DKIM for Shopify: Email Authentication Setup Guide
How to set up DKIM for Shopify. Step-by-step guide covering sender domain authentication, DNS records, and verification for Shopify Email and notifications.
Last updated: 2026-04-12
This guide is part of our Website and Ecommerce series.
If you run a Shopify store, your customers receive dozens of emails from you: order confirmations, shipping updates, abandoned cart reminders, and marketing campaigns through Shopify Email. By default, all of those messages are sent from a Shopify domain, not yours. That means recipients see a sender address at a Shopify domain instead of one at your own domain, which can look unfamiliar and reduce trust.
Setting up DKIM for your Shopify store solves this. It proves to inbox providers that emails from your domain are legitimate, keeps your messages out of spam folders, and makes every notification look like it genuinely came from your brand.
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your outgoing emails. Inbox providers like Gmail and Outlook use it to verify that a message was actually authorized by the domain in the "From" address.
Why Shopify Store Owners Need DKIM
Without sender domain authentication, Shopify sends emails on your behalf using its own domain. This creates several problems:
- Spam folder risk. Gmail, Yahoo, and Outlook are more likely to flag unauthenticated emails as spam, especially bulk marketing sends through Shopify Email.
- Brand confusion. Customers see a generic Shopify address instead of your store domain, which can erode trust and lower open rates.
- DMARC failures. If you have a DMARC policy on your domain (or plan to add one), emails sent without DKIM alignment will fail authentication checks and may be rejected entirely.
- Deliverability limits. As of 2024, Google and Yahoo require DKIM for senders who send more than 5,000 emails per day. Even smaller stores can benefit from meeting these standards early.
Authenticating your sender domain in Shopify tells inbox providers that Shopify is authorized to send mail for your domain, and DKIM is a core part of that process.
How Shopify Handles DKIM
When you authenticate your sender domain in Shopify, the platform provides you with CNAME records rather than raw DKIM TXT records. These CNAME records point to Shopify's DKIM infrastructure, which manages the actual signing keys on your behalf.
This means you do not need to generate or manage private keys yourself for Shopify's built-in email. You simply add the DNS records Shopify gives you, and Shopify handles the signing.
Shopify's CNAME-based authentication covers emails sent through Shopify (notifications and Shopify Email). If you also send email through other services like Mailchimp, Klaviyo, or your own mail server, each service needs its own DKIM configuration. Use DKIM Creator to generate keys for those additional senders.
Set Up Sender Domain Authentication in Shopify
1. Open your Shopify Admin. Log in to your Shopify store admin. Navigate to Settings (bottom-left gear icon), then click Notifications.
2. Change your sender email address. Under Sender email, enter the email address you want customers to see (e.g., an address at your store's domain). Shopify will prompt you to authenticate this domain.
3. Copy the DNS records Shopify provides. Shopify will display a set of CNAME records needed to verify your domain. You will typically see two CNAME records for DKIM and one for SPF (Return-Path). Copy each record's Host and Value exactly as shown.
4. Add the records to your DNS provider. Log in to your domain's DNS provider (such as GoDaddy, Namecheap, or Cloudflare) and add the CNAME records. Make sure you enter the host and value fields precisely as Shopify displayed them.
5. Verify in Shopify. Return to the Shopify Notifications settings page and click Verify. If DNS has propagated, Shopify will confirm that your domain is authenticated. If verification fails, wait an hour and try again.
DNS Records: What to Expect
Shopify provides CNAME records rather than TXT records. Here is what the records typically look like:
| Field | Value |
|---|---|
| Type | CNAME |
| Host/Name | Provided by Shopify (e.g., `shopify._domainkey.yourstore.com`) |
| Points to / Value | Provided by Shopify (e.g., `shopify._domainkey.shopify.com`) |
| TTL | 3600 (or your provider default) |
Some DNS providers automatically append your domain to the host field. If Shopify gives you shopify._domainkey.yourstore.com and your DNS provider already adds .yourstore.com, just enter shopify._domainkey in the host field. Check your provider's documentation if you are unsure.
Verifying That DKIM Is Working
Once Shopify confirms your domain is authenticated, verify that DKIM signatures are actually appearing on outgoing emails:
- Place a test order. Use Shopify's "Send test notification" feature or place a real test order to trigger a transactional email.
- Check the email headers. In Gmail, open the email, click the three dots, and select "Show original." Look for a line that reads `dkim=pass` in the authentication results.
- Send a Shopify Email campaign. If you use Shopify Email for marketing, send a test campaign to yourself and check the headers the same way.
If you see dkim=pass alongside your domain name, DKIM is working correctly.
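The header check described above can be scripted. The following is an added example, not code from Shopify or from this guide's author: it reads the Authentication-Results header of a saved message and reports whether any passing DKIM signature belongs to the From domain. The sample messages, `yourstore.com`, `mailer.example` and `mx.receiver.example` are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers, not real mail. All domain names here are placeholders.
AFTER_SETUP = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.i=@mailer.example header.s=s1 header.b=AAAA;
 dkim=pass header.i=@yourstore.com header.s=shopify header.b=BBBB;
 spf=pass smtp.mailfrom=bounces.yourstore.com
From: Your Store <orders@yourstore.com>
Subject: Order confirmed

Thanks for your order.
"""
# Same message as it would look with only the platform's own signature.
BEFORE_SETUP = AFTER_SETUP.replace(
    " dkim=pass header.i=@yourstore.com header.s=shopify header.b=BBBB;\n", "")


def dkim_results(raw):
    """Return (from_domain, [(result, signing_domain, aligned), ...])."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    # Use only the topmost header: it is the one your receiving provider added.
    header = " ".join((msg.get_all("Authentication-Results") or [""])[0].split())
    found = []
    for clause in header.split(";"):
        verdict = re.match(r"\s*dkim=(\w+)", clause)
        if not verdict:
            continue
        # Gmail reports header.i=@domain; other receivers report header.d=domain.
        dom = re.search(r"header\.[di]=(?:[^\s@]*@)?(\S+)", clause)
        signer = dom.group(1).lower() if dom else ""
        # Simplified relaxed alignment: same domain or a parent/child of it.
        # A full DMARC check compares organizational domains instead.
        aligned = bool(signer) and (
            signer == from_domain
            or signer.endswith("." + from_domain)
            or from_domain.endswith("." + signer))
        found.append((verdict.group(1), signer, aligned))
    return from_domain, found


def dkim_aligned_pass(raw):
    """True when at least one DKIM result is a pass for the From domain."""
    return any(r == "pass" and ok for r, _, ok in dkim_results(raw)[1])


if __name__ == "__main__":
    for name, raw in (("after", AFTER_SETUP), ("before", BEFORE_SETUP)):
        print(name, dkim_results(raw), dkim_aligned_pass(raw))
```

A message can show `dkim=pass` for the sending platform's domain only; that is the `BEFORE_SETUP` case, and it does not satisfy DMARC alignment for your domain.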
Troubleshooting Common Issues
Verification keeps failing in Shopify
DNS propagation can take anywhere from a few minutes to 48 hours. If you just added the records, wait and retry. Also double-check that you entered the CNAME host and value exactly as Shopify specified, with no extra spaces or missing characters.
Emails still show "via shopify.com"
Even after DKIM is configured, some email clients display a "via" label for a short period. Give it 24 to 48 hours after successful verification. If it persists, confirm that both SPF and DKIM records are properly set up.
DKIM passes for notifications but not Shopify Email
Make sure you are checking recent emails sent after verification completed. Emails sent before authentication was active will not carry your DKIM signature.
Using a subdomain for your store
If your Shopify store uses a subdomain (e.g., shop.yourstore.com), the DNS records need to be added to the correct zone. Add them under the parent domain's DNS, using the full hostnames Shopify provides.
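The host-field pitfall from the DNS records section and the subdomain case above come down to the same question: which name does the record actually get once the provider has processed your entry? This added example (not Shopify's or this guide's own code) computes the host to type and diagnoses a doubled or missing zone suffix. The hostnames are the guide's illustrative ones plus a constructed subdomain variant, and the `appends_zone` flag is an assumption about how your provider behaves.

```python
def norm(name):
    """Lower-case a DNS name and drop surrounding spaces and a trailing dot."""
    return name.strip().rstrip(".").lower()


def host_field(fqdn, zone):
    """Host to type when the DNS provider appends the zone automatically."""
    fqdn, zone = norm(fqdn), norm(zone)
    if not fqdn.endswith("." + zone):
        raise ValueError(f"{fqdn} is not inside zone {zone}")
    return fqdn[: -len(zone) - 1]


def published_name(entered, zone, appends_zone=True):
    """Name the record actually receives for a given host-field entry."""
    entered, zone = norm(entered), norm(zone)
    return f"{entered}.{zone}" if appends_zone else entered


def check_entry(entered, zone, shopify_host, appends_zone=True):
    """Compare what was published with the host Shopify displayed."""
    expected, zone = norm(shopify_host), norm(zone)
    actual = published_name(entered, zone, appends_zone)
    if actual == expected:
        return "ok"
    if actual == f"{expected}.{zone}":
        return "doubled zone suffix, enter: " + host_field(expected, zone)
    if f"{actual}.{zone}" == expected:
        return "zone suffix missing, enter: " + expected
    return f"mismatch: published {actual}, expected {expected}"


if __name__ == "__main__":
    zone = "yourstore.com"  # placeholder zone from the guide's examples
    shown = "shopify._domainkey.yourstore.com"
    print(host_field(shown, zone))
    # Constructed subdomain case: the record still lives in the parent zone.
    print(host_field("shopify._domainkey.shop.yourstore.com", zone))
    print(check_entry(shown, zone, shown))  # full name pasted into host field
```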
DKIM for Third-Party Email Services on Shopify
Many Shopify merchants use additional email services alongside Shopify's built-in email. If you use Klaviyo, Mailchimp, Omnisend, or any other marketing platform, each one requires its own DKIM setup.
For those services, you typically need to generate your own DKIM key pair and add a TXT or CNAME record to your DNS. DKIM Creator lets you generate 1024-bit or 2048-bit DKIM keys directly in your browser, so you can configure each service independently while keeping all your email properly authenticated.
This is especially important if you have a DMARC policy. Every service that sends email using your domain needs to pass DKIM or SPF alignment, or those messages risk being quarantined or rejected.