How to configure SFMC to send on behalf of sales reps with DKIM/DMARC authentication?

Key findings

• Doability: Sending on behalf of sales reps from SFMC with DKIM and DMARC authentication is achievable without conflict, even if the domain is also used for G-Suite or Salesforce CRM.
• Authentication mechanisms: The primary solution involves configuring both a Sender Authentication Package (SAP) using a subdomain (e.g., e.domain.com) and a private domain for the top-level domain (e.g., domain.com) to properly sign messages.
• DMARC reliance: DMARC authentication often relies on DKIM being set up properly through the private domain, as SFMC's SPF validation is typically checked at the return-path level, not the 'from' domain's SPF record.
• Reply-to addresses: Using a 'reply-to' address that differs from the primary sending domain can lead to recipient confusion and potential deliverability issues.
• Multi-domain support: For sending from multiple corporate domains (e.g., domain1.com and domain2.com), adding each as a private domain will enable DKIM signing, generally sufficient for DMARC pass even if SPF doesn't align.

Key considerations

• Integrated setup: A full SAP and private domain configuration is generally required for proper authentication; half-measures are not effective.
• Subdomain strategy: Using a dedicated subdomain for the SAP (e.g., email.domain.com) isolates SFMC's tracking and bounce domains from your primary corporate domain, reducing potential conflicts.
• SPF implications: While SFMC's SPF is handled at the bounce domain, external SPF records for the top-level domain should still be managed for other sending systems (like G-Suite or CRM). For SFMC, SPF alignment is less critical than DKIM for DMARC pass when using private domains.
• RMM deactivation: Official Salesforce recommendations may include deactivating Reply Mail Management (RMM) for certain configurations to avoid unexpected behaviors.
• Multi-bounce domain: Enabling a multi-bounce domain setting within SFMC (MID or enterprise level) can potentially help SPF match the 'from' domain for multiple sending domains, but this is a complex configuration that warrants careful discussion with Salesforce support.

Key opinions

• Domain overlap concerns: Many marketers express concern about potential conflicts when the primary company domain is used across multiple sending platforms like SFMC, G-Suite, and Salesforce CRM.
• Configuration clarification: There's often confusion regarding whether both a Sender Authentication Package (SAP) and a Private Domain are necessary, or if one can suffice for DMARC compliance.
• Reply-to impact: Marketers are wary of using different 'reply-to' domains, fearing it could lead to confusion for recipients or negative deliverability impacts. This is a common pitfall that can hurt domain reputation.
• SPF integration: Questions arise about whether the SFMC SPF include statement should be added to the top-level domain's existing SPF record, especially given different subdomain configurations.
• Authentication for multiple domains: Marketers often seek confirmation on whether adding multiple corporate domains as private domains will ensure DMARC authentication, even if SPF alignment isn't perfect.

Key considerations

• Comprehensive approach: Marketers should adopt the recommended SAP and Private Domain setup fully, rather than attempting partial implementations, for reliable authentication.
• Recipient experience: Prioritize a consistent 'from' and 'reply-to' experience to prevent recipients from adding incorrect addresses to their address books, which can lead to future communication issues.
• Understanding SPF in SFMC: It's important to grasp that SFMC's SPF validation mechanisms differ from standard practices, primarily focusing on the return-path domain, meaning the top-level domain's SPF record may not require SFMC-specific includes.
• DMARC for brand identity: Ensuring DMARC passes, primarily through DKIM alignment, is crucial for displaying the correct sender domain and building trust with recipients. Marketers should refer to a simple guide to DMARC, SPF, and DKIM to clarify concepts.
• Official guidance: Marketers should consult official Salesforce documentation or support regarding specific configurations, such as deactivating RMM or implementing multi-bounce domains, as these details can significantly impact setup.

Key opinions

• Feasibility confirmed: Experts affirm that sending emails on behalf of sales reps from SFMC with DKIM and DMARC authentication is entirely doable without creating conflicts with existing domain uses (e.g., G-Suite).
• Required setup: The recommended approach involves a complete setup: a subdomain for the Sender Authentication Package (SAP) and the top-level domain as a private domain. Partial configurations are generally not effective.
• SPF validation behavior: In SFMC, the SPF record is primarily checked at the bounce/return-path level in the email headers, meaning the top-level domain's SPF record does not typically need to include SFMC's specific SPF entries to pass DMARC.
• DMARC reliance on DKIM: DMARC will pass based on the DKIM being set up correctly via the private domain, even if SPF does not align with the 'from' domain. This is a critical point for maintaining DMARC compliance.
• Avoiding reply-to issues: Using a 'reply-to' address from a different subdomain than the 'from' address can confuse recipients and may lead to incorrect addresses being saved in their contacts, causing future communication problems.
• Multi-bounce domain complexity: While a 'multi-bounce domain' setting exists in SFMC to help SPF always match the 'from' domain across multiple domains, experts advise caution due to its complexity and recommend discussing it with SFMC support.

Key considerations

• Subdomain for SAP: Experts recommend dedicating a subdomain for the SAP (e.g., email.domain.com) to keep all SFMC-related tracking and links contained below that subdomain, minimizing impact on the main corporate domain.
• DKIM for DMARC alignment: The key to DMARC pass with SFMC, especially for corporate domains, is robust DKIM signing. The DKIM signature from the private domain must align with the 'from' domain for DMARC to authenticate successfully.
• Multiple domain strategy: For sending from additional corporate domains, adding them as private domains will ensure DKIM signing and DMARC authentication, even if SPF alignment isn't achieved for all sending sources.
• Complex configurations: Advanced scenarios, such as enabling multi-bounce domains, require careful consideration and consultation with Salesforce experts due to their potential complexity and impact on deliverability. It's important to understand why DMARC might be failing in 'on behalf of' sending.

Key findings

• SAP functionality: A Sender Authentication Package (SAP) in Salesforce Marketing Cloud is a bundle that includes a private domain, dedicated IP address, and comprehensive email authentication (SPF, DKIM, DMARC) setup.
• Private domain role: Salesforce documentation specifies that a Private Domain allows you to send emails with a 'from' address that reflects your brand and enables DKIM signing for that domain.
• DMARC requirements: DMARC authentication requires either SPF alignment or DKIM alignment (or both) to pass. This provides flexibility for organizations with complex sending architectures. You can explore the benefits of implementing DMARC to improve deliverability.
• SPF and Return-Path: Standard SPF checks typically validate the return-path domain. In SFMC, the bounce domain is part of the SAP setup and typically handles this validation.
• Reply Mail Management (RMM): Salesforce documentation may advise specific settings for RMM, or its deactivation, depending on the desired email flow and 'on behalf of' sending configuration.

Key considerations

• Comprehensive authentication: Ensure all three authentication protocols (SPF, DKIM, DMARC) are configured correctly as per SFMC's specific instructions for the SAP and private domains to maximize inbox placement and minimize blocklist occurrences.
• Domain delegation: Properly delegate the subdomain used for SAP to Salesforce's ExactTarget environment through DNS records.
• Brand consistency: The 'from' address should align with the domain authenticated by DKIM (via the private domain) to achieve DMARC compliance and a consistent sender identity.
• Multi-domain strategy: When sending from multiple corporate domains, each domain should be added as a private domain within SFMC to ensure individual DKIM signing and DMARC pass for that specific 'from' domain.
• Monitoring: Regularly monitor DMARC reports to identify any authentication failures or discrepancies, allowing for timely adjustments to your configuration. This is key for maintaining high deliverability rates and avoiding email blacklists.