Email & Deliverability | April 28, 2026 | 8 min read

SPF, DMARC, and MX Records: Email Deliverability for Ecommerce Explained

Order confirmations, shipping notifications, abandoned cart emails — your store sends a lot of email. If your DNS records aren't set up correctly, those emails go to spam or get rejected entirely.

StoreVitals Team

An ecommerce store that doesn't send transactional email isn't really running. Order confirmations, shipping updates, return labels, password resets, abandoned cart recovery, post-purchase reviews — every transaction creates a chain of automated emails. When those emails go to spam or get rejected outright, your customer experience falls apart in ways you might not even notice.

Three DNS records control whether your email reaches the inbox: SPF, DKIM, and DMARC. A fourth, the MX record, tells the world where to deliver mail for your domain. Most stores have at least one of them broken or missing.

The Three Email Authentication Records

SPF (Sender Policy Framework)

SPF is a TXT record that lists which servers are authorized to send email for your domain. When a receiving mail server (Gmail, Outlook, etc.) gets an email claiming to be from you, it checks your SPF record to verify the sending server is on the approved list.

A typical SPF record for a Shopify store using Klaviyo for marketing email looks like:

v=spf1 include:shops.shopify.com include:_spf.klaviyo.com -all

The -all at the end means "any sender not in this list should be rejected." A common mistake is using ~all (soft fail) when -all (hard fail) is what you actually want.

DKIM (DomainKeys Identified Mail)

DKIM is a cryptographic signature added to every email you send. It proves the email genuinely came from your domain and wasn't modified in transit. The receiving server fetches your public key from DNS and verifies the signature.

DKIM is set up by your email provider — Klaviyo, Mailchimp, Postmark, etc. — by adding a CNAME or TXT record they generate. If you've never set up DKIM, your transactional emails are unsigned and look suspicious to spam filters.

DMARC (Domain-based Message Authentication)

DMARC ties SPF and DKIM together with a policy: what should receivers do when an email fails authentication? A typical DMARC record:

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourstore.com; pct=100

The three policy values:

  • p=none: Just monitor. Don't reject anything. Use this initially while you verify all your senders are configured correctly.
  • p=quarantine: Send failing email to spam. The middle ground.
  • p=reject: Bounce failing email. The strict choice — only use after extensive testing.
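A small linter for the record format described above, as an added example that is not StoreVitals code. It reports the conditions this article warns about (monitoring-only policy, partial pct, no report address); the function names and the extra sample records in the test are constructed for illustration.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record):
    """Split a DMARC TXT value into a {tag: value} dict (tag names lower-cased)."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def lint_dmarc(record):
    """Return findings for one DMARC record; an empty list means enforced and reported."""
    if record.split(";")[0].replace(" ", "") != "v=DMARC1":
        return ["not a DMARC record: v=DMARC1 must be the first tag"]
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append(f"invalid or missing p= value: {policy!r}")
    elif policy == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when the tag is absent
    except ValueError:
        pct = -1
    if not 0 <= pct <= 100:
        findings.append("pct must be an integer from 0 to 100")
    elif pct < 100 and policy in ("quarantine", "reject"):
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    uris = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not uris:
        findings.append("no rua= address: aggregate reports are not sent anywhere")
    elif any(not u.lower().startswith("mailto:") for u in uris):
        findings.append("rua= contains a URI that is not mailto:")
    return findings

# The record shown in this article; it produces no findings.
ARTICLE_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourstore.com; pct=100"

if __name__ == "__main__":
    print(lint_dmarc(ARTICLE_RECORD))
    print(lint_dmarc("v=DMARC1; p=none"))  # constructed: monitoring with no reports
```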

Why Stores Get This Wrong

Ecommerce email is unusual: stores typically send through 3-5 different services. Shopify (or your platform) sends order confirmations. Klaviyo sends marketing. Gorgias or Zendesk sends support replies. Loop or Returnly sends return notifications. Each one needs to be in your SPF record, with DKIM keys configured.

The most common failure modes:

  • SPF record missing entirely: Stores that never set this up. Marketing email lands in spam.
  • SPF record exceeds 10 DNS lookups: Each include: in your SPF can recursively fetch more includes. Past 10 total lookups, the record is invalid.
  • DKIM not set up for marketing platform: Order emails are signed but Klaviyo emails aren't.
  • No DMARC record: No reporting, no policy enforcement, no protection against spoofing.
  • DMARC reports going to a forgotten inbox: The reports are valuable. Check them.
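The lookup limit and the ~all mistake from the SPF section can both be checked mechanically. This added example (not StoreVitals code) goes beyond include: and counts every SPF term that costs a DNS query: include, a, mx, ptr, exists and redirect. It assumes a constructed in-memory zone in place of live DNS, with invented provider names.

```python
import re

# Constructed sample zone (domain -> SPF TXT record). All names and records are
# invented for illustration; they are not any real provider's published records.
SAMPLE_ZONE = {
    "yourstore.com": ("v=spf1 include:platform.example include:marketing.example "
                      "include:helpdesk.example include:returns.example mx ~all"),
    "platform.example": "v=spf1 include:a.platform.example include:b.platform.example -all",
    "a.platform.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "b.platform.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "marketing.example": "v=spf1 include:pool.marketing.example a -all",
    "pool.marketing.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "helpdesk.example": "v=spf1 include:relay.helpdesk.example exists:%{i}.helpdesk.example -all",
    "relay.helpdesk.example": "v=spf1 ip4:192.0.2.128/25 -all",
    "returns.example": "v=spf1 a mx -all",
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # one DNS query each
LIMIT = 10
TERM = re.compile(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?")

def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms reachable from domain's SPF record, recursively."""
    if domain in path:
        raise ValueError(f"SPF include loop through {domain}")
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        name, target = TERM.match(term.lower()).groups()
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect") and target:
                total += count_lookups(target, zone, path + (domain,))
    return total

def audit_spf(domain, zone):
    """Return findings for the failure modes listed above; empty list means clean."""
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return ["SPF record missing"]
    findings = []
    lookups = count_lookups(domain, zone)
    if lookups > LIMIT:
        findings.append(f"{lookups} DNS lookups, over the limit of {LIMIT}")
    if record.split()[-1].lower() == "~all":
        findings.append("ends in ~all (soft fail) instead of -all")
    return findings
```

Here the top-level record has only five lookup terms of its own, but the nested includes bring the total to 13, so audit_spf("yourstore.com", SAMPLE_ZONE) reports both problems.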

The Spoofing Threat

Without SPF and DMARC, anyone can send email pretending to be from your domain. "Your order has shipped — click here to track" emails sent from a spoofed yourstore.com address are a real threat. Customers who get phished blame your brand. Setting up SPF and DMARC isn't just deliverability — it's brand protection.

How to Audit Your Setup

Free tools to check your DNS records:

  • StoreVitals DNS Health Checker — quick read of your SPF, DMARC, and MX
  • Google MX Toolbox — comprehensive checks across all record types
  • DMARC Analyzer — full DMARC report parsing

Run a full check after every change to your email provider stack. A new email tool added without updating SPF means its emails go straight to spam.

Setting Up DMARC the Right Way

Don't jump straight to p=reject. The recommended rollout:

  1. Week 1-2: Set up p=none with reports to a monitored inbox. Check what emails are failing.
  2. Week 3-4: Fix any legitimate senders that are failing (usually means adding to SPF or setting up DKIM).
  3. Week 5+: Move to p=quarantine; pct=10 — quarantine 10% of failing emails. Increase weekly.
  4. After full coverage: Move to p=reject.

Skipping the monitoring phase causes legitimate transactional emails to bounce. That's worse than the original problem.
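During the p=none weeks, the aggregate reports are what tell you which senders to fix. This added example (not StoreVitals code) sorts report rows by how many of the two checks passed; the sample report is constructed, and it assumes the report XML uses no namespace.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed DMARC aggregate report with invented IPs and counts.
# Real reports arrive from third parties: parse those with a hardened
# XML parser (for example the defusedxml package) rather than plain ElementTree.
SAMPLE_REPORT = """
<feedback>
  <policy_published><domain>yourstore.com</domain><p>none</p><pct>100</pct></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>420</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>yourstore.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>130</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>yourstore.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.55</source_ip><count>37</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>yourstore.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.55</source_ip><count>5</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>yourstore.com</header_from></identifiers></record>
</feedback>
"""

def summarize(report_xml):
    """Group message counts per source IP by how many DMARC checks passed.

    "fail"   = neither SPF nor DKIM passed: would be quarantined or rejected
    "single" = only one passed: delivered today, but one misconfiguration from failing
    "pass"   = both passed
    """
    result = {"fail": Counter(), "single": Counter(), "pass": Counter()}
    for record in ET.fromstring(report_xml).iter("record"):
        row = record.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count", "0"))
        checks = [row.findtext("policy_evaluated/dkim"),
                  row.findtext("policy_evaluated/spf")]
        bucket = ("fail", "single", "pass")[checks.count("pass")]
        result[bucket][ip] += count
    return result

if __name__ == "__main__":
    for bucket, sources in summarize(SAMPLE_REPORT).items():
        print(bucket, dict(sources))
```

A source in the "fail" bucket is either a legitimate sender missing from SPF and DKIM or someone spoofing the domain; identify which before raising the policy.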

BIMI: The Logo in Gmail

BIMI (Brand Indicators for Message Identification) lets your logo appear next to your emails in Gmail. It requires DMARC at p=quarantine or p=reject as a prerequisite. Once you've gotten DMARC right, BIMI is the logical next step — it improves brand recognition and trust in the inbox.

What StoreVitals Checks

StoreVitals scans your domain's DNS records during every health check, flags missing SPF/DMARC records, and warns about misconfigurations like soft-fail policies and excessive DNS lookups. The free DNS Health Checker tool gives you the same view on demand.

Email deliverability isn't glamorous, but it directly affects revenue: every order confirmation that lands in spam is a customer who emails support asking where their receipt is.
