How do I align SPF and DKIM in Salesforce Service Cloud, and is it necessary if DKIM is already aligned?

Summary

Aligning SPF and DKIM in Salesforce Service Cloud requires careful configuration of both protocols. For SPF, the 'envelope from' domain needs to match the domain authorized in the SPF record, which often involves setting up a subdomain for Salesforce to use for bounce management and including Salesforce's SPF records (include:_spf.salesforce.com). DKIM alignment involves ensuring the 'd=' tag matches the 'From:' header domain. While DKIM is considered a more robust authentication method and can mitigate some SPF failures, most sources recommend aligning both for optimal deliverability. Salesforce's bounce management can interfere with SPF alignment, and proper setup of DKIM keys within Salesforce is essential. The one-click unsubscribe links cannot be setup in Sales and Service Cloud because you're not supposed to be sending bulk email through it, only transactional.

Key findings

  • SPF Alignment Steps: Salesforce needs to change domain to send from subdomain of senders domain.
  • Importance of DKIM: DKIM is preferred over SPF as it's a more robust authentication method, however DKIM alignment is often prioritised, and can mitigate SPF failures.
  • SPF Requirements: Make sure that the domain in the 'Return-Path' or 'envelope from' address matches the authorized domain in the SPF record.
  • Bounce Management Problems: Salesforce's bounce management can prevent SPF Alignment.
  • DKIM Setup: Setting up DKIM involves provisioning DKIM keys within Salesforce and ensuring that the correct DNS records are published.
  • Transactional sending: one-click unsubscribe links cannot be setup in Sales and Service Cloud as bulk emails are not supported.

Key considerations

  • Configure Bounce Domain: If possible, configure Salesforce to use a subdomain of your domain for bounce management.
  • DKIM Key Provisioning: Be sure to properly provision DKIM keys within Salesforce and update DNS records.
  • SPF Record Maintenance: Carefully manage the SPF record, including Salesforce's SPF include and avoiding 'a' records.
  • Test configuration: Testing must be performed to ensure that emails don't go to spam.
  • DMARC validation: DKIM and SPF configuration and validation can be simplified with proper DMARC setup and validation.
  • Salesforce Documentation: Follow Salesforce specific documentation.

What email marketers say
7Marketer opinions

Aligning SPF and DKIM in Salesforce Service Cloud can be complex due to Salesforce's specific sending infrastructure and bounce management. Several sources recommend prioritizing DKIM alignment, as it's a more robust authentication method. For SPF alignment, the 'envelope from' domain must match the authorized sending domain, which may require configuring Salesforce to use a subdomain of your own for bounce addresses and updating your SPF record to include Salesforce's sending IPs or domains. If bounce management is enabled in Salesforce, SPF alignment may not be possible.

Key opinions

  • DKIM Priority: DKIM alignment is generally considered more important than SPF alignment for deliverability.
  • SPF Configuration: SPF alignment requires the 'envelope from' domain to match the authorized sending domain.
  • Bounce Management: Salesforce's bounce management can interfere with SPF alignment.
  • Subdomain Strategy: Using a subdomain for bounce addresses can help achieve SPF alignment with Salesforce.
  • Inclusion of Salesforce in SPF: The SPF record needs to include Salesforce sending domains, typically with an 'include:_spf.salesforce.com' statement.

Key considerations

  • DKIM Setup: Ensure DKIM keys are properly provisioned within Salesforce and that the correct DNS records are published.
  • SPF Record Updates: Adjust SPF record carefully, avoiding 'a' records for the main domain and using the correct 'include' statement for Salesforce.
  • Bounce Management Impact: Evaluate the impact of disabling bounce management on email deliverability tracking.
  • Domain Matching: Verify the 'envelope from' domain and ensure it matches what is authorized in the SPF record.
  • Third-Party Sending: Understand complications for SPF with third-party senders like Salesforce, requiring updates to SPF record
Marketer view

Email marketer from Mailtrap blog explains with third-party senders (like Salesforce), SPF can get complicated because they are sending email on your behalf. To fix this, you'll need to add the third party to your SPF record. Also adding to your record that DKIM alignment is important as it doesn't suffer the same problems as SPF.

August 2024 - Mailtrap Blog
Marketer view

Email marketer from Stack Overflow discusses that it may be necessary to adjust the SPF record to include Salesforce's sending IPs or domains, but warns against adding 'a' records for the main domain. Instead include the relevant Salesforce SPF records using 'include:_spf.salesforce.com'. If DKIM is setup it may be easier to maintain.

March 2024 - Stack Overflow
Marketer view

Email marketer from DMARCly discusses DKIM is a more important factor for improving email deliverability. DKIM is preferred over SPF. Even if SPF isn't aligned, passing DKIM can prevent the email from going to spam.

