Why did Shopify send DMARC setup emails to users who already have DMARC records?

Summary

Shopify sent DMARC setup emails to all users, including those who already had DMARC records, for a combination of reasons related to security, practicality, and comprehensive coverage. The primary drivers include: the relative ease of sending blanket notifications compared to developing complex targeted messaging systems; ensuring all merchants, regardless of technical proficiency or current configuration, are aware of and adhere to best practices for email authentication; mitigating the risk of overlooking vulnerable accounts and reinforcing the importance of DMARC; educating users about security standards; and addressing the complexities of DMARC deployment and evolving email security standards. The consensus is that while some redundancy might occur, the benefits of broad awareness and security outweigh the potential annoyance.

Key findings

  • Ease of Implementation: It's simpler and more efficient to send blanket emails than to individually audit configurations and develop complex targeted systems.
  • Security Reinforcement: Blanket notifications reinforce the importance of email authentication standards and ensure continuous compliance, even among technically proficient users.
  • Vulnerability Mitigation: Sending emails to all users helps mitigate the risk of overlooking vulnerable accounts susceptible to phishing or spoofing attacks.
  • Broad Awareness: Blanket emails ensure that all merchants are aware of best practices, especially given that many businesses are not fully aware of email authentication standards.
  • Addressing Complexity: Sending updates helps users understand their obligations under evolving standards, given the complexities of DMARC deployment.
  • Proactive Strategy: This is part of a proactive security strategy that ensures continuous compliance and prevents potential security risks by prompting reviews of setup settings.

Key considerations

  • Potential Annoyance: Some users may find redundant notifications annoying if they have already correctly configured DMARC.
  • Aggregate Store Access: Ideally, messaging would be limited based on aggregate store access rather than individual accounts.
  • Message Specificity: Tailoring messages to acknowledge existing configurations could reduce redundancy.
  • Brand Reputation: Over-communication ensures protection of domain reputation.

What email marketers say
12 marketer opinions

Shopify sent DMARC setup emails to all users, even those with existing DMARC records, for several reasons. The primary motivations include promoting better security across the platform, ensuring no user is missed during security updates, reinforcing the importance of email authentication standards, educating users on best practices, and mitigating risks associated with phishing or spoofing attacks. This blanket approach prioritizes comprehensive coverage and risk prevention over potential user annoyance or redundancy.

Key opinions

  • Security Promotion: Shopify aims to promote platform-wide security by prompting all users to review their DMARC settings.
  • Risk Mitigation: Sending emails to all users helps mitigate the risk of overlooking vulnerable accounts susceptible to phishing or spoofing.
  • Email Authentication: Blanket emails ensure that all users are reminded about email authentication best practices.
  • Avoiding Assumptions: Shopify avoids assumptions about the correctness of user configurations by notifying everyone.
  • Education: Many businesses are not fully aware of email authentication, and these emails serve as an educational tool for Shopify users.
  • Prevent security risks: It's more important to cover all bases to avoid risks of users missing out on security and domain requirements than to avoid a few people complaining about being informed when they already knew the details.

Key considerations

  • Potential Annoyance: Sending redundant notifications can annoy users who have already implemented DMARC records.
  • Messaging: Using generic messaging like `please check and confirm u have a dmarc record` allows users who already have a record to move onto missing authentication steps.
  • Urgency: Shopify is causing a bit of urgency with stores because this is not the time for them to be dragging their feet.
  • Aggregate store access: It would have been ideal to limit the messages based on aggregate store access, vs individual, which is what caused the message proliferation.
Marketer view

Email marketer from Email Geeks shares that they tried to use generic messaging like `please check and confirm u have a dmarc record` to hopefully allow users who already had a record to move onto missing authentication steps.

September 2021 - Email Geeks
Marketer view

Email marketer from Email Vendor Guide answers that many businesses are not fully aware of email authentication; Shopify sends emails to educate its users to protect domain reputation.

December 2021 - Email Vendor Guide
Marketer view

Email marketer from StackExchange responds that Shopify casts a wide net, sending notifications to everyone to ensure even those who may have missed previous announcements are now informed about the necessity of setting up DMARC records.

October 2022 - StackExchange
Marketer view

Email marketer from Mailjet Blog explains that when it comes to security, over-communication is a better approach than under-communication. It ensures maximum coverage and reduces the chance of overlooking a critical security measure.

June 2024 - Mailjet
Marketer view

Email marketer from Reddit suggests Shopify sends these emails by default as a standard procedure to all its users, irrespective of their current settings, to promote better security across the platform.

September 2021 - Reddit
Marketer view

Email marketer from Sendgrid answers that the strategy prevents potential security vulnerabilities by ensuring all users, including those who may have set up DMARC incorrectly or incompletely, review their settings.

March 2022 - Sendgrid
Marketer view

Email marketer from Mailchimp answers that by sending to everyone, Shopify mitigates the risk of overlooking accounts that might be vulnerable to phishing or spoofing attacks.

October 2024 - Mailchimp
Marketer view

Email marketer from Email Geeks said: "While it would have been ideal to limit the messages based on aggregate store access, vs individual, which is what caused the message proliferation, I was not being facetious about them getting attention from ecomm stores and it is, quite literally, time to panic and get their shit together."

April 2022 - Email Geeks
Marketer view

Email marketer from Quora explains that Shopify likely sent these emails as part of a broader security update campaign, choosing to notify all users to ensure no one is missed, even if some are already compliant.

July 2021 - Quora
Marketer view

Email marketer from Email Geeks says it's not a terrible thing that Shopify is causing a bit of urgency with stores because this is not the time for them to be dragging their feet.

November 2022 - Email Geeks
Marketer view

Email marketer from BigScoots answers that it's more important to cover all bases to avoid risks of users missing out on security and domain requirements than to avoid a few people complaining about being informed when they already knew the details.

March 2024 - BigScoots
Marketer view

Email marketer from Webmaster World states that Shopify avoids assumptions about who has correctly configured DMARC. Sending to everyone ensures all users are reminded about the best practices.

May 2023 - Webmaster World

What the experts say
5 expert opinions

Shopify's decision to send DMARC setup emails to all users, regardless of their existing DMARC configuration, is primarily attributed to the ease of implementation and the complexities involved in targeted messaging. It's simpler to send blanket reminders and universal advice than to individually audit configurations and write complex scripts for targeted emails. This approach aims to ensure all users meet email authentication standards and review their settings, even if it means some receive redundant notifications.

Key opinions

  • Ease of Implementation: Sending blanket emails is easier and requires less complex coding than targeted messaging.
  • Resource Efficiency: It's more efficient to provide universal advice than to individually audit configurations.
  • Email Authentication Standards: Sending DMARC setup emails aims to ensure all users are meeting the necessary email authentication standards.
  • Complexity of Targeted Messaging: Targeted messaging requires complex scripts and accounting for many variables, making it more difficult to implement.
  • Simplified Scripting: Writing DMARC checking code is not easy - it can be much easier to just mail everyone.

Key considerations

  • Redundant Notifications: Some users may receive redundant notifications if they already have DMARC configured correctly.
  • Lack of Individual Auditing: The approach avoids individual auditing of configurations, potentially missing nuanced issues.
Expert view

Expert from Word to the Wise responds that sometimes platforms send blanket reminders because it's easier to give universal advice rather than individually audit configurations, ensuring everyone reviews their settings regardless of existing configurations.

April 2022 - Word to the Wise
Expert view

Expert from Email Geeks elaborates that sending targeted messages, even with thousands of domains, requires a more complex script to pull out relevant accounts compared to sending a blanket email. This requires accounting for many variables.

August 2024 - Email Geeks
Expert view

Expert from Email Geeks confirms that it is much easier for Shopify to mail everyone than to write DMARC checking code, implying a reason for the blanket email.

October 2021 - Email Geeks
Expert view

Expert from Email Geeks suggests Shopify likely sent the DMARC setup emails to all users regardless of their current DMARC deployment status because it is easier to do that rather than write DMARC checking code.

September 2023 - Email Geeks
Expert view

Expert from Spam Resource explains that sending DMARC setup emails can be an attempt to ensure that all their users are meeting the necessary email authentication standards.

January 2023 - Spam Resource
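
To show what the "DMARC checking code" discussed in this section has to account for, here is an added example (not Shopify's code and not from any of the quoted sources) that classifies the TXT answers found at `_dmarc.<domain>` using the record-selection rules of RFC 7489. It assumes the TXT strings were already fetched, uses constructed sample domains, and leaves out organizational-domain fallback and the `sp` tag; the names `Status`, `parse_dmarc`, `classify` and `audit` are hypothetical.

```python
# Added example: decide which stores still need a DMARC notice.
# Inputs are constructed TXT strings; a real audit would fetch them over DNS.
from enum import Enum

class Status(Enum):
    MISSING = "no DMARC record"
    MULTIPLE = "several DMARC records, so none is applied"
    INVALID = "record present but p= or pct= is malformed"
    MONITOR = "p=none: reports only, no enforcement"
    PARTIAL = "enforcing, but pct < 100"
    ENFORCING = "quarantine/reject at 100%"

def parse_dmarc(record):
    """Return the tag dict, or None if the record does not start with v=DMARC1."""
    pairs = [p.partition("=") for p in record.split(";") if "=" in p]
    tags = [(k.strip().lower(), v.strip()) for k, _, v in pairs]
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    return dict(tags)

def classify(txt_records):
    # Only records whose first tag is v=DMARC1 count; zero or many means no policy.
    candidates = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if not candidates:
        return Status.MISSING
    if len(candidates) > 1:
        return Status.MULTIPLE
    policy = candidates[0].get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return Status.INVALID
    if policy == "none":
        return Status.MONITOR
    pct = candidates[0].get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdigit() or int(pct) > 100:
        return Status.INVALID
    return Status.ENFORCING if int(pct) == 100 else Status.PARTIAL

# Constructed sample data: store domain -> TXT strings at _dmarc.<domain>
SAMPLES = {
    "shop-a.example": [],
    "shop-b.example": ["v=DMARC1; p=none; rua=mailto:r@shop-b.example"],
    "shop-c.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "shop-d.example": ["v=DMARC1; p=quarantine; pct=25"],
    "shop-e.example": ["v=spf1 include:mail.example ~all"],
    "shop-f.example": ["v=DMARC1; p=reject; rua=mailto:r@shop-f.example"],
}

def audit(samples):
    return {domain: classify(txt) for domain, txt in samples.items()}
```

Only `shop-f.example` comes back as `ENFORCING`; the other five "have something at `_dmarc`" or nothing at all, which is why a simple "record exists" test is not enough to target the notice.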

What the documentation says
4 technical articles

Shopify sends DMARC setup emails to all users, even those who already have DMARC records, as a proactive security strategy and to ensure all merchants are aware of and adhere to best practices for email authentication. This approach reinforces the importance of email authentication standards and ensures continuous compliance, even among technically proficient users. The redundancy is intended to address the complexities of DMARC deployment and to keep users informed of evolving standards.

Key findings

  • Proactive Security: Frequent DMARC reminders are part of a proactive security strategy.
  • Awareness of Best Practices: Blanket notifications ensure all merchants are aware of best practices for email authentication.
  • Continuous Compliance: Redundant notifications reinforce the importance of email authentication standards and ensure continuous compliance.
  • Addressing DMARC Complexities: Sending updates ensures users understand their obligations under evolving standards, given the complexities of DMARC deployment.

Key considerations

  • User Experience: Users who have already implemented DMARC might find the notifications redundant and potentially annoying.
  • Message Tailoring: Future iterations of the strategy might consider tailoring messages based on existing DMARC configurations to reduce redundancy.
Technical article

Documentation from Shopify Help Center explains that Shopify may send blanket notifications regarding security settings like DMARC to ensure all merchants are aware of best practices, even if they have already implemented them.

December 2022 - Shopify Help Center
Technical article

Documentation from DMARC Analyzer suggests that platforms like Shopify might send redundant notifications to reinforce the importance of email authentication standards and ensure continuous compliance.

October 2021 - DMARC Analyzer
Technical article

Documentation from Agari (Now Proofpoint) says that frequent reminders about DMARC are part of a proactive security strategy, ensuring even technically proficient users periodically re-evaluate their settings and configurations.

March 2025 - Proofpoint
Technical article

Documentation from RFC Editor says that DMARC deployment has complexities, and platforms like Shopify might send updates to ensure users understand their obligations under evolving standards.

May 2024 - RFC Editor