Email Domain Authentication (DMARC)

Email authentication is a crucial aspect of online communication, especially for e-commerce. Authentication ensures that messages are delivered reliably without being rejected or marked as spam. The most widely adopted email authentication protocol is DMARC (Domain-based Message Authentication, Reporting, and Conformance).

DMARC is a policy you publish for your domain that tells receiving email services how to handle messages that fail authentication. Email authentication protocols like DMARC prevent cybercriminals from sending emails impersonating your organization, protecting you and your buyers. Email authentication also ensures that legitimate emails are recognized by Email Service Providers.

There are two main protocols that DMARC uses to ensure that emails come from a trusted sender and have not been altered after being sent. Those protocols are Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).

This article will explain each of these protocols and the steps you will need to take to set up your DMARC policy.

Google/Yahoo! Requirement updates

Starting February 2024, Google and Yahoo! email services will enforce DMARC more strictly.

Google will start sending error messages in February. On April 1st, Google will start blocking emails that are not DMARC compliant.

If you have set ShipStation to send shipment notification emails to your customers and have not added your own email address to your store's branding settings, ShipStation sends the emails using our default tracking email. These emails are already configured to pass DMARC checks and there is no further action required on your part.

ShipStation provides the ability to add your email as the sender for notifications, allowing you to send the email from your own address rather than from ShipStation’s. Follow the instructions in Configure Sender Emails and Domain Authentication to ensure your email is verified and that emails get delivered to your recipients.

Sender Policy Framework (SPF)

SPF is a system that allows domain owners to list which email servers are allowed to send emails for them. When you send a customer an email, their email service checks this list in the Domain Name System (DNS) to make sure that the email is coming from an approved server. If an email tries to come from a server that's not on the list, it might be rejected. This is important because without SPF, cybercriminals could impersonate your brand and send emails from your domain.

DomainKeys Identified Mail (DKIM)

DKIM ensures that an email hasn't been altered on its way to your customer. It does this by adding a digital signature to the email's header, which recipients do not normally see. The sending domain signs the email using a private key, and the email server on the receiving end uses a public key that's published in the DNS to check that signature. If the signature verifies, it means the email has not been tampered with and can reach its destination.

ShipStation's Default Email Includes SPF and DKIM Authentication

For ShipStation’s default email sender, emails are automatically authenticated through SPF and DKIM.

If you use your branded domain in ShipStation, the necessary SPF records will be automatically added through the CNAME records which you can verify when adding a sender email in ShipStation.

DKIM records will be generated when you verify your domain after adding a sender email address.

Domain-based Message Authentication, Reporting and Conformance (DMARC)

DMARC uses SPF and DKIM together to check if an email is real. It lets domain owners put a policy in their DNS records that says how to use SPF and DKIM to verify emails. DMARC also lets domain owners get reports about whether their emails are passing these checks, which helps them understand how their domain is being used and spot any misuse.

With DMARC, domain owners can also specify what actions should be taken if an email fails the authentication checks. This includes actions like rejecting or quarantining suspicious emails.

Setting Up A DMARC Policy

To set up a DMARC policy, you need to be able to change your domain's DNS settings. You'll create a special DMARC DNS TXT record for your brand's domain that tells email services what to do if an email fails the security checks.

Changing DNS Settings Not Provided By ShipStation

The implementation of a DMARC policy is beyond ShipStation’s scope of support as it requires changes to your DNS settings. We recommend you work with your IT team or third-party expert to implement a policy that best works for your brand.

Example DMARC Policy

A DMARC policy can have a number of different tags and each tag represents a specific function. An example of a DMARC policy and the most common tags is as follows:

Example policy:

v=DMARC1; p=none;


  • "v" tag (required): This tells you which version of DMARC is being used.

  • "p" tag (required): This is the policy tag. It tells email services what to do with emails that don't pass DMARC checks, like reporting them, putting them aside, or rejecting them.

  • "rua" tag (optional): This tag lets you get DMARC reports sent to a specific email address in XML format. The email domain here should match your DMARC record's domain. You might need to do some extra setup to get reports sent to a different domain.

Values of the "p" tag and the instruction each gives the email client if authentication fails:

  • none: Accept email, even when checks fail

  • quarantine: Accept email but display a warning and place email in spam folder

  • reject: Block the email
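
The tag rules above can be checked before a record is published. The following is an added example, not ShipStation code: it lints a DMARC TXT record for the "v", "p" and "rua" tags. The function names, the sample records and the example.com / example.net domains are assumptions, and the "rua" domain comparison is a simple name match.

```python
import re

VALID_POLICIES = {"none", "quarantine", "reject"}
# mailto: URI with an optional "!<size>" report-size suffix
RUA_URI = re.compile(r"mailto:[^@\s]+@([^!\s]+)(?:!\d+[kmgt]?)?", re.I)

def parse_dmarc(record):
    """Split a DMARC TXT record into an ordered dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing ";" is allowed
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip()] = value.strip()
    return tags

def lint_dmarc(record, domain):
    """Return a list of problems in the DMARC record published for `domain`."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        problems.append("record must start with v=DMARC1")
    policy = tags.get("p")
    if policy is None:
        problems.append("missing required p tag")
    elif policy.lower() not in VALID_POLICIES:
        problems.append(f"unknown policy p={policy}")
    for uri in filter(None, (u.strip() for u in tags.get("rua", "").split(","))):
        match = RUA_URI.fullmatch(uri)
        if not match:
            problems.append(f"rua is not a mailto: URI: {uri}")
            continue
        host = match.group(1).lower()
        # Simplification: names are compared directly (same domain or a subdomain).
        if host != domain.lower() and not host.endswith("." + domain.lower()):
            problems.append(f"rua domain {host} is outside {domain}")
    return problems

# Constructed sample records; example.com / example.net are placeholders.
if __name__ == "__main__":
    for rec in ("v=DMARC1; p=none;",
                "v=DMARC1; p=quarantine; rua=mailto:dmarc@reports.example.net",
                "p=reject; v=DMARC1"):
        print(rec, "->", lint_dmarc(rec, "example.com") or "ok")
```

A "rua domain ... is outside ..." finding corresponds to the case where extra setup is needed to receive reports at a different domain.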

Verifying your DMARC Policy

There are several web pages that offer DMARC checks on a specific domain. One popular option is EasyDMARC.

Enter your domain name to check if the record has been set up correctly. The status field will indicate if your DMARC record is in good shape.


You can also review the DMARC checks by analyzing the email headers. This helps you confirm that your authentication protocols are configured accurately.
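
One way to review the headers programmatically, as an added example that is not ShipStation code: it reads the Authentication-Results headers of a received message and keeps only the verdicts written by your own receiving mail server, since other systems can add headers with the same name. The sample message, hostnames and function names are assumptions.

```python
import re
from email import message_from_string
from email.policy import default

METHOD = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)

def auth_results(raw_message, trusted_authserv):
    """Collect spf/dkim/dmarc verdicts recorded by our own receiving server."""
    msg = message_from_string(raw_message, policy=default)
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        # The first field names the server that performed the checks.
        authserv, _, results = str(header).partition(";")
        ident = authserv.split()[0].lower() if authserv.strip() else ""
        if ident != trusted_authserv.lower():
            continue  # written by some other system; not evidence of our checks
        results = re.sub(r"\([^)]*\)", "", results)  # drop (comments)
        for method, result in METHOD.findall(results):
            verdicts.setdefault(method.lower(), []).append(result.lower())
    return verdicts

def dmarc_passed(raw_message, trusted_authserv):
    """True only when the trusted server recorded a single dmarc=pass."""
    return auth_results(raw_message, trusted_authserv).get("dmarc") == ["pass"]

# Constructed sample message; all hostnames and addresses are placeholders.
SAMPLE = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.i=@shop.example header.s=s1;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounce@mail.shop.example;
 dmarc=pass (p=NONE) header.from=shop.example
Authentication-Results: relay.other.example; dmarc=fail header.from=shop.example
From: Shop <tracking@shop.example>
Subject: Your order has shipped

Tracking details follow.
"""

if __name__ == "__main__":
    print(auth_results(SAMPLE, "mx.receiver.example"))
```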


Additional Resources

The following external resources can help with basic DMARC questions: