How to fix missing spf on Shopify

Steps for Shopify

1. Shopify does not manage your domain's DNS records directly — you must edit DNS at wherever your domain is registered or hosted (e.g. GoDaddy, Namecheap, Cloudflare).
2. In your Shopify admin, go to Settings → Domains and note your custom domain and which nameservers it uses (Shopify-managed or external).
3. If your domain uses Shopify-managed DNS: go to Settings → Domains → click your domain → 'DNS Settings' → click 'Add custom record' → choose TXT → Host: @ → Value: your SPF string (e.g. v=spf1 include:_spf.google.com include:shops.shopify.com ~all) → Save.
4. If using external DNS (Cloudflare, GoDaddy, etc.), log in to that provider's DNS dashboard and add the TXT record at '@' with your SPF value there.
5. Shopify's own transactional mail is sent through their infrastructure; if you use Shopify Email or rely on Shopify's default sending, add 'include:shops.shopify.com' to your SPF record.
6. Verify propagation with an SPF checker tool.

; DNS TXT record to add at your domain apex (e.g. yourstore.com)
; Replace the include: values with the ones published by YOUR sending services.

@ 3600 IN TXT "v=spf1 include:_spf.google.com include:sendgrid.net include:shops.shopify.com ~all"

; Key parts:
;   v=spf1               → SPF version (required, always this value)
;   include:…            → Delegate to another provider's SPF list (add one per sending service)
;   ip4:203.0.113.5      → Authorize a specific server IP directly (use only if needed)
;   -all                 → Hard fail: reject mail from any unlisted sender (most secure)
;   ~all                 → Soft fail: accept but mark unlisted senders (use during rollout)

What is missing spf?

SPF (Sender Policy Framework) is a DNS record — a single line of text published at your domain's root — that tells the world's email servers which mail-sending services are officially allowed to send email on behalf of your domain. Without it, there is no published list of authorized senders, so receiving mail servers have no way to confirm whether an email claiming to be "from yourstore.com" actually came from you or from an attacker. It is one of the three foundational email-authentication standards (SPF, DKIM, and DMARC) that major inbox providers now require.

Without an SPF record, cybercriminals can send convincing phishing and spoofing emails that appear to come from your store's domain — targeting your customers, suppliers, and staff. Beyond fraud risk, inbox providers like Google and Microsoft use SPF as a key trust signal: missing or broken SPF causes your legitimate order confirmations, shipping updates, and marketing emails to land in spam or be rejected outright, directly harming customer experience and revenue. Google and Yahoo's 2024 bulk-sender requirements made SPF mandatory for deliverability. Failing to publish one is classified as a Security Misconfiguration (OWASP A05:2021) because it leaves your domain's identity unprotected and exploitable.

See the complete Missing spf guide for every platform and the full background.