Deliverability · January 28, 2025 · 7 min read

SPF, DKIM, DMARC: The Email Authentication Setup Every Shopify Brand Gets Wrong

If your DNS authentication isn't set up correctly, every email you send is at risk. Here's the exact setup process and the mistakes that tank deliverability.

Tsvetan Emil · Klaviyo Specialist

Every email you send carries invisible credentials. These credentials tell Gmail, Yahoo, and Outlook whether the email actually came from you or from someone pretending to be you. When these credentials are missing or misconfigured, inbox providers have a simple default: treat the email as suspicious.

That's what SPF, DKIM, and DMARC do. They're the authentication layer that proves your emails are legitimate. And most Shopify brands either don't have them set up correctly or don't have them set up at all.

SPF stands for Sender Policy Framework. It's a DNS record on your domain that lists which mail servers are authorized to send email on your behalf. When you use Klaviyo to send marketing emails, Klaviyo's servers need to be listed in your SPF record. When Gmail receives an email claiming to be from your domain, it checks the SPF record. If the sending server isn't listed, the email fails SPF authentication.

The common mistake with SPF is having too many includes. SPF allows a maximum of 10 DNS lookups. If you're using Klaviyo, Shopify's transactional emails, Google Workspace, and a helpdesk tool that sends from your domain, you can approach that limit quickly. When the lookup limit is exceeded, SPF breaks entirely — and every email from your domain fails authentication. Check your current SPF record using MXToolbox's SPF lookup tool. If you see more than 8-9 includes, you need to consolidate.
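
Counting only the includes visible in your own record understates the cost, because each included record can trigger further lookups of its own. The sketch below is an added example, not part of the original article: it walks a constructed set of SPF records (the ZONE table and every domain in it are placeholders) and counts the terms that count against the 10-lookup limit.

```python
# Added example: count the DNS lookups an SPF record costs (RFC 7208 limit: 10).
# ZONE is constructed sample data; every domain and record in it is a placeholder.
ZONE = {
    "brand.example": "v=spf1 include:esp.example include:_spf.workspace.example "
                     "include:helpdesk.example a mx ~all",
    "esp.example": "v=spf1 include:a.esp.example include:b.esp.example -all",
    "a.esp.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "b.esp.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf.workspace.example": "v=spf1 include:n1.workspace.example "
                              "include:n2.workspace.example include:n3.workspace.example ~all",
    "n1.workspace.example": "v=spf1 ip4:203.0.113.0/25 ~all",
    "n2.workspace.example": "v=spf1 ip4:203.0.113.128/25 ~all",
    "n3.workspace.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "helpdesk.example": "v=spf1 include:mail.helpdesk.example "
                        "exists:%{i}.bl.helpdesk.example ~all",
    "mail.helpdesk.example": "v=spf1 ip4:192.0.2.128/25 ~all",
}
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # ip4, ip6, all are free
LIMIT = 10

def count_lookups(domain, zone, path=()):
    """Count the DNS-querying terms reached when evaluating domain's SPF record."""
    if domain in path:                       # include loop: stop rather than recurse forever
        return 0
    total = 0
    for term in zone.get(domain, "").split()[1:]:    # [1:] skips the v=spf1 tag
        term = term.lstrip("+-~?")                   # drop the qualifier
        if term.lower().startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], zone, path + (domain,))
            continue
        name, _, target = term.partition(":")
        name = name.split("/")[0].lower()            # "a/24" -> "a"
        if name in LOOKUP_MECHANISMS:
            total += 1
            if name == "include":
                total += count_lookups(target, zone, path + (domain,))
    return total

def audit(domain, zone=ZONE):
    """Report the lookup total for a domain and whether it exceeds the limit."""
    used = count_lookups(domain, zone)
    return {"domain": domain, "lookups": used, "over_limit": used > LIMIT}

if __name__ == "__main__":
    print(audit("brand.example"))   # three visible includes, twelve lookups
```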

DKIM stands for DomainKeys Identified Mail. It adds a cryptographic signature to every email that proves the content wasn't altered in transit. Klaviyo generates a unique DKIM key for your account, which you add as a CNAME record in your DNS. This is usually two records — Klaviyo will provide the exact values in the account settings under Email > Domains.

The common DKIM mistake is not verifying after setup. Adding the DNS records isn't enough. DNS propagation can take up to 48 hours, and typos in CNAME records are surprisingly common. After adding the records, go back to Klaviyo's domain settings and verify that DKIM shows as authenticated. If it doesn't pass after 48 hours, double-check the records character by character.

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It ties SPF and DKIM together and tells inbox providers what to do when authentication fails. A DMARC record is a TXT record added to your DNS at _dmarc.yourdomain.com.

The recommended starting DMARC policy for most brands is: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com. This "none" policy means you're monitoring authentication results without taking action on failures. It's the starting point. You'll receive reports showing which emails pass and fail authentication, which helps identify any legitimate sending sources you've missed.

Once you've confirmed that all legitimate email sources pass SPF and DKIM consistently (usually after 2-4 weeks of monitoring), you can move to p=quarantine (failed emails go to spam) and eventually p=reject (failed emails are blocked entirely). Moving to reject too quickly can cause legitimate emails to bounce if you've missed a sending source, so the gradual approach matters.
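
The aggregate reports sent to the rua address are XML, and totalling them per sending IP shows which sources a stricter policy would affect. The following is an added example, not from the original article: the report, its IPs and brand.example are constructed placeholders, and the max_fail_ratio threshold is an assumption.

```python
# Added example: summarise a DMARC aggregate (rua) report per sending IP.
# REPORT is a constructed sample; IPs and domains are documentation placeholders.
# Reports arrive from third parties: use a hardened XML parser (e.g. defusedxml)
# when processing real ones.
import xml.etree.ElementTree as ET
from collections import defaultdict

REPORT = """<feedback>
  <policy_published><domain>brand.example</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>1200</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>85</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>203.0.113.44</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>203.0.113.44</source_ip><count>2</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
</feedback>"""

def summarise(xml_text):
    """Return {source_ip: {"pass": n, "fail": n}}; DMARC passes if DKIM or SPF passed."""
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    for row in ET.fromstring(xml_text).iter("row"):
        ev = row.find("policy_evaluated")
        ok = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        totals[row.findtext("source_ip")]["pass" if ok else "fail"] += int(row.findtext("count"))
    return dict(totals)

def failing_sources(xml_text):
    """IPs with any DMARC-failing mail: the ones p=quarantine or p=reject would affect."""
    return sorted(ip for ip, t in summarise(xml_text).items() if t["fail"])

def ready_to_enforce(xml_text, max_fail_ratio=0.0):
    """True when the share of failing messages is within max_fail_ratio."""
    s = summarise(xml_text).values()
    failed = sum(t["fail"] for t in s)
    total = sum(t["pass"] + t["fail"] for t in s)
    return total > 0 and failed / total <= max_fail_ratio

if __name__ == "__main__":
    print(failing_sources(REPORT), ready_to_enforce(REPORT))
```

Each IP it lists still has to be identified by hand as either a legitimate tool you forgot to authenticate or someone else sending as your domain.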

The setup process for Klaviyo specifically follows these steps. First, log into Klaviyo and go to Settings > Email > Domains. Add your sending domain. Klaviyo will provide DNS records to add — typically two CNAME records for DKIM and one for custom sending domain verification. Log into your domain registrar (GoDaddy, Cloudflare, Namecheap, etc.) and add each record exactly as Klaviyo specifies. Wait for propagation, then verify in Klaviyo.

For SPF, if you're using a dedicated sending subdomain (like mail.yourdomain.com), the SPF record is handled differently than your root domain. Klaviyo's documentation walks through the specific configuration for their servers.

How to verify everything is working: send a test email from Klaviyo to a Gmail address. Open the email in Gmail, click the three dots menu, and select "Show original." You'll see SPF, DKIM, and DMARC results. All three should show "PASS." If any show "FAIL" or "NONE," the corresponding authentication needs attention.
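
The same check can be scripted against the raw Authentication-Results header that appears in the "Show original" view. This is an added example, not part of the original article; the header text, the server names and the trusted_authserv parameter are constructed for illustration.

```python
# Added example: read SPF/DKIM/DMARC verdicts from a raw Authentication-Results header.
# HEADER is a constructed sample in the RFC 8601 layout; all names are placeholders.
import re

HEADER = (
    "Authentication-Results: mx.receiver.example;\r\n"
    "       dkim=pass header.i=@brand.example header.s=kl header.b=AbCdEf12;\r\n"
    "       dkim=fail (body hash did not verify) header.i=@esp.example header.s=s1;\r\n"
    "       spf=pass (receiver.example: domain of bounce@send.brand.example designates"
    " 192.0.2.10 as permitted sender) smtp.mailfrom=bounce@send.brand.example;\r\n"
    "       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=brand.example"
)

def parse_auth_results(header):
    """Return (authserv_id, {"spf": [...], "dkim": [...], "dmarc": [...]})."""
    value = header.split(":", 1)[1]
    value = re.sub(r"\([^()]*\)", " ", value)     # comments may contain '=' and ';'
    value = re.sub(r"\r?\n[ \t]+", " ", value)    # unfold continuation lines
    fields = value.split(";")
    found = {"spf": [], "dkim": [], "dmarc": []}
    for clause in fields[1:]:                     # fields[0] is the stamping server
        m = re.match(r"\s*(spf|dkim|dmarc)\s*=\s*(\w+)", clause, re.I)
        if m:
            found[m.group(1).lower()].append(m.group(2).lower())
    authserv = (fields[0].split() or [""])[0].lower()
    return authserv, found

def verdict(header, trusted_authserv):
    """One status per method. A header stamped by any other server is ignored,
    since a sender can insert a forged Authentication-Results line of its own."""
    authserv, found = parse_auth_results(header)
    if authserv != trusted_authserv.lower():
        return {m: "none" for m in found}
    # A message can carry several DKIM signatures; one passing result is enough.
    return {m: ("pass" if "pass" in r else (r[0] if r else "none"))
            for m, r in found.items()}

if __name__ == "__main__":
    print(verdict(HEADER, "mx.receiver.example"))
```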

You can also use free tools like MXToolbox, DMARC Analyzer, or mail-tester.com to check your authentication setup. These tools provide detailed breakdowns of what's configured correctly and what's missing.

The consequences of getting this wrong go beyond individual emails landing in spam. Gmail and Yahoo's February 2024 requirements made SPF and DKIM mandatory for bulk senders (anyone sending 5,000+ emails per day). Brands that don't comply risk having their emails blocked entirely — not just filtered to spam, but rejected at the server level.

Authentication isn't a set-it-and-forget-it task. When you add new tools that send email from your domain (a new helpdesk platform, a review request tool, a transactional email service), each one needs to be added to your authentication records. An annual audit of your DNS records and authentication status should be part of your email operations calendar.

The good news is that once it's set up correctly, authentication runs silently in the background. The 30-60 minutes spent configuring DNS records correctly protects every email you'll ever send from that domain.
