
How to Set Up SPF Records for Your Shopify Store

Configure SPF DNS records for your Shopify store. Authorize sending servers and avoid delivery issues.

10 minutes
5 steps
intermediate level

Before You Start

  • SecurEcommerce installed
  • Access to your Shopify admin

What SPF Records Do

SPF (Sender Policy Framework) is a DNS record that lists which mail servers are allowed to send email on behalf of your domain. When someone receives an email from orders@yourstore.com, their email provider checks your SPF record to verify that the server which sent the email is authorized.

Without an SPF record, any server in the world can send email claiming to be from your domain. Email providers cannot distinguish between your legitimate order confirmations and a scammer’s phishing email. With a properly configured SPF record, unauthorized emails are flagged or rejected.

SPF works through a simple mechanism:

  1. You publish a TXT record in your DNS that lists authorized senders
  2. When your email arrives at a receiving server, that server looks up your SPF record
  3. The server checks whether the sending IP address matches one of your authorized senders
  4. If it matches, SPF passes. If it does not, SPF fails
  5. The receiving server uses the SPF result (along with DKIM and DMARC) to decide whether to deliver, flag, or reject the email

For Shopify stores, SPF is critical because you likely have multiple services sending email on your behalf — Shopify itself for transactional emails, a marketing platform for campaigns, possibly a helpdesk for support tickets, and maybe a subscription service for recurring order notifications.
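The five-step check described above, sketched as a simplified evaluator. This is an added example, not code from the original guide or from SecurEcommerce; the zone data, the .example domains and the function names are constructed for illustration, and only ip4:, ip6:, include: and all are handled.

```python
import ipaddress

# Constructed sample zone (not real DNS data): domain -> list of TXT strings.
ZONE = {
    "yourstore.example": ["v=spf1 include:_spf.mailer.example ip4:203.0.113.10 ~all"],
    "_spf.mailer.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain, zone):
    """Return the domain's single SPF record, or None when it has none."""
    records = [t for t in zone.get(domain, []) if t.lower().startswith("v=spf1")]
    if len(records) > 1:
        raise ValueError("permerror: multiple SPF records for " + domain)
    return records[0] if records else None


def check_host(ip, domain, zone):
    """Evaluate the sending IP against the domain's record, left to right."""
    record = spf_record(domain, zone)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            matched = True
        elif mech.startswith(("ip4:", "ip6:")):
            matched = addr in ipaddress.ip_network(mech[4:], strict=False)
        elif mech.startswith("include:"):
            # An include matches only when the included record returns pass;
            # a fail inside the included record does not fail the outer check.
            matched = check_host(ip, mech[8:], zone) == "pass"
        else:
            raise ValueError("mechanism not handled in this sketch: " + term)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"
```

Note that an address rejected by the included record's -all still ends as softfail here, because the outer record's ~all is the term that finally matches.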

Step 1: Check Your Current SPF Record

Before making changes, find out what you currently have.

Using an Online Lookup Tool

Visit a DNS lookup tool like MXToolbox, DNSChecker, or Google Admin Toolbox and query the TXT records for your domain. Look for a record that starts with v=spf1.

Using the Command Line

On Mac or Linux, open a terminal and run:

dig TXT yourdomain.com +short

On Windows, use:

nslookup -type=TXT yourdomain.com

Look for a result containing v=spf1. That is your SPF record.

Using SecurEcommerce

  1. Open SecurEcommerce in your Shopify admin
  2. Navigate to Email Security
  3. Your current SPF status is shown with specific details about what was found
  4. SecurEcommerce flags missing records, syntax errors, and missing sender includes

Interpreting What You Find

No SPF record found: You need to create one from scratch. This is common for stores that have not configured email authentication before.

SPF record exists but incomplete: You have a record but it may not include all your sending services. Check whether Shopify, your marketing platform, and other senders are listed.

SPF record exists with errors: Syntax issues, too many lookups, or conflicting records need to be fixed before adding more senders.

Step 2: Build Your SPF Record

An SPF record is a single TXT record with a specific syntax. It starts with v=spf1, followed by mechanisms that define authorized senders, and ends with a default action for unauthorized senders.

Basic Structure

v=spf1 [mechanism1] [mechanism2] [mechanism3] [default]

Identify All Your Sending Services

Make a list of every service that sends email using your domain. For each one, find their SPF include directive. Here are the most common services Shopify merchants use:

Service             SPF Include
Shopify             include:_spf.shopify.com
Google Workspace    include:_spf.google.com
Microsoft 365       include:spf.protection.outlook.com
Klaviyo             include:_spf.klaviyo.com
Mailchimp           include:servers.mcsv.net
SendGrid            include:sendgrid.net
Postmark            include:spf.mtasv.net
Zendesk             include:mail.zendesk.com
Freshdesk           include:email.freshdesk.com
Gorgias             include:_spf.gorgias.com
HubSpot             include:_spf.hubspot.com

Check each service’s documentation for their current SPF include directive, as these can change.

Construct Your Record

Combine all your senders into a single record. For a typical Shopify store using Google Workspace for email and Klaviyo for marketing:

v=spf1 include:_spf.shopify.com include:_spf.google.com include:_spf.klaviyo.com ~all

Choose Your Default Action

The last part of your SPF record tells receiving servers what to do with emails from unauthorized senders:

  • ~all (softfail) — Mark unauthorized emails as suspicious but still deliver them. Recommended as a starting point.
  • -all (hardfail) — Reject unauthorized emails outright. Use this once you are confident all legitimate senders are included.
  • ?all (neutral) — Take no action. This is effectively the same as not having SPF and should be avoided.
  • +all (pass) — Allow all senders. This defeats the purpose of SPF entirely. Never use this.

Recommendation: Start with ~all and move to -all once you have confirmed through monitoring that all legitimate emails pass SPF checks.

Step 3: Add the SPF Record to Your DNS

Shopify Managed Domains

  1. Go to your Shopify Admin
  2. Navigate to Settings > Domains
  3. Click on your domain
  4. Go to DNS Settings
  5. Click Add custom record
  6. Select TXT record
  7. Leave the name field as @ (or blank, depending on interface)
  8. Paste your SPF record as the value
  9. Save

Cloudflare

  1. Log into Cloudflare and select your domain
  2. Go to DNS > Records
  3. Click Add record
  4. Type: TXT
  5. Name: @
  6. Content: Your SPF record value
  7. Click Save

GoDaddy

  1. Go to My Products > DNS > Manage Zones
  2. Search for your domain
  3. Click Add Record
  4. Type: TXT
  5. Name: @
  6. Value: Your SPF record value
  7. TTL: 1 Hour
  8. Click Save

Namecheap

  1. Go to Domain List > select your domain > Advanced DNS
  2. Click Add New Record
  3. Type: TXT Record
  4. Host: @
  5. Value: Your SPF record value
  6. TTL: Automatic
  7. Click Save

Important: One SPF Record Only

Your domain must have exactly one SPF record. If you already have one and need to add senders, edit the existing record rather than creating a second one. Multiple SPF records cause unpredictable behavior and will likely result in SPF failures for all your email.

Wrong — two separate records:

v=spf1 include:_spf.shopify.com ~all
v=spf1 include:_spf.google.com ~all

Correct — one combined record:

v=spf1 include:_spf.shopify.com include:_spf.google.com ~all

Step 4: Avoid Common SPF Mistakes

The 10 DNS Lookup Limit

SPF has a hard limit of 10 DNS lookups per record. Each include: directive counts as at least one lookup, and some includes contain nested includes that add to the count. If your record exceeds 10 lookups, SPF will return a permanent error (permerror) and all your emails will fail SPF.

How to count your lookups:

Each of these mechanisms triggers a DNS lookup:

  • include: (1 lookup, plus any lookups within the included record)
  • a (1 lookup)
  • mx (1 lookup, plus one for each MX record returned)
  • redirect= (1 lookup)

These do NOT count as lookups:

  • ip4: (direct IP, no lookup needed)
  • ip6: (direct IP, no lookup needed)
  • all (no lookup)

Example count:

v=spf1 include:_spf.shopify.com include:_spf.google.com include:_spf.klaviyo.com include:sendgrid.net include:mail.zendesk.com ~all

This is 5 direct lookups, but _spf.google.com contains nested includes that add 3 more, bringing the total to around 8. Check yours with an SPF lookup count tool.
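One way to automate the count, as an added example that is not part of the original guide or of any tool it names. It walks include: and redirect= targets recursively over a constructed in-memory zone (every .example domain and record is made up) and also reports missing or duplicate SPF records; in real use the zone dictionary would be replaced by live TXT queries.

```python
import re

# Constructed sample zone (not real DNS data): domain -> list of TXT strings.
LEAF = ["v=spf1 ip4:198.51.100.0/24 ~all"]
ZONE = {
    "yourstore.example": ["v=spf1 include:_spf.shop.example "
                          "include:_spf.mail.example include:_spf.crm.example mx ~all"],
    "_spf.shop.example": LEAF,
    "_spf.mail.example": ["v=spf1 include:_n1.mail.example "
                          "include:_n2.mail.example include:_n3.mail.example ~all"],
    "_n1.mail.example": LEAF, "_n2.mail.example": LEAF, "_n3.mail.example": LEAF,
    "_spf.crm.example": ["v=spf1 include:_a.crm.example include:_b.crm.example "
                         "a:relay.crm.example ~all"],
    "_a.crm.example": LEAF, "_b.crm.example": LEAF,
}
LOOKUP_LIMIT = 10


def count_lookups(domain, zone, path=()):
    """Return (lookups, problems) for the SPF record published at domain."""
    if domain in path:
        return 0, ["include loop through " + domain]
    records = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        return 0, ["%s publishes %d SPF records, expected 1" % (domain, len(records))]
    lookups, problems = 0, []
    for term in records[0].split()[1:]:
        name, _, arg = re.match(r"[+\-~?]?([a-z0-9]*)([:=/]?)(.*)", term.lower()).groups()
        if name in ("include", "redirect"):
            nested, found = count_lookups(arg, zone, path + (domain,))
            lookups += 1 + nested
            problems += found
        elif name in ("a", "mx", "ptr", "exists"):
            # Counted once each; the address lookups behind mx are not modelled.
            lookups += 1
    return lookups, problems


def audit(domain, zone):
    """Count lookups for domain and flag a record that exceeds the SPF limit."""
    lookups, problems = count_lookups(domain, zone)
    if lookups > LOOKUP_LIMIT:
        problems.append("permerror: %d lookups exceeds the limit of %d"
                        % (lookups, LOOKUP_LIMIT))
    return lookups, problems
```

The sample record sits exactly at the limit, so adding one more include: (even a stale one whose target no longer publishes a record) pushes it over.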

How to Stay Under the Limit

If you are approaching or exceeding 10 lookups:

Option 1: Use IP addresses directly

If a service has a small, stable set of sending IPs, list them with ip4: instead of using include: (the addresses below are placeholders):

v=spf1 include:_spf.shopify.com ip4:192.168.1.1 ip4:10.0.0.1 ~all

This works for services with a few fixed IPs but not for large services like Google or Shopify that use many rotating IPs.

Option 2: SPF flattening

SPF flattening resolves all your includes into direct IP addresses and updates them automatically. Services like AutoSPF, SPF Flattening by dmarcian, and EasySPF handle this for you.

Option 3: Remove unused senders

Audit your includes. If you switched from Mailchimp to Klaviyo six months ago but never removed the Mailchimp include, remove it now.

Syntax Errors

SPF records are unforgiving about syntax. Common mistakes:

  • Missing v=spf1 at the start — The record will be ignored entirely
  • Extra spaces — Use exactly one space between each mechanism
  • Typos in include domains: include:_spf.shpoify.com silently fails
  • Using redirect and all together: redirect= replaces the entire SPF evaluation. If you have both, the all mechanism is ignored
  • Uppercase — SPF is case-insensitive, but stick to lowercase for consistency

Using ~all vs -all Incorrectly

If you switch to -all (hardfail) before all your senders are included, legitimate emails will be rejected. The difference:

  • ~all says “emails from unlisted senders are suspicious” — they usually still get delivered but may be flagged
  • -all says “reject emails from unlisted senders” — they will be bounced or dropped

Start with ~all. Only move to -all after weeks of monitoring confirm that every legitimate service passes SPF.

Step 5: Test and Validate Your SPF Record

Verify DNS Propagation

After saving your SPF record, it needs to propagate across DNS servers. This typically takes 15 minutes to a few hours, though it can take up to 48 hours in rare cases.

Check propagation using:

  1. An online tool like DNSChecker.org — enter your domain and select TXT records
  2. Command line: dig TXT yourdomain.com +short (run from multiple locations if possible)
  3. MXToolbox SPF checker — validates both the record and its syntax

Test With a Real Email

Send a test email to a Gmail address and inspect the headers:

  1. Send an email from your domain to a Gmail account you control
  2. Open the email in Gmail
  3. Click the three dots menu > Show original
  4. Look for the Authentication-Results header
  5. Find the spf= result — it should say pass

If you see spf=softfail or spf=fail, your record is not correctly authorizing the sending service.
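The header check above can be scripted when you test several sending services. This added example (not from the original guide) reads only the Authentication-Results header stamped by the receiving server you name, since copies added earlier in transit are not evidence of anything; the sample message, the .example domains and the function name are constructed, and the comment text matched is the form Gmail writes.

```python
import re
from email import message_from_string

# Constructed headers (not from a real mailbox), in the shape Gmail's
# "Show original" view displays them. The second header was added upstream.
RAW = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@yourstore.example header.s=s1;
       spf=softfail (google.com: domain of transitioning orders@yourstore.example
       does not designate 192.0.2.44 as permitted sender)
       smtp.mailfrom=orders@yourstore.example
Authentication-Results: mx.upstream.example; spf=pass smtp.mailfrom=orders@yourstore.example
From: orders@yourstore.example
Subject: Order 1001 confirmed

Thanks for your order.
"""


def spf_result(raw_message, trusted_authserv):
    """Return (result, mailfrom, sender_ip) from the trusted receiver's header only."""
    msg = message_from_string(raw_message)
    for value in msg.get_all("Authentication-Results", []):
        flat = " ".join(value.split())              # unfold continuation lines
        authserv, _, rest = flat.partition(";")
        if authserv.strip().lower() != trusted_authserv.lower():
            continue                                # skip headers from other servers
        ip = re.search(r"designates? (\S+) as permitted sender", rest)
        rest = re.sub(r"\([^)]*\)", " ", rest)      # drop parenthesised comments
        result = re.search(r"\bspf=(\w+)", rest)
        mailfrom = re.search(r"\bsmtp\.mailfrom=([^\s;]+)", rest)
        if result:
            return (result.group(1).lower(),
                    mailfrom.group(1) if mailfrom else None,
                    ip.group(1) if ip else None)
    return (None, None, None)
```

The returned IP address is the server that actually sent the message, which tells you which service is missing from your record.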

Validate in SecurEcommerce

  1. Open SecurEcommerce in your Shopify admin
  2. Go to Email Security
  3. Click Refresh Check
  4. Review the SPF status — it should show green with your complete record displayed
  5. SecurEcommerce will flag any warnings such as approaching the lookup limit or missing common senders

Run an SPF Record Audit

Use MXToolbox’s SPF lookup or a similar tool to check:

  • Syntax validity — Is the record properly formatted?
  • Lookup count — Are you under the 10 lookup limit?
  • Nested includes — Are all included domains resolving correctly?
  • Duplicate mechanisms — Are any senders listed twice?

Set Up Ongoing Monitoring

SPF is not a set-and-forget configuration. You need to update it when:

  • You add a new email sending service
  • You remove an old service
  • A sending service changes their SPF include domain
  • You change email providers

SecurEcommerce monitors your SPF record continuously and alerts you if:

  • The record is removed or changed unexpectedly
  • The lookup count approaches or exceeds 10
  • A previously included domain becomes unreachable
  • Syntax errors are introduced

SPF Record Examples for Common Setups

Shopify Only

If Shopify is your only email sender:

v=spf1 include:_spf.shopify.com ~all

Shopify + Google Workspace

v=spf1 include:_spf.shopify.com include:_spf.google.com ~all

Shopify + Google Workspace + Klaviyo

v=spf1 include:_spf.shopify.com include:_spf.google.com include:_spf.klaviyo.com ~all

Shopify + Microsoft 365 + Klaviyo + Gorgias

v=spf1 include:_spf.shopify.com include:spf.protection.outlook.com include:_spf.klaviyo.com include:_spf.gorgias.com ~all

Full Stack (Approaching Lookup Limit)

v=spf1 include:_spf.shopify.com include:_spf.google.com include:_spf.klaviyo.com include:sendgrid.net include:mail.zendesk.com ~all

This record is at approximately 8-9 lookups depending on nested includes. Adding more services would require SPF flattening.

Troubleshooting

“SPF record not found”

  • Verify you added the record to the correct domain (not a subdomain unless intended)
  • Check that the record type is TXT, not CNAME or other types
  • Wait for DNS propagation (up to 48 hours, usually much faster)
  • Confirm you are looking at the right DNS provider (check your nameservers)

“Too many DNS lookups”

  • Count your lookups using an SPF checker tool
  • Remove includes for services you no longer use
  • Consider SPF flattening for complex setups
  • Replace includes with direct ip4: entries where feasible

“SPF softfail” on legitimate emails

  • The sending service is not listed in your SPF record
  • Add the correct include: for that service
  • Check whether the service uses a different sending domain that needs its own SPF

“Multiple SPF records detected”

  • You have more than one TXT record starting with v=spf1
  • Combine them into a single record
  • Delete the duplicate(s)
  • Verify with a DNS lookup that only one remains

What’s Next

With SPF properly configured, continue building your email authentication:

  • Set Up DMARC — Add a DMARC policy to instruct receiving servers how to handle SPF and DKIM failures
  • Set Up Email Security Monitoring — Configure SecurEcommerce to monitor your SPF, DKIM, and DMARC continuously
  • Analyze Suspicious Emails — Use SecurEcommerce to check whether suspicious emails targeting your customers are spoofing your domain
