Shopify: “Authenticate and add a DMARC record to continue sending” — what to do

Shopify emailed you (or shows a banner) saying “Authenticate and add a DMARC record to continue sending emails from your domain,” or your store's emails now arrive from a shopifyemail.com address.

Check your domain first — 10 seconds, free, no signup.
See your DMARC policy, SPF lookup count and every issue explained in plain English.
Run the free check →

What this means

This traces back to Gmail and Yahoo's 1 February 2024 sender rules. If your Shopify sender domain isn't authenticated with a DMARC record, Shopify rewrites your From address to store+123@shopifyemail.com so your mail keeps sending — but you lose your brand in the inbox. To keep sending as your own domain you need CNAME records that configure both DKIM and SPF, plus a DMARC record of at least v=DMARC1; p=none. Two things quietly cause the rewrite to persist: a DMARC record using strict alignment (adkim=s or aspf=s), and having more than one DMARC record — both make validation fail. Source: Shopify Help — Displaying your store's sending email · verified 2026-07-18.

What to do about it

Step 1. Add the CNAME records Shopify provides for DKIM and SPF on your sending domain.
Step 2. Publish a DMARC record with at least v=DMARC1; p=none — that minimum is what Shopify checks for.
Step 3. Make sure you have exactly one DMARC record and that it does not use adkim=s or aspf=s (strict alignment breaks Shopify sending).
Step 4. Run the free check below to confirm the store domain now authenticates before the rewrite kicks back in.

Frequently asked

Does my sector legally require DMARC by name?

Usually not by name — HIPAA, most legal-sector rules and UK charity guidance don't cite DMARC specifically. But they require protecting communications and preventing impersonation, and DMARC is the standard technical control that regulators, insurers and auditors expect you to use to meet that.

Will publishing DMARC block our own staff or member email?

No, not if you start correctly. A p=none policy is monitoring only and changes nothing about delivery. You only move to quarantine or reject after aggregate reports confirm every legitimate sender already passes — so real mail is never caught by surprise.

We're small and have no IT team — is this realistic?

Yes. The DNS side is a handful of records added once. The ongoing part is reading aggregate reports, which a plain-English monitoring tool does for you instead of leaving you to parse XML. Start with the free check below to see where you stand.

Don't want to babysit DNS records?
DMARCKeeper monitors your reports, names every sender, and walks you to full p=reject protection.
Start free monitoring →