms or see our list of instructions for common providers at the end of this document.

Adding SPF and DKIM for each sender who uses your domain is a prerequisite to the other new sender requirement: a DMARC policy.

What is DMARC?

DMARC stands for “Domain-based Message Authentication, Reporting, and Conformance.” A DMARC policy is yet another DNS record, similar to SPF and DKIM, but you should only have one of these.

A DMARC policy lets email inbox providers like Gmail know how they should handle emails from a server that is not authorized by SPF or emails that don’t have the tamper-proof seal provided by DKIM. The policy tells inbox providers if they should quarantine the suspicious emails in the spam box, reject the emails, or do nothing and deliver them as usual.

Start with a Simple DMARC Policy

A DMARC policy is published in the form of a DNS record that looks like this in its simplest form:

Type	Host	Value
TXT	_dmarc.yourdomain.com	v=DMARC1; p=none;

The value is made up of “tags” separated by semicolons. The p=none; tag means do nothing with suspicious emails; let them through without quarantining or rejecting them. This is the recommended option when you are getting started with DMARC. A lot can go wrong if you have a strict policy to quarantine or reject messages from unauthorized senders, especially if you have not properly authorized all the legitimate senders using your domain.

Don’t forget to replace yourdomain.com with your sending domain! Your sending domain is the domain after the “@” in your email addresses.

Receive Aggregated Reports

If you would like to receive daily aggregated reports, which can alert you to imposters (or senders you forgot to authorize…oops!), you can add an optional “rua” tag to your DMARC policy like this:

v=DMARC1; p=none; rua=mailto:info@example.com;

Replace info@example.com with the email address that should receive the reports. There is one problem with the email reports: they are not in human-readable format! The notifications are sent as XML and you can paste that XML into a tool that converts it to a readable format.

Copying and pasting those reports every day can be tedious. Luckily, there are services that will receive the XML data for you and then send you a nicely formatted summary. We like Postmark’s free service which provides you with an email address to put in your DMARC policy so you don’t have to deal with the raw reports.

Inspect Your DMARC Policy

Once you add your DMARC policy to your DNS records, it is very important to test that it is valid using tools such as the ones below. Don’t forget this step!

• DMARC Record Checker by dmarcian
• DMARC Check Tool by MXToolBox
• DMARC Record Checker by EasyDMARC

These tools may tell you that your policy is valid, but your domain is unprotected. If you opted to receive reports, you are at least able to monitor activity, but p=none; does not prevent abuse.

Get More Strict, Gradually

Starting with a basic policy of p=none; plus reporting is a great first step for smaller businesses and those new to DMARC. As your brand grows, your policy should evolve to become more strict. This is especially important if your domain is a target for spoofing attacks or you notice unusual activity in the reports.

DMARC offers several options for fine-tuning your security. For instance, the “pct” tag allows you to gradually increase the percentage of emails that are subjected to your more strict policy, ensuring a smoother transition.

Google’s comprehensive document provides a detailed overview of DMARC tags. Alternatively, this “wizard” will walk you through the options using less technical language.

Email deliverability is critical for ecommerce success, so we recommend working with your IT team or email experts as your policy gets more complex.

Meet the New Standards with Confidence

For Gmail and Yahoo’s February 1st deadline, the simplest DMARC policy will suffice. And authorizing Shopify and Klaviyo to send emails from your domain, instead of a generic email address, is a best practice anyway. By understanding these guidelines, you’re not just complying with the rules; you’re taking proactive steps to secure your brand’s sender reputation.

You’ve got this!

SPF and DKIM Instructions for Other Common Senders

In addition to the instructions for Shopify and Klaviyo mentioned above, here are links to instructions for other platforms commonly used by our ecommerce website clients and other Shopify merchants:

• Prepare Judge.me for Gmail and Yahoo’s Sender Requirements
• Prepare Recharge for Gmail and Yahoo’s Sender Requirements
• Prepare Gorgias for Gmail and Yahoo’s Sender Requirements
• Prepare Zendesk for Gmail and Yahoo’s Sender Requirements
• Prepare Mailchimp for Gmail and Yahoo’s Sender Requirements
• Prepare MailerLite for Gmail and Yahoo’s Sender Requirements
• Prepare Omnisend for Gmail and Yahoo’s Sender Requirements
• Prepare Attentive for Gmail and Yahoo’s Sender Requirements