How do I align SPF and DKIM in Salesforce Service Cloud, and is it necessary if DKIM is already aligned?

Key findings

• DKIM alignment is paramount: If your DKIM passes and aligns with your 5322.from domain, DMARC will generally pass, making SPF alignment less critical for deliverability.
• SPF mechanics: SPF checks the Envelope From (Return-Path) domain, not necessarily the visible From header. In Salesforce Service Cloud, the Envelope From often defaults to a Salesforce-owned subdomain, making direct SPF alignment challenging without specific Salesforce configurations.
• Bounce management trade-off: Achieving SPF alignment in Salesforce Service Cloud often requires disabling Salesforce's native bounce management, which many organizations prefer to retain for ease of tracking.
• Deliverability focus: While technical alignment is important, the ultimate goal of email deliverability is ensuring recipients want to receive your emails, which heavily influences inbox placement.

Key considerations

• Evaluate your DMARC reports: Before attempting SPF alignment, review your DMARC aggregate reports. If your emails are passing DMARC via DKIM, the immediate need for SPF alignment might be less pressing.
• Salesforce configuration: Investigate if Salesforce Service Cloud allows for custom Envelope From domains or CNAME records that can point to a Salesforce subdomain, thereby facilitating SPF alignment. This may involve discussions with Salesforce support.
• Impact on bounce handling: Understand the implications of disabling Salesforce's bounce management. Bounces would then return to your sender address, potentially requiring internal processes (like email-to-case) to handle them.
• Comprehensive authentication: Always ensure DKIM is fully configured and aligned. This is often the stronger authentication signal for DMARC. For more on best practices, see our guide on SPF, DKIM, and DMARC.
• Unsubscribe links: For transactional emails, one-click unsubscribe links may not be a requirement as per Google and Yahoo sender guidelines, but consider a "This is not me" or "Close case" link for user convenience if cases are auto-generated.

Key opinions

• Pursuing full alignment: Some marketers are driven to satisfy all conditions on email testing tools, even if it means trying to force SPF alignment in scenarios where it might not be the most effective or necessary action.
• Prioritizing deliverability: The ultimate aim is to prevent emails from going to spam, especially critical communications like service replies. If current configurations lead to spam issues, marketers will explore all authentication fixes.
• DKIM as primary fix: Many marketers recognize that a missing or unaligned DKIM is a more significant deliverability problem than SPF non-alignment, particularly under a DMARC policy.
• Unsubscribe link confusion: There can be pushback or confusion regarding whether transactional emails, like service replies, require unsubscribe links, especially with new sender requirements.

Key considerations

• Understanding Salesforce's Envelope From: It's important to differentiate between the visible 'From' header and the 'Envelope From' address, as SPF authentication relies on the latter. Salesforce often uses its own subdomains for the Envelope From, complicating direct SPF alignment.
• Balance features vs. alignment: Marketers must weigh the benefits of SPF alignment against the operational advantages of features like Salesforce's integrated bounce management. If DKIM is solid, sacrificing bounce tracking might not be a worthwhile trade-off.
• Transactional vs. marketing email: The requirements for unsubscribe links differ significantly between marketing and transactional emails. Salesforce Service Cloud is primarily for transactional communication, which typically doesn't mandate a visible unsubscribe link. For more on this, check out our insights on Gmail's 'Manage subscriptions' feature.
• Focus on DMARC success: The ultimate goal is to pass DMARC. If DKIM is properly aligned and authenticates your domain, it fulfills one of the two DMARC alignment requirements, often sufficient for inbox delivery, even if SPF does not align.

Key opinions

• SPF alignment limitation: It's often impossible to achieve SPF alignment solely through DNS records if the sending platform (like Salesforce) uses its own domain in the Envelope From address.
• DKIM sufficiency: If DKIM is properly configured and aligned, it typically satisfies DMARC requirements, negating the absolute need for SPF alignment.
• Bounce management impact: Disabling Salesforce's bounce management is often a prerequisite for SPF alignment, a trade-off that many prefer not to make due to the minor impact of non-aligned SPF when DKIM is aligned.
• Deliverability is about content: True deliverability hinges on sending relevant emails that recipients want, reducing spam complaints, and maintaining a positive sender reputation. Technical authentication is a foundation, not the sole determinant.
• Salesforce DKIM setup: Sales and Service Cloud platforms generally allow for straightforward self-service DKIM provisioning and alignment, unlike more complex systems like SFMC.

Key considerations

• Understand Envelope From vs. Header From: SPF checks the Envelope From domain. If Salesforce is using a dynamic subdomain for this, your SPF record for your main domain will not align. This distinction is crucial for understanding why SPF alignment fails. Our article on RFC 5322 provides further detail.
• Rely on DKIM for DMARC pass: Given that DKIM alignment is often achievable and sufficient for DMARC, focus efforts on ensuring DKIM is correctly set up and aligned before attempting complex SPF workarounds.
• Transactional email practices: For transactional emails sent via Service Cloud, a one-click unsubscribe link (RFC 8058) is not typically required. Instead, consider including a "This is not me" or "close this case" link to handle misdirected emails without affecting deliverability through unnecessary unsubscribe options. More on transactional emails and authentication can be found here.
• Consult Salesforce directly: If SPF alignment is a strict requirement, engage with Salesforce support to determine if they offer options to customize the Envelope From domain or provide CNAME records that enable direct SPF alignment for your domain.
• Monitor DMARC reports: Regularly review your DMARC reports to understand authentication outcomes and identify any issues, regardless of initial SPF or DKIM setup. This offers a holistic view of your email health. Learn more about DMARC reports from Google and Yahoo.

Key findings

• DMARC alignment rules: DMARC explicitly requires that either SPF or DKIM (or both) align with the domain in the visible 'Header From' address for successful authentication. If one aligns, DMARC passes.
• Bounce management functionality: Salesforce's Bounce Management feature is designed to monitor email delivery. Its operation typically involves redirecting the Envelope From address, which can impact SPF alignment.
• DKIM configuration: Salesforce provides specific instructions for setting up DKIM keys, enabling self-service configuration for Sales and Service Cloud to ensure email signing with your domain.
• One-click unsubscribe: Recent sender guidelines from major mailbox providers like Google and Yahoo mandate one-click unsubscribe headers for bulk marketing email, but not explicitly for transactional messages. This is based on RFC 8058.

Key considerations

• Verify Envelope From: When troubleshooting SPF, always identify the exact domain used in the 'Envelope From' (or Return-Path) header. This is the domain against which the SPF record is checked.
• Adhere to DMARC: Prioritize DMARC compliance. If your DKIM setup is correct and aligned, it typically satisfies the DMARC authentication requirement, ensuring your emails are delivered even if SPF does not explicitly align.
• Understand email types: Distinguish between transactional and marketing emails. The stricter requirements for list-unsubscribe headers and one-click unsubscribe links apply predominantly to marketing communications.
• Configure DKIM correctly: Ensure you follow Salesforce's official guidance for setting up DKIM keys. Proper DKIM signing is crucial for establishing your domain's identity and reputation. Salesforce's guide on Bounce Management Explained is a key resource.