Why aren't my customers receiving their Shopify order confirmation emails?
It's end of financial year, which in my house means I finally buy the things I've been "thinking about" for eleven months and bask in the triumph of my perceived savings (while ignoring how broke it makes me).
So I went on a bit of a spree. Seven different stores, seven orders, money out the door. All seven run their storefront on Shopify. And five of them took my payment and then went completely silent. No order confirmation. No receipt. No "thanks for your order". Nada! Zilch! Zip! Nothing.
How rude!
If you read my other 'Misadventures in Retail' posts, you'll know I have a thing about order confirmations. I touched on this specific problem once already, but it's apparently so common that I managed to trigger it five times in a few days.
My inbox is fine. Stop telling me to check my bloody Spam folder.
My first reaction, naturally, was to blame myself. Wrong email, typo, spam folder. I checked all of it. Searched the store names, searched "order", searched "receipt". Looked in spam, in promotions, in the bin. But this only confirmed that the other two stores had delivered their emails to me successfully and they had arrived instantly, so my inbox clearly works.
And my inbox isn't some flaky free account. It's iCloud running on my own custom domain, which is about as well-behaved as email gets. I also use Apple's Hide My Email a heap, and my Shop.app account, the thing half these checkouts lean on, is tied to my Apple ID.
Then I did the thing you do when something feels off. I went to contact customer service, filled in the form, hit send, waited. For a couple of these orders I also followed up with a phone call. They insisted they'd replied but their replies never reached me. Because of course they wouldn't.
An automated order confirmation and a support reply typed by a person are two separate operations. When both fail in exactly the same way, the thing they share is the sending domain.
Here's what's actually going on.
Back in February 2024, Gmail and Yahoo made some changes (for the better, really). If your store wants to send email from your own branded address, something like orders@yourshop.com, you now have to prove the message actually came from you.
That proof is supplied by a handful of DNS settings. DKIM signs your mail, SPF says which servers are allowed to send on your behalf, and DMARC tells the receiving inbox what to do with anything that fails the check. If you set them up correctly, your mail will be sent and delivered as the Shopify gods intended, but if you skip them, they'll be sent to Email Hell and one of two things will happen.
Either Shopify quietly rewrites your sender address to something like store+123@shopifyemail.com so it can keep sending for you or the message fails the check at the far end and gets dumped in spam or dropped entirely. The second one is the killer, because it's invisible to you. From where you sit in Shopify, the order went through and the email "sent" but your customer will receive nothing, while Shopify says "Uh... everything's perfectly all right now. We're fine. We're all fine here now, thank you. How are you?"
Google and Yahoo started it. Apple is stricter.
Apple does exactly the same, and it's arguably less forgiving about it.
iCloud Mail honours whatever DMARC policy your domain publishes, so when your mail fails the check, it doesn't even get the courtesy of the Junk folder. No bounce, no warning, nothing sitting in spam for the customer to rescue three days later. Like that one friend we all have who RSVP's Yes but you know, deep down, won't show up, it just never arrives.
Think about how their accounts get made now. Few people manually type out their name, email address, and come up with a password any more, unless they're our parents and their 'secure password manager' is a piece of paper they keep in their desk drawer. Increasingly, they tap "Sign in with Apple" or "Continue with Google" and they're in. Two seconds, no friction, and brilliant for getting people through signup without losing them. Shop Pay and Shop.app use the same logins.
However, each one of those Apple accounts can hand the store a relayed or hidden address instead of a ‘real’ one. Signing in with Apple allows customers to hide their real email address by default. I use this feature religiously (and think everyone should, if I’m being perfectly honest).
Hide My Email adds a further compounding layer. When I use it, the store isn't really emailing me, rather a privaterelay.appleid.com address that forwards to my real email address. Apple's relay only forwards mail that passes SPF or DKIM. Only properly authenticated domains get through, but everyone else is put through the shredder. So the easier you make it to create an account, the more of your customer list that can end up sitting behind a provider that bins unauthenticated mail without telling you.
Have you checked Klaviyo?
My Shopify developer threw me only a curveball on this one: more than half the time, it isn't a Shopify problem. It could be Klaviyo.
Heaps of stores don't only send their emails through Shopify. They send them through Klaviyo which is a brilliant tool and also a separate sending system with its own authentication to get right. So you can set up everything above perfectly and still go quiet because it left through a different platform.
On Klaviyo's shared sending domain, the address your customers see (you@yourshop.com) doesn't match the domain Klaviyo actually sends from. That's normally fine, because Klaviyo's shared domain is set to wave it through. But the moment you tighten your own DMARC to something stricter, which is exactly what people do after the Gmail and Yahoo changes, those mismatched Klaviyo emails start failing the check and vanishing.
