How do I align SPF and DKIM in Salesforce Service Cloud, and is it necessary if DKIM is already aligned?
Summary
What email marketers say7Marketer opinions
Email marketer from Mailtrap blog explains with third-party senders (like Salesforce), SPF can get complicated because they are sending email on your behalf. To fix this, you'll need to add the third party to your SPF record. Also adding to your record that DKIM alignment is important as it doesn't suffer the same problems as SPF.
Email marketer from Stack Overflow discusses that it may be necessary to adjust the SPF record to include Salesforce's sending IPs or domains, but warns against adding 'a' records for the main domain. Instead include the relevant Salesforce SPF records using 'include:_spf.salesforce.com'. If DKIM is setup it may be easier to maintain.
Email marketer from DMARCly discusses DKIM is a more important factor for improving email deliverability. DKIM is preferred over SPF. Even if SPF isn't aligned, passing DKIM can prevent the email from going to spam.
Email marketer from Reddit notes the challenges of getting SPF and DKIM to work correctly with Salesforce, especially when using multiple sending sources. The user suggests focusing on getting DKIM aligned first, as it offers a more robust authentication method. They point out needing to ensure DKIM keys are properly provisioned within Salesforce and that the correct DNS records are published.
Email marketer from EmailGeeks forum shares that they struggled with SPF alignment because Salesforce was using a different 'envelope from' domain. They were advised that the best way to align SPF is to configure Salesforce to use a subdomain of their own for the bounce address and then create a specific SPF record for that subdomain.
Marketer from Email Geeks shares that if bounce management is enabled in Salesforce, SPF alignment will not be possible. They suggest removing bounce management in SFDC.
Marketer from Email Geeks mentions that you can't setup one-click unsubscribe in Sales and Service Cloud because you're not supposed to be sending bulk email through it, only transactional.
What the experts say5Expert opinions
Expert from Email Geeks explains that to align SPF with Salesforce Service Cloud, Salesforce needs to change the domain they're using in the envelope from to a subdomain of the sender's domain (e.g., bounce.sfsc.mydomain.com). Then, publish an SPF record for that subdomain that includes Salesforce's SPF record, or create a CNAME record.
Expert from Word to the Wise forums suggests reviewing the 'Return-Path' or 'envelope from' address, as this is what SPF checks against. The user suggests ensuring that the sending domain matches the authorized domain in the SPF record. The user also suggests DKIM should be properly aligned and setup. However, while DKIM helps, it doesn't completely negate the need for correct SPF configuration.
Expert from Spam Resource forum states that Salesforce often requires specific SPF configurations due to their sending infrastructure. They recommend checking Salesforce's documentation for the correct SPF include statement (usually `include:_spf.salesforce.com`). If DKIM is implemented correctly and aligned, it can often mitigate SPF failures but SPF is still a basic requirement to pass.
Expert from Email Geeks states that the one-click unsubscribe link is in the headers and needs to be added and managed by Salesforce.
Expert from Email Geeks, with agreement from Faisal Misle, mentions that SPF alignment may not be as critical if DKIM passes and aligns. Faisal adds that they work for a DMARC vendor, and none of their customers align Salesforce for SPF as long as DKIM is passing and aligned because they want Salesforce to handle bounce management
What the documentation says4Technical articles
Documentation from Salesforce Help explains that to ensure SPF alignment, the domain used in the 'envelope from' address must match the domain authorized to send mail. For DKIM alignment, the 'd' parameter in the DKIM signature must match the domain in the 'From' address. Salesforce recommends aligning both SPF and DKIM for best deliverability. If DKIM passes and aligns, it may reduce the need for SPF alignment but both are still recommended.
Documentation from Salesforce Help provides step-by-step instructions on how to generate and activate DKIM keys within Salesforce. It details navigating to the DKIM Keys section in Setup, creating a new key, publishing the DNS records, and then activating the key. This is critical for DKIM alignment.
Documentation from EasyDMARC explains that SPF alignment requires that the domain in the 'envelope from' (Return-Path) matches the domain authorized in the SPF record. DKIM alignment requires that the 'd=' tag in the DKIM signature matches the domain in the 'From:' header. They mention that while DKIM alignment is stronger, aligning both SPF and DKIM provides the best email authentication.
Documentation from AuthSMTP explains steps required to configure Salesforce to send emails from AuthSMTP. Explains to update SPF record to allow emails from Salesforce. Also DKIM alignment is important and should be configured so that you don't run into any deliverability issues.