SenderReady

Shopify and Klaviyo SPF, DKIM, and DMARC setup review

Ecommerce teams often send customer mail from Shopify, lifecycle campaigns from Klaviyo, and support or review mail from other tools. Use this review to separate provider-generated DNS records from domain-level DMARC decisions before changing production DNS.

Scan the store domain first

Check the public DMARC, SPF, DKIM, BIMI, MTA-STS, and TLS-RPT signals before editing Shopify or Klaviyo authentication records.

01$0Free scan

Check the public sender-auth records mailbox providers expect.

02$0Shareable action plan

Keep one URL with evidence, owner steps, and decisions.

03$49$49 fix plan

Add human review, provider context, and verification steps.

Optional. Most first scans can run with just the domain.
Checks Gmail, Yahoo, and Microsoft sender requirementsPublic DNS onlyNo mailbox login needed
Example result72/100Needs attention

Review DMARC policy strength before a high-volume send.

Public DNS evidence
DMARC/SPF/DKIM status and caveats are visible before you pay.
Owner-ready next step
The audit adds provider context and a verification checklist.
Get the exact fix plan for your domain.$49 readiness audit: prioritized owner actions, DNS evidence, and verification checks.
Get my $49 fix planView sample
Sender readiness cockpitExample action plan

Public DNS workspace

Overall sender readiness

72/100

Needs attention

Sample output: one warning and one fail mean this domain is not campaign-ready yet.

DMARCPass
SPFPass
DKIMPass
MXPass
BIMIWarning
MTA-STSFail

Fix workspace preview

The scan becomes a focused work surface: evidence, owner action, verification, and the paid context a public lookup cannot infer.

HighDMARC

Review DMARC policy strength before a high-volume send.

Evidence
Evidence: a monitoring-only policy can satisfy visibility needs, but enforcement requires aligned legitimate senders.
Verify after change
Re-scan _dmarc after DNS propagation and confirm aligned SPF or DKIM senders before enforcement.
Paid audit adds
Policy sequence, starter record review, alignment questions, and enforcement caveats.
Get my fix plan

Why this setup is easy to misread

Shopify store notifications and Klaviyo marketing mail can both use a branded customer-facing address, but they authenticate through different provider flows. A green status in one admin screen does not prove every other sender aligned with DMARC.

Google lists SPF, DKIM, and DMARC as bulk-sender requirements for domains sending more than 5,000 messages per day to personal Gmail accounts. Shopify and Klaviyo both frame branded-domain authentication as part of meeting modern inbox-provider requirements, but neither removes the need to inventory all legitimate senders.

Setup areas to review

  • Start with the visible From domains: List the addresses customers see from Shopify notifications, Klaviyo campaigns, support replies, review requests, receipts, and shipping messages. DMARC alignment is evaluated against the visible From domain, so the brand domain inventory comes before DNS edits.
  • Check Shopify sender email status: Shopify says stores sending from a branded email address need domain authentication and a DMARC record for Gmail and Yahoo requirements. Shopify-managed domains can have authentication configured automatically, while third-party domains may require Shopify-provided CNAME records and a separate DMARC record.
  • Use Klaviyo branded sending domains for alignment: Klaviyo describes branded sending domains as the path away from shared klaviyomail.com identity. For a friendly-from address such as hello@example.com, Klaviyo explains that a matching branded sending domain such as send.example.com is needed for DMARC compliance.
  • Avoid duplicate SPF cleanup mistakes: Do not add a second root SPF record while trying to connect multiple ecommerce tools. Klaviyo notes that many setups do not need a root SPF record for Klaviyo because it uses its own Return-Path, and if SPF is edited it should normally be merged into the existing record at the correct hostname.
  • Verify DKIM with provider records and message headers: Shopify and Klaviyo generate account-specific DNS values. Copy those exact values from the provider admin screen, then verify public DNS and sample message headers instead of relying on a generic blog-post selector.

DNS record examples and caveats

These examples show the shape of common records. They are not safe copy/paste instructions for your store, because Shopify and Klaviyo generate account-specific values and your domain may already have valid records for other senders.

  • DMARC monitoring shape: v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com. Use a mailbox or DMARC reporting provider you actually monitor. Do not publish a reporting address that cannot receive aggregate reports.
  • Klaviyo marketing subdomain shape: send.example.com. Klaviyo generates dynamic NS records or static CNAME/TXT records for the chosen subdomain. The exact values come from the Klaviyo account, not this guide.
  • Shopify CNAME record shape: provider-generated CNAME host -> provider-generated target. Shopify displays the exact CNAME records for third-party domain authentication. Add every record shown and wait for DNS propagation.

Safe verification sequence

  1. Scan the root domain and each sending subdomain.
  2. Open Shopify sender email authentication and record the exact CNAME values shown.
  3. Open Klaviyo branded sending domain setup and record the chosen send type and routing mode.
  4. Send test messages from Shopify and Klaviyo to inspect SPF, DKIM, and DMARC header results.
  5. Review DMARC aggregate reports before moving beyond monitoring policy.

Shopify and Klaviyo FAQ

Should Shopify and Klaviyo use the same sending domain?

Usually they should not share the exact same hostname unless both providers explicitly support that configuration. A common pattern is to keep the brand root for the visible From address and use provider-specific subdomains for authentication, but confirm the exact plan in Shopify, Klaviyo, and your DNS provider.

Does p=none make an ecommerce domain safe?

No. A p=none policy is useful for monitoring and can meet some minimum sender requirements, but it does not ask receivers to quarantine or reject unauthorized mail. Review aggregate reports and sender alignment before considering enforcement.

Can Klaviyo fix DMARC automatically?

Klaviyo can generate or publish some DNS records during branded sending domain setup, and it can generate a basic DMARC record when the domain is missing one. DMARC remains a domain-level policy that should be reviewed against every legitimate sender, not only Klaviyo.

Why did Shopify rewrite my sender email?

Shopify documentation says unauthenticated branded sender addresses may be rewritten to a shopifyemail.com address so customer emails can continue sending under minimum requirements. Treat that as a signal to authenticate the domain and review DMARC.

Turn the scan into a Shopify/Klaviyo fix list

SenderReady readiness audits organize public DNS findings, provider-specific review steps, and cautious next actions for ecommerce sender stacks. The report is a diagnostic aid, not a deliverability guarantee.

View audit options