Your domain has no DMARC record — the rule that tells Gmail and Outlook what to do with email that fails authentication. Without it, scammers can send convincing phishing email that appears to come from your domain to your own customers, and your legitimate email is more likely to land in spam.
On WordPress
DMARC is a DNS record, not a WordPress setting — add it at your registrar or host. If reading raw DMARC reports is overwhelming, a free tier of a tool like Postmark's DMARC Digests or dmarcian turns them into a plain-English weekly summary.
On Shopify
Add the _dmarc TXT record at whatever service manages your domain's DNS. If your domain is registered through Shopify, add it in Settings → Domains → your domain → DNS settings.
Pro tip: Always start at "p=none" and watch the reports before enforcing. Jumping straight to "p=reject" before confirming your real senders pass can cause your own legitimate email — invoices, password resets, newsletters — to silently bounce.
SiteSprout scans your site, tells you which issues you actually have in plain English, and keeps watch so nothing breaks silently.
Scan your site free