How to fix missing dmarc on Shopify

Steps for Shopify

1. DMARC is a DNS record — it is NOT managed inside the Shopify admin itself. You manage it at whichever domain registrar or DNS host controls your domain (e.g. GoDaddy, Namecheap, Cloudflare, Google Domains).
2. In your Shopify admin, go to Settings → Domains to see which domain you are using and confirm where it is managed (Shopify-managed vs. third-party).
3. If Shopify manages your DNS: go to Settings → Domains → click your domain → click 'DNS Settings'. Scroll to the 'TXT Records' section and click 'Add record'. Set Host/Name to '_dmarc' and Value to your DMARC policy string (e.g. v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com).
4. If DNS is managed externally (e.g. Cloudflare, GoDaddy): log into that provider's DNS dashboard, add a new TXT record, set the Name/Host to '_dmarc' (or '_dmarc.yourdomain.com' depending on the interface), and paste the DMARC value.
5. Also ensure Shopify's outbound email is covered: in Settings → Notifications → Sender email, verify your sending domain and follow Shopify's guide to authenticate it with SPF and DKIM so those emails pass DMARC alignment.

; DNS TXT record — hostname: _dmarc.yourdomain.com
; Phase 1 – monitoring only (safe starting point)
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

; Phase 2 – enforcement (after confirming all legitimate mail passes)
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100

; Phase 3 – strictest (recommended long-term goal)
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100

What is missing dmarc?

DMARC (Domain-based Message Authentication, Reporting & Conformance) is a free email authentication standard you publish as a DNS record. It tells the world's email providers — Gmail, Outlook, Yahoo, and others — what to do when someone sends an email that pretends to be from your domain but fails authentication checks. Without a DMARC record, anyone can forge your store's "From" address and send convincing phishing or spam emails that appear to come from you. The record lives at a specific DNS address (_dmarc.yourdomain.com) and takes effect within 24–48 hours of being added.

Without DMARC, criminals can send emails that look exactly like they came from your store — order confirmations, password resets, or fake promotions — tricking your customers into handing over payment details or passwords. This directly damages customer trust, can result in your domain being blacklisted by mail providers (destroying your legitimate email deliverability), and exposes you to legal and reputational liability under consumer-protection and data-privacy laws. OWASP classifies this as a Security Misconfiguration (A05:2021) — one of the most common and impactful categories of web security failures. Fixing it is free and takes under 30 minutes yet closes a major attack vector immediately.

See the complete Missing dmarc guide for every platform and the full background.