Summary
Aligning SPF and DKIM in Salesforce Service Cloud requires careful configuration of both protocols. For SPF, the 'envelope from' domain needs to match the domain authorized in the SPF record, which often involves setting up a subdomain for Salesforce to use for bounce management and including Salesforce's SPF records (include:_spf.salesforce.com). DKIM alignment involves ensuring the 'd=' tag matches the 'From:' header domain. While DKIM is considered a more robust authentication method and can mitigate some SPF failures, most sources recommend aligning both for optimal deliverability. Salesforce's bounce management can interfere with SPF alignment, and proper setup of DKIM keys within Salesforce is essential. The one-click unsubscribe links cannot be setup in Sales and Service Cloud because you're not supposed to be sending bulk email through it, only transactional.
Key findings
- SPF Alignment Steps: Salesforce needs to change domain to send from subdomain of senders domain.
- Importance of DKIM: DKIM is preferred over SPF as it's a more robust authentication method, however DKIM alignment is often prioritised, and can mitigate SPF failures.
- SPF Requirements: Make sure that the domain in the 'Return-Path' or 'envelope from' address matches the authorized domain in the SPF record.
- Bounce Management Problems: Salesforce's bounce management can prevent SPF Alignment.
- DKIM Setup: Setting up DKIM involves provisioning DKIM keys within Salesforce and ensuring that the correct DNS records are published.
- Transactional sending: one-click unsubscribe links cannot be setup in Sales and Service Cloud as bulk emails are not supported.
Key considerations
- Configure Bounce Domain: If possible, configure Salesforce to use a subdomain of your domain for bounce management.
- DKIM Key Provisioning: Be sure to properly provision DKIM keys within Salesforce and update DNS records.
- SPF Record Maintenance: Carefully manage the SPF record, including Salesforce's SPF include and avoiding 'a' records.
- Test configuration: Testing must be performed to ensure that emails don't go to spam.
- DMARC validation: DKIM and SPF configuration and validation can be simplified with proper DMARC setup and validation.
- Salesforce Documentation: Follow Salesforce specific documentation.
What email marketers say
7 marketer opinions
Aligning SPF and DKIM in Salesforce Service Cloud can be complex due to Salesforce's specific sending infrastructure and bounce management. Several sources recommend prioritizing DKIM alignment, as it's a more robust authentication method. For SPF alignment, the 'envelope from' domain must match the authorized sending domain, which may require configuring Salesforce to use a subdomain of your own for bounce addresses and updating your SPF record to include Salesforce's sending IPs or domains. If bounce management is enabled in Salesforce, SPF alignment may not be possible.
Key opinions
- DKIM Priority: DKIM alignment is generally considered more important than SPF alignment for deliverability.
- SPF Configuration: SPF alignment requires the 'envelope from' domain to match the authorized sending domain.
- Bounce Management: Salesforce's bounce management can interfere with SPF alignment.
- Subdomain Strategy: Using a subdomain for bounce addresses can help achieve SPF alignment with Salesforce.
- Inclusion of Salesforce in SPF: The SPF record needs to include Salesforce sending domains, typically with an 'include:_spf.salesforce.com' statement.
Key considerations
- DKIM Setup: Ensure DKIM keys are properly provisioned within Salesforce and that the correct DNS records are published.
- SPF Record Updates: Adjust SPF record carefully, avoiding 'a' records for the main domain and using the correct 'include' statement for Salesforce.
- Bounce Management Impact: Evaluate the impact of disabling bounce management on email deliverability tracking.
- Domain Matching: Verify the 'envelope from' domain and ensure it matches what is authorized in the SPF record.
- Third-Party Sending: Understand complications for SPF with third-party senders like Salesforce, requiring updates to SPF record
Marketer view
Email marketer from Mailtrap blog explains with third-party senders (like Salesforce), SPF can get complicated because they are sending email on your behalf. To fix this, you'll need to add the third party to your SPF record. Also adding to your record that DKIM alignment is important as it doesn't suffer the same problems as SPF.
9 Jul 2021 - Mailtrap Blog
Marketer view
Email marketer from Stack Overflow discusses that it may be necessary to adjust the SPF record to include Salesforce's sending IPs or domains, but warns against adding 'a' records for the main domain. Instead include the relevant Salesforce SPF records using 'include:_spf.salesforce.com'. If DKIM is setup it may be easier to maintain.
28 Jul 2022 - Stack Overflow
What the experts say
5 expert opinions
Aligning SPF and DKIM in Salesforce Service Cloud involves specific configurations, including setting up a subdomain for the 'envelope from' address and ensuring the correct SPF record with Salesforce's include statement. While DKIM alignment is often prioritized and can mitigate SPF issues, proper SPF configuration remains a fundamental requirement. Several experts note the importance of checking the 'Return-Path' address and ensuring it aligns with the SPF record. One-click unsubscribe links are a separate header requirement handled by Salesforce.
