How to fix weak SPF on Shopify
Add a hard-fail (-all) or soft-fail (~all) mechanism to your SPF DNS record so that mail servers are explicitly told to reject or flag email from senders not listed in your record.
Steps for Shopify
- SPF is a DNS record — it is NOT set inside Shopify's admin. You must edit it at the DNS provider where your domain's nameservers are hosted.
- If you bought your domain through Shopify: go to Shopify Admin → Settings → Domains → click your domain → click 'Manage' → 'DNS Settings'. Find the TXT record starting with v=spf1 and edit it to end with -all or ~all.
- If your domain is hosted elsewhere (GoDaddy, Namecheap, Cloudflare, etc.): log in to that provider's DNS management panel, find the TXT record for @ (root domain) starting with v=spf1, and add -all or ~all at the end.
- Shopify's email sending (order confirmations, etc.) uses its own SPF infrastructure — confirm you have 'include:shops.shopify.com' or 'include:myshopify.com' in your record before closing with -all.
```
; Correct SPF TXT record examples:
; Strict (recommended) — unlisted senders are rejected:
v=spf1 include:_spf.google.com include:sendgrid.net -all
; Soft-fail — unlisted senders are flagged but not hard-rejected:
v=spf1 include:_spf.google.com include:sendgrid.net ~all
; If your record uses redirect=, verify the TARGET record also ends in -all:
; v=spf1 redirect=cf3962es._spf._d.mim.ec
; → look up cf3962es._spf._d.mim.ec and confirm it ends in -all or ~all
```
What is weak SPF?
SPF (Sender Policy Framework) is a DNS record on your domain that tells the world's email servers which computers are allowed to send email on your behalf. It works like a guest list at the door — but right now your record has no "turn away everyone not on the list" instruction at the end. That final instruction is called an "all mechanism" and it must end with either `-all` (hardfail: reject unlisted senders outright) or `~all` (softfail: accept but mark as suspicious). Without it, the record is incomplete and receiving mail servers may treat any server in the world as a valid sender for your domain.
An SPF record without a closing `-all` or `~all` gives spammers and phishers a green light to send email that appears to come from your store's domain. Customers receiving fake order confirmations, password resets, or "shipping delay" scams from your domain name will lose trust in your brand — and there is nothing more damaging to an ecommerce business than customers believing your email is fraudulent. Many large email providers (Gmail, Microsoft 365, Yahoo) use SPF alignment as a key spam-filtering signal, meaning your own legitimate marketing and transactional emails are more likely to land in spam if your SPF record is weak or incomplete. Under regulations like GDPR and CAN-SPAM, allowing domain spoofing can also create indirect legal exposure. Fixing this is one of the fastest, highest-impact security improvements you can make.
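The check described above (does the record close with `-all` or `~all`, following `redirect=` to its target when present) can be scripted. This is an added Python example, not code from the original page or from Shopify. DNS is replaced by a constructed dictionary of hypothetical `.example` domains, and the function names are illustrative.

```python
# Added example: classify an SPF policy by its terminal "all" mechanism.
# Constructed sample TXT data (hypothetical domains) stands in for DNS lookups.
SAMPLE_TXT = {
    "strict.example": "v=spf1 include:_spf.google.com include:sendgrid.net -all",
    "soft.example": "v=spf1 include:_spf.google.com include:sendgrid.net ~all",
    "open.example": "v=spf1 include:shops.shopify.com",
    "neutral.example": "v=spf1 include:shops.shopify.com ?all",
    "redir.example": "v=spf1 redirect=_spf.target.example",
    "_spf.target.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "loop.example": "v=spf1 redirect=loop.example",
}

QUALIFIERS = {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "pass-all"}


def classify_spf(domain, lookup=SAMPLE_TXT.get, max_redirects=10):
    """Return hardfail, softfail, neutral, pass-all, missing-all, no-spf
    or redirect-error for the SPF record published at `domain`."""
    seen = set()
    while domain not in seen and len(seen) < max_redirects:
        seen.add(domain)
        terms = (lookup(domain) or "").split()
        if not terms or terms[0].lower() != "v=spf1":
            return "no-spf"
        redirect = None
        for term in terms[1:]:
            t = term.lower()
            qualifier = t[0] if t[0] in QUALIFIERS else ""
            if t[len(qualifier):] == "all":
                # "all" always matches: later terms never run and any
                # redirect= in the same record is ignored (RFC 7208).
                return QUALIFIERS[qualifier or "+"]
            if t.startswith("redirect="):
                redirect = t.split("=", 1)[1].rstrip(".")
        if redirect is None:
            # An include: target's own "all" does not close this record.
            return "missing-all"
        domain = redirect  # the target record decides the policy
    return "redirect-error"  # loop or too many redirects


def is_weak(domain, lookup=SAMPLE_TXT.get):
    """Weak in the page's sense: no effective -all or ~all."""
    return classify_spf(domain, lookup) not in ("hardfail", "softfail")


if __name__ == "__main__":
    for name in SAMPLE_TXT:
        print(f"{name:22} {classify_spf(name):15} weak={is_weak(name)}")
```

To run it against live DNS, pass a `lookup` function that returns the domain's `v=spf1` TXT string (or `None`) in place of `SAMPLE_TXT.get`.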