Shopify has recently alerted all merchants that certain email authentication records must be added to the main domain brands use to send marketing emails, notifications and purchase automations. The change follows a new requirement from Gmail and Yahoo: senders must publish these records for the store's main domain (SPF or DKIM for every sender, and DMARC as well for domains that send mail in bulk) so that the receiving mail server can verify that the sender of an email is who they claim to be, which reduces the risk of phishing.
The technical team at Cluster | E-commerce Agency is currently preparing a guide to share with all Shopify and Shopify Plus merchants.
Leave us your details and we will send you the guide, or, if you need our specialized team to provide personalized assistance, we will be happy to help.
DMARC and the other forms of email authentication exist to prevent spoofing of email messages. Every email address has a domain, the part that follows the "@" symbol. Criminals and spammers sometimes send email from a domain they are not authorized to use, simply typing a fake sender address into the message, whether for fraud such as phishing or for other reasons.
Together, SPF, DKIM and DMARC act as a background check on email senders. SPF lists the servers allowed to send for a domain, DKIM lets the sending domain sign the message, and DMARC ties both checks to the domain shown in the From header and tells receivers what to do when they fail. For example, if a spammer sends an email from "trustworthy@example.com" without authorization to use the "example.com" domain, these mechanisms let the receiving mail server identify the spoofing attempt and either mark the message as spam or refuse delivery.
What is a DMARC Policy?
A DMARC policy defines the action a receiving mail server should take on an email after its SPF and DKIM checks have been evaluated. An email passes DMARC when at least one of the two checks passes and the domain that passed is aligned with the domain in the From header; it fails DMARC only when neither check passes with alignment. The DMARC policy specifies whether such a failure results in the email being marked as spam, blocked, or delivered anyway. Note that in the absence of a DMARC record mail servers can still mark emails as spam based on their own heuristics, but DMARC gives them an explicit instruction from the domain owner on what to do.
An example policy for the domain example.com might be:
"If an email fails the DKIM and SPF tests, it is marked as spam."
These policies are not recorded in human-readable form but as machine-readable tags, published as a DNS TXT record at the name _dmarc under the domain (for example _dmarc.example.com). The DMARC policy mentioned above would have the following actual format: v=DMARC1; p=quarantine; adkim=s; aspf=s;
Explanation of the elements:
- v=DMARC1 indicates that this TXT record contains a DMARC policy and should be interpreted as such by mail servers. It must be the first tag.
- p=quarantine tells mail servers to "quarantine" emails that fail both DKIM and SPF, treating them as potential spam. The other possible values are p=none , which requests no action (the message is delivered and the failure is only reported), and p=reject , which asks for failing emails to be blocked outright. Starting at p=none and moving to quarantine or reject once the reports show all legitimate senders passing is the usual rollout order.
- adkim=s sets DKIM alignment to "strict": the domain in the DKIM signature's d= tag must exactly match the From header domain. Changing the 's' to an 'r' (adkim=r , the default) selects "relaxed" alignment, which also accepts a subdomain of the From domain (for example a signature for mail.example.com on mail from example.com).
- aspf=s is the same setting for SPF: with strict alignment the envelope sender domain checked by SPF must exactly match the From domain, while aspf=r accepts subdomains. Strict alignment is the safer choice against spoofing, but it will cause legitimate mail sent through a third-party platform from a subdomain to fail, so verify how your platform signs and sends before enabling it.
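To make the evaluation concrete, here is an added example (written for this page, not code from Shopify, Gmail or the Cluster team) that parses a DMARC record into its tags and then applies the policy to the authentication results a receiver would have for a message. The SPF and DKIM results, the spoofed and legitimate sample messages, and the record text are all constructed for the illustration, and the organizational-domain function is a deliberate simplification: real receivers use the Public Suffix List, so two-part suffixes like co.uk would need that list.

```python
"""Parse a DMARC TXT record and decide what a receiver would do with a message.

Added example for this article; the sample record and auth results are constructed.
"""
from dataclasses import dataclass

# Constructed sample: the record the text explains.
SAMPLE_RECORD = "v=DMARC1; p=quarantine; adkim=s; aspf=s;"


def parse_dmarc(record: str) -> dict:
    """Turn 'tag=value; tag=value' into a dict of tags.

    Fills in the RFC 7489 defaults for adkim/aspf (relaxed) so the evaluator
    never has to guess, and rejects records that are not DMARC at all.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: missing v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels.

    Assumption: a simplification. Receivers use the Public Suffix List here.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts subdomains."""
    from_domain, auth_domain = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResult:
    """What the receiver knows after running SPF and DKIM on one message."""
    from_domain: str   # domain in the RFC 5322 From header (what the user sees)
    spf_pass: bool
    spf_domain: str    # envelope sender (MAIL FROM) domain that SPF checked
    dkim_pass: bool
    dkim_domain: str   # d= tag of the verified DKIM signature, "" if none


def dmarc_disposition(record: str, r: AuthResult) -> str:
    """Return 'pass', or the action the policy requests on failure."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_pass and aligned(r.from_domain, r.spf_domain, tags["aspf"])
    dkim_ok = r.dkim_pass and aligned(r.from_domain, r.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:          # one aligned pass is enough
        return "pass"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[tags["p"]]


if __name__ == "__main__":
    # Constructed spoof: attacker's server passes SPF for its own domain only.
    spoof = AuthResult("example.com", True, "attacker.net", False, "")
    # Constructed legitimate mail sent and signed from a subdomain.
    legit_sub = AuthResult("example.com", True, "mail.example.com", True, "mail.example.com")
    print("spoof under strict policy:   ", dmarc_disposition(SAMPLE_RECORD, spoof))
    print("subdomain under strict policy:", dmarc_disposition(SAMPLE_RECORD, legit_sub))
    print("subdomain under relaxed policy:", dmarc_disposition("v=DMARC1; p=quarantine", legit_sub))
```

Running it shows the trade-off described above: the spoofed message is quarantined under either alignment mode, but a legitimate message signed and sent from mail.example.com passes only under relaxed alignment and is quarantined under adkim=s; aspf=s.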