There's a class of trust problem that is completely invisible inside your Shopify dashboard, your Google Analytics, or your email platform. It lives in DNS — the phone book of the internet — and it's draining your conversion rate without leaving any trace in your reports.
The problem is email domain spoofing. And the fix is three DNS records.
What Email Spoofing Is
When you send an email from hello@yourstore.com, your customers see your domain in the From field. But anyone — including criminals — can also send an email that appears to come from hello@yourstore.com. Without the right DNS records in place, there's nothing to stop them.
This matters to your business for two reasons that have nothing to do with your own email deliverability.
Reason 1: Your customers are getting phished in your name.
Fraudsters send emails from spoofed versions of legitimate e-commerce domains all the time — "Your order is delayed, click here to verify your payment." If your DMARC policy is set to p=none (monitoring only) or doesn't exist at all, those emails land in inboxes. When your customers discover they were defrauded by an email that looked like it came from you, they never buy from you again — and you have no idea why they churned.
Reason 2: Sophisticated buyers check this before they buy. B2B buyers and security-conscious consumers increasingly run quick checks on vendors before handing over payment details or signing up. A missing DMARC record is a public, checkable signal that your domain hygiene is poor. It reads the same way a missing SSL certificate read in 2018: amateur.
The Three Records You Need
SPF (Sender Policy Framework): A TXT record in your DNS that lists the mail servers allowed to send email from your domain. If a server not on this list sends email claiming to be from your domain, receiving mail servers know to be suspicious.
Example: v=spf1 include:_spf.google.com include:amazonses.com ~all
DKIM (DomainKeys Identified Mail): A cryptographic signature added to every email you send. The receiving server checks the signature against a public key in your DNS. If the signature doesn't match, the email is flagged. DKIM proves the email actually came from your infrastructure.
DMARC (Domain-based Message Authentication, Reporting & Conformance): DMARC ties SPF and DKIM together and tells receiving mail servers what to do with emails that fail both checks: `p=none` (do nothing, just report), `p=quarantine` (send to spam), or `p=reject` (block entirely).
A p=reject DMARC policy is the full protection. p=none — which is what most sites have if they have DMARC at all — is useless from a spoofing-prevention perspective. It's monitoring without action.
How to Check Your Current Status
Your SPF, DKIM, and DMARC records are publicly visible. You can check them with:
dig TXT yourdomain.com (for SPF and DMARC)
dig TXT _dmarc.yourdomain.com (specifically for DMARC)
Or run a RoastReady trust audit — it checks all three automatically and tells you whether your DMARC policy is set to none, quarantine, or reject, with a specific recommendation if you're underprotected.
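The TXT strings that dig prints can also be graded with a short script. The Python below is an added example, not code from this article or from RoastReady; the function names dmarc_status and spf_status are hypothetical, and the records used with it are constructed sample data. It reports the DMARC policy level and how the SPF record treats servers that are not on the list.

```python
# Added example: grade SPF and DMARC TXT strings as `dig TXT` would return them.
# Function names are hypothetical; all sample records are constructed.

def _clean(record):
    """Strip whitespace and the double quotes dig prints around TXT data."""
    return record.strip().strip('"').strip()

def dmarc_status(txt_records):
    """Grade the TXT records found at _dmarc.<domain>: (level, findings)."""
    found = [_clean(r) for r in txt_records
             if _clean(r).lower().startswith("v=dmarc1")]
    if not found:
        return "missing", ["no DMARC record: receivers get no policy for spoofed mail"]
    if len(found) > 1:
        return "invalid", ["more than one DMARC record: receivers apply none of them"]
    tags = {}
    for part in found[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    policy = tags.get("p", "")
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", [f"missing or unknown p= value: {policy!r}"]
    findings = []
    if policy == "none":
        findings.append("p=none only reports: failing mail is still delivered")
    elif tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy covers only part of failing mail")
    return policy, findings

def spf_status(txt_records):
    """Grade the TXT records found at <domain>: (level, findings)."""
    found = [_clean(r) for r in txt_records
             if _clean(r).lower().split()[:1] == ["v=spf1"]]
    if not found:
        return "missing", ["no SPF record: no list of allowed senders"]
    if len(found) > 1:
        return "invalid", ["more than one SPF record: evaluation ends in permerror"]
    levels = {"-all": "hardfail", "~all": "softfail", "?all": "neutral",
              "+all": "open", "all": "open"}
    notes = {"open": ["+all authorises every server on the internet"],
             "neutral": ["?all makes no statement about other servers"]}
    for term in found[0].lower().split()[1:]:
        if term in levels:
            return levels[term], notes.get(levels[term], [])
    return "no-all", ["no 'all' mechanism found in this record"]
```

A result of ("none", [...]) or "missing" from dmarc_status is the underprotected case described above; "quarantine" and "reject" are the enforcing policies.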
The Fix Takes One Afternoon
1. Add an SPF record for your email sending services (Google Workspace, Mailchimp, etc.)
2. Enable DKIM signing in your email provider (it's usually a one-click toggle)
3. Add a DMARC record starting with p=quarantine — monitor for two weeks, then move to p=reject
Total cost: free. Total time: 2 hours including testing.
The conversion impact is indirect but real: cleaner domain reputation means better email deliverability for your own sends, and eliminated spoofing means your customers don't get defrauded in your name. Both improve the long-term trust relationship between your brand and your audience.
Check your domain's SPF, DKIM, and DMARC status in 30 seconds — run a free RoastReady trust audit and get a prioritised fix plan with exact DNS record values for your setup.