ShipStation Community

edited- TEMPORARY SOLUTION (that worked for us)

After months of back and forth, multiple support tickets and escalations, we were left with no choice but to find another provider. Then out of nowhere, we received a response from the "Manager of Merchant Support", telling us to add a DMARC record which actually resolved all of our issues right away. It was really that simple. 

I won't share the DMARC record text that we used because it might vary for you (and I don't want to be responsible if it breaks something) but just contact your email hosting company and they should be able to help you get it done.

It's surprising how much time it took and how many different support people we went through for such a simple response. Kudos to the Support Manager, hopefully he shared his knowledge with the rest of support. 

See comments below from some more technically inclined users about using DMARC. 

I hope this helps!
If you need printing services (including custom packaging), contact us! www.mmprint.com 🙂

@PrintBizI just checked your DMARC record and all that is doing is basically telling the recipient's server to ignore DMARC checks because your DMARC policy is disabled. You have a valid DMARC record, but it is basically turned off. There are two verification methods for emails: SPF and DKIM. The DMARC record is what tells the recipient's server what to do with the email after running SPF and DKIM authentication and alignment. It's a little more involved than what I'm going to type, but the basics are that your DMARC policy can be set to accept all email regardless of outcome (basically disabled...the way yours is), or it can be set to either quarantine (usually move to junk mail) or reject (do not receive at all and return message to sender) based on one or both methods (SPF and/or DKIM). You should be receiving emails to the address you specified in your DMARC record that tells you when emails did not pass. You should review those and you'll probably see every email sent from shipstation is showing up there. The problem with the way your DMARC is setup is that I can send an email right now from my server claiming to be you, it will fail both SPF and DKIM but your DMARC record will still tell the recipient to accept it. A disabled policy is really only intended to be used for a short period of time to allow you to review the reports you receive to make sure that your records are setup properly (primarily the SPF record). Everyone should have a DMARC policy even if it is disabled like yours is. At the very least, it will give you notification when spammers are using your email addresses unauthorized as well as letting you know if something is setup incorrectly for legitimate email. Next month in February, Google and Yahoo will require a DMARC record AND it must pass DMARC (meaning it has to pass either SPF and/or DKIM) if you are sending more than 5,000 messages per day to their servers. That all sounds well and good, but I'm not sure how they will count that 5,000. Is it going to be 5,000 from me via shipstation and 5,000 from you via shipstation? Or will it count everything sent via shipstation regardless of who is shown as the "from" sender? I know I don't send more than 5,000 packages a day, so as long as it just relies on the "from" sender then I will be good. But if it aggregates all shipstation sent emails, regardless of the "sender" then we are all in trouble if you are using your own email address.

Here is some more reading for you if you're interested:

https://dmarcian.com/yahoo-and-google-dmarc-required/

DMARC is not the same as authenticated email and DMARC=none is useless most people need to dial up to DMARC policy of REJECT which means you still need SPF/DKIM to pass authentication...this entire things is very complex..I wrote about it last year but a DMARC record is a pass/fail of authentication and "none" does nothing for you to prevent spam and authenticate messages.

https://chriscolotti.us/technology/how-to-get-safely-dmarc-fully-configured/

DMARC policy checks for Authentication first which is still a requirement if you want anything more than "none" in the DMARC policy

what @Lanbo said is accurate as well but the support manager has no idea how SPF/DKIM and DMARC all work if they told you to just add a DMARC record with "none"

@Lanbo

You are absolutely right, I checked with our hosting company and they confirmed that we do have it set to email us. It is absolutely a temporary band aid. I'm not technically inclined about this stuff so I thought it was the solution. I edited my original post to reflect your comments!

100% agree, the right way to go about it is adding the SPF/DKIM but Shipstation doesn't offer that so this at least gets the emails out with our own domain for now until they fix it correctly or we find another solution. 

We tried using a gmail address and within a day or 2 google locked our account up because it was violating TOS. Plus, our marketing dept. was not happy about using gmail or a no-reply shipstation address in our emails to customers.

SHIPSTATION NEEDS TO GIVE US A PERMANENT SPF/DKIM SOLUTION.

9 days....

@Shipping55 I agree that DMARC does not need DKIM to pass. For our BigCommerce store (which does not offer DKIM), we have SPF alignment and it passes DMARC according to our DMARC monitoring solution.

The requirement for Google and Yahoo is simply to pass DMARC with either SPF alignment -or- DKIM (for now).

ShipStation is failing SPF and DKIM, even though we have "include:email.shipstation.com" in our SPF record, so it must be SPF alignment that is failing.

And Ship Station continues on to do nothing about it.....

I have an open ticket with them from 10 days ago and still no response.  

Hey Community!

You may have heard about the Google and Yahoo! email updates, we have, too.

If you use ShipStation’s default tracking email for customer shipment notifications (tracking@shipstation.com), your emails are already configured to pass DMARC checks. You do not need to take any further action.

While ShipStation doesn’t currently support domain verification, we are working on a solution so that when your brand’s email is used to send notifications, the recipient’s mail server does not filter the email as spam. You can find additional updates or changes in this article. If any questions arise, please feel free to contact our support team.

Happy Shipping!

-Erin: Your Friendly Neighborhood ShipStation Community Manager