Key opinions
- Subdomain for SPF: Salesforce requires using a subdomain of the sender's domain for the 'envelope from' address to achieve SPF alignment.
- DKIM Mitigation: While not a complete substitute, properly implemented and aligned DKIM can mitigate some SPF failures.
- SPF Fundamental: SPF configuration is still a basic requirement for email authentication, even with DKIM in place.
- Return-Path Check: The 'Return-Path' or 'envelope from' address is what SPF checks against.
- Header requirement.: one-click unsubscribe links are a separate header requirement handled by Salesforce.
Key considerations
- Salesforce Configuration: Carefully review Salesforce's documentation for specific SPF include statements and configuration requirements.
- Domain Alignment: Ensure the domain in the 'Return-Path' or 'envelope from' address matches the authorized domain in the SPF record.
- DKIM Setup and Alignment: Properly set up and align DKIM in addition to ensuring correct SPF configuration.
- Prioritizing based on DMARC: Prioritize deliverability rules based on DMARC setup (but not disregarding SPF configuration).
- SPF Alignment Steps: Salesforce needs to change domain to send from subdomain of senders domain.
Expert view
Expert from Email Geeks explains that to align SPF with Salesforce Service Cloud, Salesforce needs to change the domain they're using in the envelope from to a subdomain of the sender's domain (e.g., bounce.sfsc.mydomain.com). Then, publish an SPF record for that subdomain that includes Salesforce's SPF record, or create a CNAME record.
15 Sep 2024 - Email Geeks
Expert view
Expert from Word to the Wise forums suggests reviewing the 'Return-Path' or 'envelope from' address, as this is what SPF checks against. The user suggests ensuring that the sending domain matches the authorized domain in the SPF record. The user also suggests DKIM should be properly aligned and setup. However, while DKIM helps, it doesn't completely negate the need for correct SPF configuration.
25 Feb 2025 - Word to the Wise
What the documentation says
4 technical articles
Aligning SPF and DKIM in Salesforce Service Cloud involves ensuring the 'envelope from' domain matches the authorized sending domain in the SPF record and that the 'd=' tag in the DKIM signature matches the domain in the 'From:' header. Salesforce recommends aligning both SPF and DKIM for best deliverability, while others note that DKIM is stronger. Proper setup of DKIM keys within Salesforce, including generating keys, publishing DNS records, and activation, is critical. Also updating SPF records to include salesforce sending IPs.
Key findings
- SPF Alignment Requirement: SPF alignment requires the 'envelope from' domain to match the authorized sending domain.
- DKIM Alignment Requirement: DKIM alignment requires the 'd=' tag in the DKIM signature to match the domain in the 'From:' header.
- Salesforce Recommendation: Salesforce recommends aligning both SPF and DKIM for optimal deliverability.
- DKIM Setup is Critical: Generating keys, publishing DNS records and activating DKIM.
- Update SPF: Ensure that SPF includes all IP's that send emails from Salesforce.
Key considerations
- Domain Matching for SPF: Verify that the 'envelope from' domain is authorized in the SPF record.
- DKIM Signature: Ensure that the 'd=' tag in the DKIM signature matches the domain in the 'From:' header.
- Salesforce Specific Steps: Follow Salesforce's step-by-step instructions for DKIM key generation and activation.
- Prioritising both : Align both SPF and DKIM for best deliverability
Technical article
Documentation from Salesforce Help explains that to ensure SPF alignment, the domain used in the 'envelope from' address must match the domain authorized to send mail. For DKIM alignment, the 'd' parameter in the DKIM signature must match the domain in the 'From' address. Salesforce recommends aligning both SPF and DKIM for best deliverability. If DKIM passes and aligns, it may reduce the need for SPF alignment but both are still recommended.
25 Oct 2024 - Salesforce Help
Technical article
Documentation from Salesforce Help provides step-by-step instructions on how to generate and activate DKIM keys within Salesforce. It details navigating to the DKIM Keys section in Setup, creating a new key, publishing the DNS records, and then activating the key. This is critical for DKIM alignment.
7 Apr 2025 - Salesforce Help
Are SPF, DKIM, and DMARC records necessary for transactional email servers not used for marketing?
Can DKIM be set up on a subdomain, and which domain should be used for signing?
Do SPF and DKIM records need to be aligned for all email service providers?
Does unaligned SPF affect Gmail performance and domain reputation?
How can I improve SPF alignment and email deliverability when using Hubspot?
How do I align SPF authentication with my sending domain in Google Postmaster Tools?
How do I properly set up SPF and DKIM records for email marketing, including handling multiple SPF records, IP ranges, bounce capturing, and Google Postmaster Tools verification?
How do SPF, DKIM, and DMARC affect email deliverability with Cvent?
How does SPF alignment work with DMARC in HubSpot, and what are the implications for shared and dedicated senders?
