What DMARC Does and Why You Need It
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a DNS record that tells receiving email servers what to do when someone sends an email claiming to be from your domain but fails authentication checks. Without DMARC, anyone can send emails that appear to come from your store’s domain. Your customers receive a phishing email that looks identical to your order confirmations, and their email provider has no instructions on whether to deliver it, flag it, or reject it.
DMARC works by connecting two existing authentication mechanisms — SPF and DKIM — and adding a policy layer on top. When an email arrives claiming to be from yourstore.com, the receiving server checks:
- SPF alignment — Is the sending server authorized to send on behalf of your domain?
- DKIM alignment — Does the email carry a valid cryptographic signature matching your domain?
- DMARC policy — If either check fails, what should the server do with the email?
For Shopify merchants specifically, DMARC matters because:
- Your domain sends transactional emails (order confirmations, shipping updates, password resets)
- Customers trust emails from your domain and act on them
- Scammers target ecommerce domains because they can trick customers into entering payment info
- Email deliverability improves when receiving servers can verify your authentication is properly configured
Before You Start: Check Your Current Setup
Before creating a DMARC record, verify your existing email authentication.
Check SPF
Open a terminal or use an online DNS lookup tool and query your domain’s TXT records. You need an SPF record that includes all services sending email on your behalf. At minimum, Shopify stores need include:_spf.shopify.com in their SPF record.
If you do not have an SPF record yet, set that up first. See our SPF record setup guide for detailed instructions.
Check DKIM
DKIM records are typically set up by your email sending services. Shopify handles DKIM for emails sent through their platform. If you use additional services like Klaviyo, Mailchimp, or Google Workspace, each one needs its own DKIM configuration.
Check in SecurEcommerce
- Open SecurEcommerce in your Shopify admin
- Go to Email Security
- Review the status indicators for SPF, DKIM, and DMARC
- If SPF and DKIM show issues, resolve those before proceeding with DMARC
DMARC relies on SPF and DKIM being correctly configured. Setting up DMARC without functioning SPF and DKIM will cause your legitimate emails to fail DMARC checks.
Step 1: Log Into Your DNS Provider
You need access to the DNS settings for your domain. This is where your domain is registered or where your nameservers point.
Common DNS providers for Shopify stores include:
- Shopify Managed Domains — Go to Shopify Admin > Settings > Domains > Manage Domain > DNS Settings
- Cloudflare — Log in at dash.cloudflare.com and select your domain
- GoDaddy — Go to My Products > DNS > Manage Zones
- Namecheap — Go to Domain List > Advanced DNS
- Google Domains — Go to My Domains > DNS
If you are unsure where your DNS is managed, look up your domain’s nameservers using a tool like dig NS yourdomain.com or an online nameserver checker. The nameservers tell you which provider controls your DNS.
Step 2: Create Your DMARC Record
A DMARC record is a TXT record added to your DNS at a specific subdomain: _dmarc.yourdomain.com.
Add the DNS Record
In your DNS provider’s dashboard:
- Click Add Record or New Record
- Set the record type to TXT
- Set the name/host to _dmarc (some providers require _dmarc.yourdomain.com — check their documentation)
- Set the value to your DMARC policy string (see below)
- Set TTL to 3600 (1 hour) or your provider’s default
- Save the record
Your First DMARC Record
Start with a monitoring-only policy:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com; pct=100
Breaking this down:
| Tag | Value | Meaning |
|---|---|---|
| v | DMARC1 | DMARC version (always DMARC1) |
| p | none | Policy: take no action on failures (monitor only) |
| rua | mailto:... | Where to send aggregate reports (daily summaries) |
| ruf | mailto:... | Where to send forensic reports (individual failure details) |
| pct | 100 | Apply policy to 100% of emails |
Replace yourdomain.com with your actual domain. The email addresses for rua and ruf must be real mailboxes you can access.
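As an added example (not code from the original guide or from SecurEcommerce), a small Python checker that splits a DMARC TXT value into the tags described above and validates them; it also insists on exactly one record at _dmarc, since duplicate records are a common mistake. The domain and mailbox names in it are placeholders.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT value into a {tag: value} dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def validate_dmarc(txt_records: list) -> list:
    """Check the TXT records found at _dmarc.<domain>; returns a list of problems (empty = OK)."""
    problems = []
    dmarc = [r for r in txt_records if r.strip().upper().startswith("V=DMARC1")]
    if not dmarc:
        return ["no DMARC record found at _dmarc"]
    if len(dmarc) > 1:
        # receivers handle duplicate records unpredictably, so flag this first
        problems.append(f"{len(dmarc)} DMARC records found; there must be exactly one")
    tags = parse_dmarc(dmarc[0])
    if tags.get("p") not in VALID_POLICIES:
        problems.append(f"p must be one of {sorted(VALID_POLICIES)}, got {tags.get('p')!r}")
    if "sp" in tags and tags["sp"] not in VALID_POLICIES:
        problems.append(f"sp must be one of {sorted(VALID_POLICIES)}, got {tags['sp']!r}")
    pct = tags.get("pct", "100")  # pct defaults to 100 when omitted
    if not (pct.isdigit() and 0 <= int(pct) <= 100):
        problems.append(f"pct must be an integer 0-100, got {pct!r}")
    for tag in ("rua", "ruf"):
        for uri in (u.strip() for u in tags.get(tag, "").split(",") if u.strip()):
            if not (uri.startswith("mailto:") and "@" in uri):
                problems.append(f"{tag} entry {uri!r} is not a mailto: address")
    if "rua" not in tags:
        problems.append("no rua tag: you will receive no aggregate reports")
    return problems


if __name__ == "__main__":
    # placeholder domain, as in the guide
    print(validate_dmarc(["v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100"]))
```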
Step 3: Understand DMARC Policy Options
DMARC has three policy levels. You should move through them in order, never jumping straight to reject without monitoring first.
p=none (Monitor Only)
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
- No emails are blocked or quarantined
- You receive reports showing which emails pass and fail authentication
- Use this to identify all legitimate sending services before enforcing
- Stay at this level for at least 2-4 weeks
This is the discovery phase. The reports will show you every server sending email on behalf of your domain. You may discover services you forgot about — a marketing tool, a CRM, a helpdesk platform. Each one needs to be authorized in your SPF record and have DKIM configured before you move to enforcement.
p=quarantine (Soft Enforcement)
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=25
- Emails failing DMARC are sent to the recipient’s spam/junk folder
- Start with pct=25 to apply this to only 25% of failing emails
- Gradually increase pct to 50, 75, then 100 as you confirm no legitimate emails are affected
- Stay at this level for at least 2-4 weeks with pct=100 before moving to reject
The pct tag is your safety net. If you set pct=25 and a legitimate email service is not properly authenticated, only 25% of those emails will be quarantined. The rest will still be delivered normally, giving you time to fix the issue.
p=reject (Full Enforcement)
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com
- Emails failing DMARC are rejected outright — they never reach the recipient
- This is the strongest protection against domain spoofing
- Only move here after confirming all legitimate email passes DMARC at the quarantine level
The progression timeline looks like this:
- Weeks 1-4: p=none — Collect data, fix authentication gaps
- Weeks 5-6: p=quarantine; pct=25 — Start soft enforcement on a fraction
- Weeks 7-8: p=quarantine; pct=100 — Full quarantine enforcement
- Week 9+: p=reject — Full rejection of unauthenticated email
Step 4: Set Up Report Monitoring
DMARC reports are XML files sent to the email addresses you specified in rua and ruf. Raw XML reports are difficult to read. You have several options for processing them.
Option A: Use a DMARC Report Service
Dedicated DMARC monitoring services parse your reports into readable dashboards. Some popular options:
- Postmark DMARC (free for basic monitoring)
- DMARC Analyzer
- Valimail
- dmarcian
These services give you a special email address to use in your rua tag. They process incoming reports and display them in a web dashboard with charts, graphs, and actionable recommendations.
Option B: Use SecurEcommerce Monitoring
SecurEcommerce checks your DMARC configuration and alerts you to issues:
- Go to Email Security in SecurEcommerce
- Your DMARC status is displayed on the dashboard
- SecurEcommerce monitors your record for misconfigurations
- You receive alerts if your DMARC record is removed or weakened
Understanding Aggregate Reports
Aggregate reports (rua) are sent daily by email providers and contain:
- Which IP addresses sent email using your domain
- How many messages passed or failed SPF
- How many messages passed or failed DKIM
- What action was taken based on your DMARC policy
Look for:
- Legitimate senders failing authentication — These need SPF/DKIM fixes
- Unknown IP addresses sending as your domain — These are potential spoofing attempts
- High failure rates — Investigate immediately before tightening your policy
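As an added example (not code from the original guide or from any DMARC service), a Python script that reads an aggregate report in the standard RFC 7489 XML layout and flags the three things listed above: known senders that fail, unknown sources, and the overall failure rate. The report and the sender inventory are constructed samples using documentation IP ranges.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample aggregate report in the RFC 7489 layout; IPs are from
# documentation ranges and stand in for real sources.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>example-receiver</org_name><report_id>42</report_id></report_metadata>
  <policy_published><domain>yourstore.com</domain><p>none</p><pct>100</pct></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>yourstore.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>yourstore.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>400</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>yourstore.com</header_from></identifiers></record>
</feedback>"""

# Constructed inventory of the sources you have authorized (build it from your SPF/DKIM setup).
KNOWN_SENDERS = {"192.0.2.10": "Shopify (placeholder IP)", "198.51.100.7": "marketing tool (placeholder IP)"}


def summarize_report(xml_text: str, known: dict) -> dict:
    """Tally messages per source IP and flag what the guide says to look for."""
    root = ET.fromstring(xml_text)
    passed, failed = Counter(), Counter()
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        # policy_evaluated carries the aligned results; DMARC passes if either does
        (passed if "pass" in (dkim, spf) else failed)[ip] += count
    findings = []
    for ip, n in failed.items():
        if ip in known:  # a legitimate sender that needs SPF/DKIM fixed before enforcement
            findings.append(f"FIX: {known[ip]} at {ip} failed DMARC on {n} messages")
        else:            # nobody you authorized: a potential spoofing source
            findings.append(f"UNKNOWN: {ip} failed DMARC on {n} messages")
    total = sum(passed.values()) + sum(failed.values())
    return {"domain": root.findtext("policy_published/domain"), "total": total,
            "failed": sum(failed.values()), "failure_rate": round(sum(failed.values()) / total, 2),
            "findings": findings}


if __name__ == "__main__":
    for line in summarize_report(SAMPLE_REPORT, KNOWN_SENDERS)["findings"]:
        print(line)
```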
Step 5: Fix Common DMARC Mistakes
Mistake 1: Skipping p=none and Going Straight to p=reject
This is the most common and most damaging mistake. If any legitimate email service is not properly authenticated, those emails will be rejected. Order confirmations, shipping notifications, and marketing emails could all disappear. Always start with monitoring.
Mistake 2: Forgetting Third-Party Senders
Every service that sends email on your behalf needs to be authorized. Common ones Shopify merchants forget:
- Klaviyo or Mailchimp for marketing emails
- Gorgias or Zendesk for support emails
- Recharge for subscription notifications
- ShipStation or AfterShip for shipping notifications
- Google Workspace or Microsoft 365 for team email
Check your rua reports during the monitoring phase to catch services you missed.
Mistake 3: Setting rua to a Non-Existent Mailbox
If the email address in your rua tag does not exist or the mailbox is full, you will not receive reports. Create a dedicated mailbox for DMARC reports and check that it is working. Alternatively, use a DMARC monitoring service that provides a dedicated receiving address.
Mistake 4: Having Multiple DMARC Records
Your domain should have exactly one DMARC record. If you have two TXT records at _dmarc.yourdomain.com, the behavior is unpredictable. Some receiving servers will use the first record, others will use the second, and some will ignore both. Check your DNS to make sure there is only one.
Mistake 5: Misaligning SPF and DKIM Domains
DMARC checks “alignment” — the domain in the From header must match the domain that passed SPF or DKIM. If your emails have a From address of orders@yourstore.com but the SPF-authenticated domain is mail.shopify.com, that is an alignment failure even though SPF itself passed. Shopify handles this correctly for their sending infrastructure, but third-party services sometimes do not. Check their DMARC alignment documentation.
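As an added example (not code from the original guide), a Python model of the alignment rule described above, in both relaxed and strict modes, applied to the orders@yourstore.com / mail.shopify.com case. It assumes the organizational domain is the last two labels, which is a simplification; a real receiver consults the Public Suffix List.

```python
from typing import Optional


def org_domain(fqdn: str) -> str:
    """Organizational domain, approximated as the last two labels.
    ASSUMPTION: real receivers use the Public Suffix List (co.uk and similar need three)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """DMARC identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed, the default) needs the same organizational domain."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)


def dmarc_result(header_from: str, spf_domain: Optional[str], spf_pass: bool,
                 dkim_domain: Optional[str], dkim_pass: bool,
                 aspf: str = "r", adkim: str = "r") -> dict:
    """Combine raw SPF/DKIM outcomes with alignment the way a receiver evaluates DMARC.
    spf_domain is the domain SPF authenticated (MAIL FROM); dkim_domain is the d= tag."""
    from_dom = header_from.rsplit("@", 1)[-1]
    spf_ok = spf_pass and spf_domain is not None and aligned(from_dom, spf_domain, aspf)
    dkim_ok = dkim_pass and dkim_domain is not None and aligned(from_dom, dkim_domain, adkim)
    # DMARC passes when at least one aligned identifier passes
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}


if __name__ == "__main__":
    # the misalignment case from the guide: SPF passes, but for a different organization
    print(dmarc_result("orders@yourstore.com", "mail.shopify.com", True, None, False))
```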
Mistake 6: Ignoring Subdomain Policy
If you send email from subdomains (like support.yourdomain.com), you may need a separate DMARC record or use the sp tag to set subdomain policy:
v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-reports@yourdomain.com
The sp=quarantine tag means subdomains that lack their own DMARC record will use quarantine policy rather than the parent domain’s reject policy.
Step 6: Verify and Monitor in SecurEcommerce
After creating your DMARC record:
- Verify DNS propagation — DNS changes can take up to 48 hours to propagate, though most complete within a few hours. Use an online DNS checker to verify your _dmarc TXT record is visible.
- Check in SecurEcommerce:
  - Open SecurEcommerce in your Shopify admin
  - Go to Email Security
  - Click Refresh Check to re-scan your DNS
  - Confirm the DMARC status shows as configured
- Set up ongoing monitoring:
  - SecurEcommerce will alert you if your DMARC record is removed or changed
  - Review your DMARC reports weekly during the monitoring phase
  - Review monthly once you reach full enforcement
- Track your progress through the policy stages:
  - Log when you move from p=none to p=quarantine to p=reject
  - Document which senders you authorized at each stage
  - Keep a record of any issues discovered in reports
DMARC Record Quick Reference
Here are complete DMARC record examples for each stage:
Stage 1 — Monitoring:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com
Stage 2 — Partial quarantine:
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@yourdomain.com
Stage 3 — Full quarantine:
v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@yourdomain.com
Stage 4 — Full enforcement:
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com
Full enforcement with subdomain policy:
v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com; pct=100
What’s Next
With DMARC configured, continue strengthening your email security:
- Set Up SPF Records — Ensure your SPF record covers all legitimate senders
- Set Up Email Security Monitoring — Configure SecurEcommerce to monitor your full email authentication stack
- Analyze Suspicious Emails — Forward phishing attempts to SecurEcommerce for analysis