Guides8 min read

The Commerce Email Stack: Shopify Now Sends for Nearly 1% of the Top-1M

From 0.04% of top-1M SPF domains in 2016 to 0.85% today: Shopify has quietly become one of the internet's biggest email senders. Here is the line between what the platform handles for a merchant — and what it never will.

Every Shopify store that sends order confirmations from its own domain leaves a fingerprint in public DNS: an SPF record authorising Shopify's servers to send on the domain's behalf. Our nightly scan of the Tranco top-1M counts those fingerprints, and the curve is striking. As of the 2026-07-05 snapshot, 0.85% of top-1M domains with SPF records authorise Shopify — up from 0.04% in 2016. A twenty-fold rise in a decade, tracking the platform's march from webshop builder to commerce operating system.

0%0.20%0.40%0.60%0.80%20172018201920202021202220232024202520260.86%Shopify
Domains authorising Shopify in SPF, as a share of Tranco top-1M domains with SPF records, 2016–2026. Source: our daily OpenINTEL-based scan of the Tranco top-1M.

For a founder running a store, that number carries a practical question: which parts of "email" does the platform actually take off your plate, and which parts silently remain yours? Merchants get this wrong in both directions — re-building what Shopify already handles, or assuming Shopify covers things it never touches.

What the platform takes off your plate

Shopify sends the operational lifecycle of an order for you: confirmations, shipping and delivery updates, refund notices, abandoned-checkout nudges, account and password mail. Crucially, it sends them from its own, professionally warmed infrastructure. The deliverability of an order confirmation is Shopify's problem, at Shopify's scale — which is why these messages reliably arrive even for a store that launched yesterday. When you configure your own domain as the sender, the platform walks you through the DNS records that authorise it, which is exactly the SPF footprint our dataset measures.

This is the "commerce email stack" pattern in miniature: the platform bundles the transactional layer the way suites bundled the mailbox. You could not match its deliverability for order mail if you tried, and you should not try.

What stays yours (and bites if ignored)

  • Marketing email. Campaigns, newsletters, win-backs, product launches — whether you use Shopify's own marketing product or a dedicated ESP, the strategy, list hygiene, frequency, and the spam-complaint consequences are yours. The platform ships the pipes, not the judgement.
  • Your domain's reputation. Mailbox providers score the sending domain across everything it sends. A sloppy marketing blast damages the same domain reputation your order confirmations ride on. One domain, one ledger.
  • Your DMARC policy. Shopify cannot publish DMARC for you — it is your DNS. With 47.16% of DMARC-publishing domains now enforcing their policies, commerce domains that stay at p=none forfeit both spoofing protection for their customers and the trust signal that enforcement sends to receivers.
  • Your mailbox. The platform sends; it does not receive. Support and reply-handling need a real mailbox provider behind hello@yourstore.com.

The multi-sender reality of a commerce domain

Look at the SPF record of a typical established store and you will find several senders authorised at once: the commerce platform for transactional, an ESP for marketing, often a support desk for tickets. Our dataset confirms this is the norm, not the exception — ESP shares summed across the top-1M exceed 100% of SPF domains because multi-ESP stacks are standard practice. That layout is healthy, with two cautions:

  • SPF has a hard 10-DNS-lookup limit. Every include: spends lookups, and the platform-plus-ESP-plus-desk pattern eats them quickly. Exceed ten and receivers get a PermError — your authorisation silently stops evaluating.
  • Every authorised sender is a reputation co-signer. Each service in your SPF can affect how receivers treat mail from your domain. Prune senders you no longer use; forgotten includes are both a lookup tax and an attack surface.
Division of email responsibility for a Shopify merchant
LayerPlatform handlesMerchant owns
Order/shipping notificationsSending, templates, deliverabilitySender domain configuration
Marketing campaignsTooling (optional)Strategy, list hygiene, complaint rates
DNS authenticationProvides records to publishPublishing SPF/DKIM, DMARC policy
Inbound mail (support, replies)Mailbox provider, routing
Domain reputationEverything sent as the domain

A 30-minute audit for store owners

If you run a store and have never looked at this layer, three checks cover most of the risk. First, read your own SPF record (dig TXT yourstore.com) and verify every authorised service is one you still use. Second, check your DMARC record exists and has a plan to move past p=none. Third — and this is the one merchants skip — verify placement empirically: send your marketing template to seed mailboxes at Gmail, Microsoft 365, and Yahoo and see which folder it lands in. Transactional mail arriving is no evidence your campaigns do; they travel different paths with different reputations.

Context for your numbers

Which providers guard your customers' inboxes, and how commerce senders like Shopify trend against ESPs — it is all in our daily email infrastructure report, updated nightly from a fresh scan of the top-1M.

FAQ

How many top domains send email through Shopify?

As of July 2026, 0.85% of Tranco top-1M domains with SPF records authorise Shopify as a sender — up from 0.04% in 2016. Measured by SPF footprint, that makes Shopify one of the largest SaaS email senders on the internet.

Does Shopify handle all my store's email deliverability?

Only the transactional layer: order confirmations, shipping updates, and account mail ride Shopify's own infrastructure. Marketing campaigns, your domain's overall reputation, your DMARC policy, and inbound mail remain entirely your responsibility.

Do I need a DMARC record for my store?

Yes. Shopify cannot publish it for you — DMARC lives in your DNS. With 47.16% of DMARC-publishing domains now enforcing their policies, a store stuck at p=none leaves customers easier to spoof and gives up a trust signal receivers increasingly expect.

Can having many services in my SPF record cause problems?

Yes, in two ways. SPF allows at most 10 DNS lookups — platform, ESP, and support-desk includes consume them fast, and exceeding the limit yields PermError. And every authorised sender co-signs your domain's reputation, so prune services you no longer use.
Related reading
Found this useful? Share it
AB
About the author
Artem Berezin
B2B Deliverability Specialist

B2B deliverability specialist with 5+ years of hands-on outreach experience. Built campaigns reaching 90,000+ inboxes across 20+ countries — and fixed the deliverability problems that came with that scale.

Check your deliverability across 20+ providers

Gmail, Outlook, Yahoo, Mail.ru, Yandex, GMX, ProtonMail and more. Real inbox screenshots, SPF/DKIM/DMARC, spam engine verdicts. Free, no signup.

Run Free Test →

Unlimited tests · 20+ seed mailboxes · Live results · No account required