Email Security

SPF Records: Authorizing Email Senders for Your Shopify Domain

Learn how SPF records tell email servers which services can send email on behalf of your Shopify store.


What is SPF?

SPF (Sender Policy Framework) is a DNS record that lists which mail servers are allowed to send email on behalf of your domain. Think of it as a guest list for a VIP event—only the servers you’ve authorized can claim to be sending from your domain.

How SPF Works

When someone receives an email claiming to be from orders@yourstore.com, their email server checks your SPF record to see if the sending server is on your approved list. If it’s not, the email is flagged as suspicious or rejected entirely.

Why Shopify Stores Need SPF

As a Shopify merchant, emails go out from your domain constantly:

  • Order confirmations
  • Shipping notifications
  • Password resets
  • Marketing campaigns (Klaviyo, Mailchimp, etc.)
  • Support tickets

Without SPF, scammers can send emails that appear to come from your domain. Customers receive fake “order confirmation” emails with phishing links, and they blame your brand when they get scammed.

Common Services That Need SPF Authorization

For most Shopify stores, your SPF record should include:

  • Shopify: include:shops.shopify.com
  • Klaviyo: include:sendgrid.net
  • Mailchimp: include:servers.mcsv.net
  • Google Workspace: include:_spf.google.com
  • Microsoft 365: include:spf.protection.outlook.com

How to Check Your SPF Record

  1. Visit a DNS lookup tool (like MXToolbox or DNSchecker)
  2. Enter your domain name
  3. Select TXT record lookup
  4. Look for a record starting with v=spf1

A healthy SPF record looks like:

v=spf1 include:shops.shopify.com include:sendgrid.net -all

Common SPF Mistakes

Too Many Lookups

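SPF allows only 10 DNS lookups per check, and every include counts toward that limit, along with any includes nested inside it. Adding too many services pushes the record over the limit, which causes your SPF to fail silently and breaks email deliverability.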

Missing the -all Suffix

Your SPF record should end with -all (reject unauthorized senders) or ~all (soft fail). Without this, the record doesn’t provide real protection.

Forgetting to Add New Services

When you add a new email service (like switching from Klaviyo to Omnisend), you must update your SPF record or that service’s emails will fail authentication.
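
The checks from "How to Check Your SPF Record" and the first two mistakes above, as an added Python example (not Recon's or Shopify's code). The TXT data is constructed and stands in for live DNS answers, the function names are hypothetical, and accepting a trailing redirect= in place of -all or ~all is an assumption.

```python
# Constructed sample data standing in for live DNS TXT answers. The nested
# records are invented for the example, not the vendors' real SPF records.
SAMPLE_TXT = {
    "yourstore.com": ["v=spf1 include:shops.shopify.com include:sendgrid.net -all"],
    "shops.shopify.com": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "sendgrid.net": ["v=spf1 include:u1.sendgrid.example ip4:198.51.100.0/24 ~all"],
    "u1.sendgrid.example": ["v=spf1 a mx ~all"],
    "nopolicy.example": ["v=spf1 include:shops.shopify.com"],
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # one DNS query each
MAX_LOOKUPS = 10  # the limit the page refers to (RFC 7208, section 4.6.4)


def spf_record(domain, txt):
    """Return the domain's v=spf1 record, or None if it has none or more than one."""
    found = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    return found[0] if len(found) == 1 else None


def count_lookups(domain, txt, stack=()):
    """Count DNS-querying terms, following include: and redirect= targets."""
    record = spf_record(domain, txt)
    if record is None or domain in stack:  # missing record or include loop
        return 0
    total = 0
    for term in record.split()[1:]:
        sep = "=" if term.lower().startswith("redirect=") else ":"
        name, _, target = term.lstrip("+-~?").partition(sep)
        name = name.split("/")[0].lower()
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect") and target:
            total += count_lookups(target, txt, stack + (domain,))
    return total


def audit_spf(domain, txt=SAMPLE_TXT):
    """Return findings for the mistakes listed above; an empty list means none."""
    record = spf_record(domain, txt)
    if record is None:
        return ["no single v=spf1 TXT record found"]
    findings = []
    lookups = count_lookups(domain, txt)
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS lookups, limit is {MAX_LOOKUPS}")
    last = record.split()[-1].lower()
    if last not in ("-all", "~all") and not last.startswith("redirect="):
        findings.append("record does not end with -all or ~all")
    return findings
```

With the sample data, yourstore.com uses 5 of its 10 lookups even though the record names only two services, because the nested includes count too.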

How Recon Helps

Recon monitors your email authentication by:

  • Checking that your SPF record exists and is valid
  • Alerting you if your SPF has too many lookups
  • Detecting when your email services aren’t properly authorized
  • Providing step-by-step guidance to fix SPF issues

FAQ

Q: Will adding SPF affect my current email delivery?

A: If configured correctly, SPF improves deliverability. However, misconfiguration can cause emails to be rejected. Start by auditing which services send email from your domain.

Q: Do I need SPF if I have DMARC?

A: Yes. DMARC builds on SPF (and DKIM). You need SPF configured correctly for DMARC to work properly.

Q: How quickly do SPF changes take effect?

A: SPF changes typically propagate within 1-4 hours, but can take up to 48 hours. Avoid making changes right before a major email campaign.
