What is the primary concern when forwarding emails?

The primary concern with general email forwarding is that it can modify email headers in a way that breaks SPF and DKIM authentication, leading to DMARC failures. This can cause emails to be flagged as spam or rejected by recipient mail servers, ultimately hurting your sender reputation.

How do SPF, DKIM, and DMARC interact with email forwarding?

SPF, DKIM, and DMARC are designed to verify the sender's authenticity and message integrity at the point of initial delivery. When emails are forwarded internally within a system like Salesforce, these authentication checks typically aren't re-evaluated in a way that affects external deliverability, as the original authentication has already passed.

Why might Salesforce's internal forwarding differ from standard email forwarding?

Salesforce's internal forwarding between SFMC and Service Cloud is usually an API-driven data transfer rather than a standard SMTP re-send by an external mail server. This means changes to internal processing won't impact how external mail servers perceive the email's authenticity.

Does disabling Reply Mail Management (RMM) affect my domain's external reputation?

Disabling the specific Reply Mail Management (RMM) feature in SFMC that appends the sending domain is unlikely to affect your external domain's reputation. The reputation is built on how external mail servers authenticate and perceive emails sent *from* your domain, not internal routing.

What should I monitor after making changes to email forwarding in Salesforce?

After making changes to email forwarding in Salesforce, you should monitor your DMARC reports for any unexpected authentication failures and observe how replies are processed within Service Cloud to ensure the desired operational outcome.

Will disabling email forwarding impact deliverability between SFMC and Service Cloud? - Technical - Email deliverability - Knowledge base

The question of whether disabling email forwarding between Salesforce Marketing Cloud (SFMC) and Salesforce Service Cloud will impact email deliverability is a common one. It arises particularly when organizations aim to streamline their internal processes and prevent issues like duplicate records in Service Cloud, which can occur when the sending domain is appended to the from email address. This specific scenario touches upon how email authentication protocols like SPF, DKIM, and DMARC behave within a tightly integrated enterprise environment, as opposed to typical external email forwarding.

My goal here is to clarify the impact of such a change. While Salesforce itself often provides guidance on these internal configurations, understanding the underlying email deliverability principles can help ensure that disabling this forwarding functionality doesn't inadvertently lead to external inbox placement issues or a diminished sender reputation for your domain. We will explore the unique aspects of inter-system communication and what to consider when making such adjustments.

The nuances of email forwarding

Email forwarding is a common practice, but it can introduce complexities for deliverability. Typically, when an email is forwarded, its headers can be modified. This modification sometimes causes issues with email authentication protocols like Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), potentially leading to DMARC (Domain-based Message Authentication, Reporting, and Conformance) failures. Such failures can result in emails being marked as spam or rejected by recipient mail servers, ultimately impacting your sender reputation.

However, the scenario between SFMC and Service Cloud is often different. This isn't a typical email forwarding setup where an email is simply redirected from one inbox to another through an external mail server. Instead, it's an integration between two Salesforce platforms, usually managed via an internal connector or API calls. This means the way messages are 'forwarded' is often handled at a system level, not at a mail transfer agent (MTA) level in a way that would commonly break standard email authentication.

The concern about the sending domain being appended to the from email address primarily relates to how Service Cloud processes incoming replies and creates cases. If disabling the functionality means the message is now handled 'as if from the original recipient,' it suggests a change in how Service Cloud interprets the From header internally, rather than altering the email's authenticity or sender's domain as perceived by external mail servers. This distinction is crucial for assessing deliverability impact. You can learn more about general email forwarding impacts on authentication protocols in our guide on email forwarding and SPF, DKIM, DMARC validation.

Authentication protocols and internal forwarding

When Salesforce (SF) states that disabling this internal forwarding method will not impact DKIM or SPF, and will not increase your spam score, they are likely referring to the external email deliverability. This means the changes you make to how Service Cloud processes replies are confined within the Salesforce ecosystem and do not alter the authentication passed by the email originally sent from SFMC to the recipient's inbox. The From address that external mail servers see remains consistent with your DMARC, SPF, and DKIM records.

SPF (Sender Policy Framework) verifies that an email came from an authorized IP address listed in your domain's DNS records. DKIM (DomainKeys Identified Mail) uses cryptographic signatures to ensure the email content hasn't been tampered with in transit. DMARC then uses both SPF and DKIM to determine if an email is legitimate and provides instructions on what to do if authentication fails. For a deeper dive into these, our guide A simple guide to DMARC, SPF, and DKIM can be a valuable resource.

Because the email's original journey from SFMC to the recipient's inbox is already complete, and authentication checks have passed, any subsequent internal routing or processing within Salesforce's own systems typically happens post-delivery. This internal handling does not usually re-trigger external authentication checks in a way that would negatively impact your sender reputation or cause your emails to land on a blocklist (or blacklist). The primary concern is often how the email appears within Service Cloud for case management purposes, not how it appears to external Mail Transfer Agents.

Ensuring DMARC alignment

While Salesforce states there's no impact, always ensure your DMARC policies are configured correctly for your sending domains from SFMC. A well-configured DMARC policy helps protect your domain from impersonation and improves overall deliverability. This includes monitoring DMARC reports to identify any unexpected authentication failures, though these are unlikely to stem from internal Service Cloud routing changes.

For more information on configuring deliverability settings within the platform, refer to the Salesforce documentation on email deliverability settings.

