Every Shopify store that sends order confirmations from its own domain leaves a fingerprint in public DNS: an SPF record authorising Shopify's servers to send on the domain's behalf. Our nightly scan of the Tranco top-1M counts those fingerprints, and the curve is striking. As of the 2026-07-05 snapshot, 0.85% of top-1M domains with SPF records authorise Shopify — up from 0.04% in 2016. A twenty-fold rise in a decade, tracking the platform's march from webshop builder to commerce operating system.
For a founder running a store, that number carries a practical question: which parts of "email" does the platform actually take off your plate, and which parts silently remain yours? Merchants get this wrong in both directions — re-building what Shopify already handles, or assuming Shopify covers things it never touches.
What the platform takes off your plate
Shopify sends the operational lifecycle of an order for you: confirmations, shipping and delivery updates, refund notices, abandoned-checkout nudges, account and password mail. Crucially, it sends them from its own, professionally warmed infrastructure. The deliverability of an order confirmation is Shopify's problem, at Shopify's scale — which is why these messages reliably arrive even for a store that launched yesterday. When you configure your own domain as the sender, the platform walks you through the DNS records that authorise it, which is exactly the SPF footprint our dataset measures.
This is the "commerce email stack" pattern in miniature: the platform bundles the transactional layer the way suites bundled the mailbox. You could not match its deliverability for order mail if you tried, and you should not try.
What stays yours (and bites if ignored)
- Marketing email. Campaigns, newsletters, win-backs, product launches — whether you use Shopify's own marketing product or a dedicated ESP, the strategy, list hygiene, frequency, and the spam-complaint consequences are yours. The platform ships the pipes, not the judgement.
- Your domain's reputation. Mailbox providers score the sending domain across everything it sends. A sloppy marketing blast damages the same domain reputation your order confirmations ride on. One domain, one ledger.
- Your DMARC policy. Shopify cannot publish DMARC for you — it is your DNS. With 47.16% of DMARC-publishing domains now enforcing their policies, commerce domains that stay at
p=noneforfeit both spoofing protection for their customers and the trust signal that enforcement sends to receivers. - Your mailbox. The platform sends; it does not receive. Support and reply-handling need a real mailbox provider behind
hello@yourstore.com.
The multi-sender reality of a commerce domain
Look at the SPF record of a typical established store and you will find several senders authorised at once: the commerce platform for transactional, an ESP for marketing, often a support desk for tickets. Our dataset confirms this is the norm, not the exception — ESP shares summed across the top-1M exceed 100% of SPF domains because multi-ESP stacks are standard practice. That layout is healthy, with two cautions:
- SPF has a hard 10-DNS-lookup limit. Every
include:spends lookups, and the platform-plus-ESP-plus-desk pattern eats them quickly. Exceed ten and receivers get aPermError— your authorisation silently stops evaluating. - Every authorised sender is a reputation co-signer. Each service in your SPF can affect how receivers treat mail from your domain. Prune senders you no longer use; forgotten includes are both a lookup tax and an attack surface.
| Layer | Platform handles | Merchant owns |
|---|---|---|
| Order/shipping notifications | Sending, templates, deliverability | Sender domain configuration |
| Marketing campaigns | Tooling (optional) | Strategy, list hygiene, complaint rates |
| DNS authentication | Provides records to publish | Publishing SPF/DKIM, DMARC policy |
| Inbound mail (support, replies) | — | Mailbox provider, routing |
| Domain reputation | — | Everything sent as the domain |
A 30-minute audit for store owners
If you run a store and have never looked at this layer, three checks cover most of the risk. First, read your own SPF record (dig TXT yourstore.com) and verify every authorised service is one you still use. Second, check your DMARC record exists and has a plan to move past p=none. Third — and this is the one merchants skip — verify placement empirically: send your marketing template to seed mailboxes at Gmail, Microsoft 365, and Yahoo and see which folder it lands in. Transactional mail arriving is no evidence your campaigns do; they travel different paths with different reputations.
Which providers guard your customers' inboxes, and how commerce senders like Shopify trend against ESPs — it is all in our daily email infrastructure report, updated nightly from a fresh scan of the top-1M.