Salesforce Email Deliverability Tips: SPF, DKIM, & DMARC

Increase your email deliverability with the latest tips for bulk sending and email authentication.

Email deliverability: It’s the cornerstone of email marketing strategy and planning. With Google and Yahoo both enforcing new email standards, your organization’s email authentication should be top of mind. In this article, we’ll highlight what’s changing, what to review across your organization and in your Salesforce instance, along with best practices to try.

What Are the New Requirements?

Beginning in February 2024, Google and Yahoo will require all email senders, both large and small, to comply with these requirements:

  • Authenticate your sending domain using SPF or DKIM authentication.
  • Maintain a low rate of spam reports.
  • Make unsubscribe easy for recipients (starting in June 2024, bulk senders must implement a one-click unsubscribe option).

For senders of more than 5,000 emails per day, two additional configurations are necessary:

  • The sender domain must be aligned with either the DKIM signature domain or the envelope sender (SPF alignment).
  • You must create a DMARC policy, even if it’s set to “none.”

What Are SPF, DKIM, & DMARC?

Sender Policy Framework (SPF): An email authentication technique used to prevent spammers from sending messages on behalf of your domain. As a sender, you’ll be required to add SPF records in your organization’s Domain Name System (DNS) to allow Salesforce (and other systems) to send email from your organization’s domain.

DomainKeys Identified Mail (DKIM): A protocol that allows an organization to take responsibility for transmitting a message by signing it in a way that mailbox providers can verify. Like the SPF configuration, DKIM requires you to publish a public key in your DNS, and the recipient email server uses that key to verify messages signed with the corresponding private key.

Domain-Based Message Authentication, Reporting, & Conformance (DMARC): An email authentication protocol designed to allow email domain owners to protect their domain from unauthorized use (also known as email spoofing). This protocol advises the recipient email servers on how to handle emails that are coming from your organization’s domain.

While SPF verifies that an email is sent from an authorized sender (like your Salesforce instance), DKIM authenticates the email by validating its signature, created with the private key, against the public key published in DNS. DMARC further helps to verify email senders by building on the DNS, SPF, and DKIM protocols.

Best Practices for Bulk Emailing

If you’re going to send emails on behalf of your organization’s domain from customer relationship management (CRM), marketing automation, customer service, or accounting systems, then you need to have SPF, DKIM, and DMARC configurations completed to help preserve email deliverability.

Other key tips to help email deliverability include:

  • Craft descriptive subject lines that provide relevant context for recipients. Avoid generic subjects like "Hey!" that could trigger spam filters.
  • Segment and personalize emails when possible with recipients’ names and other details. Generic “batch and blast” messages are more likely to be detected as spam.
  • Email people who have opted in and given consent. Purchased email lists often have low engagement and can harm sender reputation in certain scenarios.
  • Be sure your email content is useful and of interest to recipients. Irrelevant messages can increase unsubscribes and complaints.
  • Send from dedicated IP addresses and domains with good reputations when possible.

By following best practices around targeting, content, and overall deliverability, you can effectively execute bulk campaigns while respecting recipient inboxes and current email standards. Striking this balance is critical for productive ongoing sender-receiver relationships.

Setting Up SPF & DKIM in Salesforce

It’s strongly recommended to work with your IT team on any DNS changes; depending on your organization’s setup, you may even be required to. For SPF, work with your IT team to update this DNS record. To set up SPF, add the following to your DNS entries:

  • Type: TXT
  • Host: @
  • Entry: v=spf1 mx include:_spf.salesforce.com ~all
    • If there’s already an existing SPF record, then add the following to it: include:_spf.salesforce.com
  • DNS TTL (time to live): 1 hour, or whatever your IT team recommends

For DKIM, in Salesforce, go to Setup and search for “DKIM.” Select DKIM Keys under Email. Then, click Create New Key.

Work with your IT team to fill in the fields below. Once published, a message like this should display: “Salesforce has published the TXT records for this DKIM key to DNS. Before activating this key, add the CNAME and Alternate CNAME records in the DNS for your domain.” Copy the CNAME and Alternate CNAME record values and work with your IT team to enter this information into your organization’s DNS records. Please note that DNS changes can take 48 hours to propagate.

When the DNS update is complete, your CNAME and Alternate CNAME records should appear on the DKIM Key Details page. Then, click Activate.

Find more information at Salesforce Help.

Setting Up SPF, DKIM, & DMARC in Salesforce Marketing Cloud

If your organization added Marketing Cloud to the base CRM platform, the email authentication process here is a little different.

The Sender Authentication Package (SAP) for Marketing Cloud is available for purchase to organizations sending more than 250,000 email messages per month and seeking a private domain for email sending, among other features.

If your organization has SAP, you’ll need to complete this configuration for email deliverability. Marketing Cloud only requires DNS changes if you have SAP.

In addition, you can request a DMARC policy for your Marketing Cloud by following these instructions from Salesforce.

Setting Up SPF, DKIM, & DMARC in Salesforce Marketing Cloud Account Engagement

Salesforce Marketing Cloud Account Engagement (formerly Pardot) is a marketing automation and lead generation tool.

To set up SPF and DKIM in Account Engagement, go to Account Engagement Settings and select Domain Management. Click “Add New Domain” to get started.

Then, enter the domain you want to send emails from, and click Create domain.

In the Actions column, click Expected DNS Entries and copy the validation key. Work with your IT team to add the validation key to your DNS entries as TXT records. They can follow the examples below.

  • For SPF:
    • Type: TXT
    • Host: @
    • Entry: v=spf1 include:aspmx.pardot.com ~all
      • If there’s already an existing SPF record, then add the following to it: include:aspmx.pardot.com
    • DNS TTL: 1 hour, or whatever your IT team recommends
  • For DKIM DomainKey_Policy and DomainKey:
    • DomainKey_Policy
      • Domain: _domainkey.yourdomain.com
      • Type: TXT
      • Entry: t=y; o=~;
    • DomainKey
      • Domain: [insert host record]._domainkey.yourdomain.com
      • Type: TXT
      • Entry: [insert host record]
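
The SPF steps here and in the Salesforce section both say to extend an existing SPF record rather than add a second one; a domain may publish only one `v=spf1` record, and the new include has to sit before the `all` term. The following is an added example, not code from this article or from Salesforce, that performs that merge. The function names and the `EXISTING` sample records are constructed for illustration.

```python
import re

def spf_records(txt_records):
    """Return only the TXT strings that are SPF records."""
    return [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]

def merge_spf_include(txt_records, include_host, with_mx=False):
    """Return the single SPF record the domain should publish."""
    inc = f"include:{include_host}"
    found = spf_records(txt_records)
    if len(found) > 1:
        # RFC 7208: more than one v=spf1 record is a permerror at the receiver.
        raise ValueError("multiple v=spf1 records; merge them into one first")
    if not found:
        # No SPF yet: build the entry in the form the article gives.
        return f"v=spf1 {'mx ' if with_mx else ''}{inc} ~all"
    terms = found[0].split()
    if inc.lower() in (t.lower() for t in terms):
        return found[0]  # already authorized, nothing to change
    # Terms are evaluated left to right and "all" always matches, so the
    # include has to go before it.
    pos = next((i for i, t in enumerate(terms)
                if t.lstrip("+-~?").lower() == "all"), len(terms))
    return " ".join(terms[:pos] + [inc] + terms[pos:])

def lookup_terms(record):
    """Count terms in this one record that cost a DNS lookup.
    RFC 7208 caps the total, nested includes counted, at 10."""
    count = 0
    for term in record.split()[1:]:
        name = term.lstrip("+-~?").lower()
        if name.startswith(("include:", "exists:", "redirect=")):
            count += 1
        elif re.split(r"[:/]", name)[0] in ("a", "mx", "ptr"):
            count += 1
    return count

# Constructed sample: a domain that already sends through another mail host.
EXISTING = ["site-verification=constructed-token",
            "v=spf1 include:spf.mailhost.example ~all"]
```

`lookup_terms` counts only the record you pass in; the lookups inside each included record also count toward the limit of 10.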

After your organization’s DNS is configured, return to the Domain Management page in Account Engagement. In the Actions column, click Check DNS Entries to verify your domain. Please note that any DNS changes can take up to 48 hours to propagate.

In addition, if you scroll down on the Domain Management page, you can add a Tracker Domain. A Tracker Domain creates a vanity/branded URL for any landing pages, forms, and files you have hosted in Account Engagement.

To set up a Tracker Domain, work with your IT team and follow these instructions from Salesforce.

DMARC in Account Engagement requires IT support as well, and possibly Salesforce Support. DMARC lets domain owners, like webmail providers, publish a “policy” that can have restrictions on where their domain can be used.

The new requirements from Google and Yahoo stipulate that you must create a DMARC policy, even if it’s set to “none.”

Generally, if your SPF and DKIM are set up properly, you’ll pass the DMARC test for your email sending domain. However, if you fail, it may have to do with return-path domain and mail-from address alignment. If your company requires configuration for aligning the return-path address to the mail-from domain, log an Account Engagement Support case and the support team can supply the DNS records to add to your domain.
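
The alignment failure described above can be seen in the `Authentication-Results` header a receiver adds to a delivered message. The following is an added example, not part of the original article, that reads that header and reports whether SPF or DKIM passed for a domain aligned with the From address. The function names and both sample messages are constructed, and the organizational-domain rule is simplified to the last two labels.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real receivers
    # use the Public Suffix List (needed for co.uk-style suffixes).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_alignment(raw_message):
    """Relaxed-alignment DMARC verdict from Authentication-Results."""
    msg = message_from_string(raw_message)
    from_org = org_domain(parseaddr(msg["From"])[1].rpartition("@")[2])
    results = " ".join(msg.get_all("Authentication-Results", []))
    spf_aligned = dkim_aligned = False
    for clause in results.split(";"):
        clause = clause.strip()
        if clause.startswith("spf=pass"):
            # smtp.mailfrom is the return-path (envelope sender).
            m = re.search(r"smtp\.mailfrom=(?:\S*@)?([^\s@]+)", clause)
            spf_aligned |= bool(m) and org_domain(m.group(1)) == from_org
        elif clause.startswith("dkim=pass"):
            # header.d is the domain that signed the message.
            m = re.search(r"header\.d=(\S+)", clause)
            dkim_aligned |= bool(m) and org_domain(m.group(1)) == from_org
    # DMARC needs only one aligned pass, from SPF or from DKIM.
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc_pass": spf_aligned or dkim_aligned}

# Constructed sample: SPF and DKIM both pass, but for the sending
# platform's domain rather than the From domain, so DMARC fails.
UNALIGNED = (
    "From: News <news@yourdomain.example>\n"
    "Authentication-Results: mx.receiver.example; "
    "spf=pass smtp.mailfrom=bounce@bounces.platform.example; "
    "dkim=pass header.d=platform.example\n"
    "\nhello\n"
)

# Constructed sample: same return-path, but DKIM now signs with a
# subdomain of the From domain, which is enough for DMARC to pass.
ALIGNED = UNALIGNED.replace("header.d=platform.example",
                            "header.d=mail.yourdomain.example")
```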

Testing Salesforce Email Deliverability

When your DNS changes are complete, you may want to use Google Postmaster Tools, DMARC.org, or MxToolbox resources to test your SPF, DKIM, and DMARC setup.

Also, email authentication doesn’t end with Salesforce! If you’re using a different marketing automation tool, customer service platform, or accounting system to send email, be sure to test email deliverability for each system and email domain.

Email authentication is an essential part of communicating safely with your audience. If you’d like assistance with validating your SPF, DKIM, and DMARC records in Salesforce, Marketing Cloud, or Account Engagement, please send us a message. The Business Technology Solutions team at FORVIS is a Salesforce partner with certified experience.