Why internal system forwarding differs

The key difference lies in the nature of the communication. External email forwarding involves one mail server sending a message to another, often leading to changes in the Return-Path or From headers, which can break SPF alignment or invalidate DKIM signatures. For instance, if you forward an email from Gmail to another account, Gmail might re-write certain headers, which can cause issues with the original sender's SPF or DKIM. This is elaborated in our article on forwarding Gmail emails through Marketing Cloud.

In contrast, the SFMC to Service Cloud communication is usually not an SMTP-level forward for external delivery purposes. Instead, it is an internal data exchange. Salesforce's Reply Mail Management (RMM) feature in Marketing Cloud is designed to capture replies and route them, often by modifying the From address to manage routing and tracking. When you disable this appending behavior, you are instructing Salesforce to process the reply differently for internal record-keeping, without affecting the authenticity of the original outbound email that reached the customer's inbox.

This kind of internal routing means that the deliverability outcome (whether the email lands in the inbox or spam) has already been determined by the time the message hits your customer's mail server. The subsequent 'forwarding' to Service Cloud is more of a data transfer or API call within the Salesforce ecosystem. Therefore, changing how this internal processing occurs is unlikely to affect your external sender reputation, which is built on factors like bounce rates, spam complaints, and adherence to authentication protocols for emails sent *out* to recipients. A useful external resource discussing Salesforce email deliverability is Salesforce Email Deliverability: Ensure your emails reach the inbox.

External email forwarding

Process: Involves an external mail server (e.g., ISP or corporate mail system) receiving an email and sending it to another address.
Header changes: Can modify headers like Return-Path or From, potentially breaking SPF and DKIM alignment.
Deliverability impact: High risk of DMARC failures, increased spam scoring, and reduced inbox placement for the *original* sender.

SFMC to Service Cloud forwarding

Process: Typically an internal data routing or API-driven process within the Salesforce ecosystem, post-initial delivery to the recipient.
Header changes: Modifications are internal to Salesforce systems for processing and routing, not for external email delivery.
Deliverability impact: Minimal to no direct impact on external SPF, DKIM, DMARC validation, or sender reputation.

Mitigating potential risks

Even though the direct impact on external deliverability is likely minimal, it is still prudent to consider potential indirect or edge-case risks. One such consideration is ensuring that any changes to how Service Cloud handles replies do not inadvertently affect the integrity of the data used for DMARC reporting. While the email itself has already been delivered, DMARC reports provide valuable feedback on authentication outcomes, which can help detect any unforeseen issues.

It is also important to maintain good email sending practices from SFMC itself. This includes regular list hygiene, monitoring engagement, and avoiding content that could trigger spam filters. These factors have a far greater impact on your sender reputation and inbox placement than internal Service Cloud routing configurations. Consistent monitoring of your DMARC reports is always a good idea. Our DMARC monitoring service can provide insights into your email authentication performance.

When making any changes that affect how emails are processed, even internally, it is beneficial to conduct small-scale tests. Send test emails and monitor how they are received and processed by both SFMC and Service Cloud. This allows you to confirm that the desired functionality is achieved without introducing unexpected side effects. Here's an example of a DMARC record that you should aim to have in place for proper monitoring:

Example DMARC record for monitoringDNS

v=DMARC1; p=none; rua=mailto:dmarc_agg@yourdomain.com; ruf=mailto:dmarc_forensic@yourdomain.com; fo=1;

Views from the trenches

Best practices

Always align your sender reputation with core deliverability practices within Salesforce Marketing Cloud.

Monitor DMARC aggregate and forensic reports for any changes in authentication results or potential abuse, even for internal flows.

Regularly review Salesforce's official documentation and best practices for integrating SFMC and Service Cloud.

Common pitfalls

Assuming internal forwarding changes will affect external deliverability in the same way as traditional forwarding.

Neglecting to test changes thoroughly in a controlled environment before full implementation.

Overlooking the impact of DMARC policies on internal email routing when not fully understood.

Expert tips

Implement a DMARC policy with a 'p=none' setting first to gather data without impacting delivery.

Use the Salesforce Email Deliverability Workbench to diagnose any issues related to emails sent from SFMC.

Collaborate closely with your Salesforce administrators and email deliverability experts to ensure correct configuration.

Marketer view

Marketer from Email Geeks says that SFMC likely does not monitor reputation for messages forwarded between their systems.

2021-05-20 - Email Geeks

Marketer view

Marketer from Email Geeks says they have observed no deliverability issues when messages pass through the connector between SFMC and Service Cloud over many years.

2021-05-20 - Email Geeks

Key takeaways for SFMC and Service Cloud deliverability

Disabling the specific email forwarding functionality between Salesforce Marketing Cloud and Service Cloud, where the sending domain is appended to the from email address, is highly unlikely to negatively impact your external email deliverability or sender reputation. This is primarily because the core email authentication (SPF, DKIM, DMARC) for messages sent from SFMC has already occurred by the time the email reaches the recipient's inbox.

The change you are considering pertains to an internal routing and data processing mechanism within the Salesforce ecosystem, specifically how Service Cloud records replies. Salesforce's assurance that this won't affect DKIM, SPF, or your spam score directly points to the fact that this adjustment is about internal system behavior, not external mail server interactions. As always, maintaining robust DMARC policies and monitoring your email performance remains a best practice to ensure consistent deliverability.