The fix is to set up a branded sending domain inside Klaviyo, so the address customers see lines up with the domain the email is really sent from. Same idea as authenticating Shopify, just done again in a second place.
How strict to make your DMARC policy, and how to line it up across every tool you send from, is a decision to make with your developer. If you've suddenly lost faith in your dev, let us know and we'll help match you with a better one.
the (Potential) Fallout.
Every one of my five shopping experiences made me stop and wonder, just for a second, whether I'd been scammed. I hadn't, but I couldn't know it with 100% certainty at the time, and a first-time customer who doesn't do the kind of work I do (and write blog posts about it) would surely have even less confidence. No confirmation means no reassurance, at the exact moment someone has just handed you their money.
Then it becomes your problem twice. The customer can't find their order confirmation but the money has left their account, so they email you. Except your support replies don't land either, so they email again, or they panic and request their money back through their bank. Now you're fighting a chargeback over an order that was fine. What if this is taking place over an EOFY rush or a Black Friday weekend? What if someone jumps the gun and goes straight to blasting you with a Google Review or Reddit post? What does that cost?
Putting possibility of a negative review aside, the lack of communication will quietly undo every other customer touch point downstream and poison the experience further. Dispatch notices, shipping updates, "your order's on its way". If the domain isn't authenticated, none of it reliably arrives.
How to fix it before your next sale.
Good news: if you're only fixing this on Shopify, it is a one-time job, usually under an hour, and you don't need to be technical to fix it. You will need access to wherever your domain's DNS records live, which is usually wherever you bought the domain.
Shopify should alert you to this issue in your admin, so if there's been a warning sitting in your settings that you've been scrolling past, consider this the nudge you ignored, written out in full.
Find out if you've got the problem. Place a test order on your own store using addresses you control: a Gmail or Yahoo one, and an iCloud or Hide My Email one if you can manage it. If a confirmation doesn't arrive, or it shows up from store+123@shopifyemail.com instead of your own address, that's a bingo.
Authenticate your sender domain. In your Shopify admin, go to Settings, then Notifications, and find the Sender email section. If your domain is on Cloudflare, GoDaddy, or IONOS, click Email domain authentication and let Shopify do it automatically. Otherwise, do it by hand: Shopify shows you a set of CNAME records to paste into your DNS, and you need to add every one of them, because the number varies. Either way, your store needs to be on a paid plan for this to work.
Add a DMARC record. This is the bit people skip, because even Shopify's automatic option sets up the CNAME records but not DMARC. You add it yourself: a TXT record named _dmarc with the value v=DMARC1; p=none as the minimum. If you bought your domain through Shopify, this part is already done.
Watch the gotchas. Only have one DMARC record, because duplicates make the whole check fail. If you already had one, make sure it doesn't use adkim=s or aspf=s, since those strict settings break Shopify's authentication. Don't delete the CNAME records later either, or Shopify resets you straight back to store+123. And steer clear of words like "no-reply" in your sender address, because some inboxes reject them outright.
Check Klaviyo if you use it. If your order or flow emails go out through Klaviyo, or any app like it, authenticating Shopify won't save them. Set up a branded sending domain inside that app so its emails line up with your domain.
Verify it. Run your domain through a free DMARC checker (dmarcian and EasyDMARC both have one) to confirm the records are live. DNS changes can take up to 48 hours, so give it a day or two before you panic.
Test it like a customer. Place one more real order from outside addresses, ideally a Gmail one and an Apple one, and watch the confirmation arrive from your own branded address. Done.
None of this needs a developer to write code. It's configuration that should have been part of setting the store up in the first place.
The short version.
You did the hard part and you got someone to want the thing, pick it, and pay for it. Don't fall at the last hurdle by letting the one email that says "yes, this is real" disappear into the void.
Place a test order and see what actually arrives. Authenticate your domain so DKIM and SPF are set. Add a DMARC record, and make sure there's only one of them. If your emails go out through Klaviyo or a similar app, authenticate there too. Then verify it with a checker and test it like a real customer, from a Gmail address and an Apple one.
And the call to action? Ring whoever built your Shopify store and ask them why this wasn't sorted when they set it up, because it should have been. If that conversation makes you realise your Shopify dev maybe doesn't know what they're doing, let us know. We work with people who do, and we're happy to make an introduction.
About Misadventures in Retail
We spend a lot of time helping businesses sell and ship things better. But we're also customers, and sometimes the experience on that side of the counter is illuminating in ways a client brief never could be. Misadventures in Retail is an ongoing series where we write about real shopping experiences that went wrong, and what the businesses involved could have done differently, systematically, not just operationally. If you recognise your business in any of it and want help getting it sorted, we'd love to hear from you.