October 2023 - DMARCly
Marketer view

Email marketer from Reddit notes the challenges of getting SPF and DKIM to work correctly with Salesforce, especially when using multiple sending sources. The user suggests focusing on getting DKIM aligned first, as it offers a more robust authentication method. They point out needing to ensure DKIM keys are properly provisioned within Salesforce and that the correct DNS records are published.

March 2023 - Reddit
Marketer view

Email marketer from EmailGeeks forum shares that they struggled with SPF alignment because Salesforce was using a different 'envelope from' domain. They were advised that the best way to align SPF is to configure Salesforce to use a subdomain of their own for the bounce address and then create a specific SPF record for that subdomain.

April 2021 - EmailGeeks Forum
Marketer view

Marketer from Email Geeks shares that if bounce management is enabled in Salesforce, SPF alignment will not be possible. They suggest removing bounce management in SFDC.

May 2022 - Email Geeks
Marketer view

Marketer from Email Geeks mentions that you can't setup one-click unsubscribe in Sales and Service Cloud because you're not supposed to be sending bulk email through it, only transactional.

April 2023 - Email Geeks

What the experts say
5Expert opinions

Aligning SPF and DKIM in Salesforce Service Cloud involves specific configurations, including setting up a subdomain for the 'envelope from' address and ensuring the correct SPF record with Salesforce's include statement. While DKIM alignment is often prioritized and can mitigate SPF issues, proper SPF configuration remains a fundamental requirement. Several experts note the importance of checking the 'Return-Path' address and ensuring it aligns with the SPF record. One-click unsubscribe links are a separate header requirement handled by Salesforce.

Key opinions

  • Subdomain for SPF: Salesforce requires using a subdomain of the sender's domain for the 'envelope from' address to achieve SPF alignment.
  • DKIM Mitigation: While not a complete substitute, properly implemented and aligned DKIM can mitigate some SPF failures.
  • SPF Fundamental: SPF configuration is still a basic requirement for email authentication, even with DKIM in place.
  • Return-Path Check: The 'Return-Path' or 'envelope from' address is what SPF checks against.
  • Header requirement.: one-click unsubscribe links are a separate header requirement handled by Salesforce.

Key considerations

  • Salesforce Configuration: Carefully review Salesforce's documentation for specific SPF include statements and configuration requirements.
  • Domain Alignment: Ensure the domain in the 'Return-Path' or 'envelope from' address matches the authorized domain in the SPF record.
  • DKIM Setup and Alignment: Properly set up and align DKIM in addition to ensuring correct SPF configuration.
  • Prioritizing based on DMARC: Prioritize deliverability rules based on DMARC setup (but not disregarding SPF configuration).
  • SPF Alignment Steps: Salesforce needs to change domain to send from subdomain of senders domain.
Expert view

Expert from Email Geeks explains that to align SPF with Salesforce Service Cloud, Salesforce needs to change the domain they're using in the envelope from to a subdomain of the sender's domain (e.g., bounce.sfsc.mydomain.com). Then, publish an SPF record for that subdomain that includes Salesforce's SPF record, or create a CNAME record.

August 2024 - Email Geeks
Expert view

Expert from Word to the Wise forums suggests reviewing the 'Return-Path' or 'envelope from' address, as this is what SPF checks against. The user suggests ensuring that the sending domain matches the authorized domain in the SPF record. The user also suggests DKIM should be properly aligned and setup. However, while DKIM helps, it doesn't completely negate the need for correct SPF configuration.

June 2022 - Word to the Wise
Expert view

Expert from Spam Resource forum states that Salesforce often requires specific SPF configurations due to their sending infrastructure. They recommend checking Salesforce's documentation for the correct SPF include statement (usually `include:_spf.salesforce.com`). If DKIM is implemented correctly and aligned, it can often mitigate SPF failures but SPF is still a basic requirement to pass.

June 2024 - Spam Resource
Expert view

Expert from Email Geeks states that the one-click unsubscribe link is in the headers and needs to be added and managed by Salesforce.

August 2023 - Email Geeks
Expert view

Expert from Email Geeks, with agreement from Faisal Misle, mentions that SPF alignment may not be as critical if DKIM passes and aligns. Faisal adds that they work for a DMARC vendor, and none of their customers align Salesforce for SPF as long as DKIM is passing and aligned because they want Salesforce to handle bounce management

January 2025 - Email Geeks

What the documentation says
4Technical articles

Aligning SPF and DKIM in Salesforce Service Cloud involves ensuring the 'envelope from' domain matches the authorized sending domain in the SPF record and that the 'd=' tag in the DKIM signature matches the domain in the 'From:' header. Salesforce recommends aligning both SPF and DKIM for best deliverability, while others note that DKIM is stronger. Proper setup of DKIM keys within Salesforce, including generating keys, publishing DNS records, and activation, is critical. Also updating SPF records to include salesforce sending IPs.

Key findings

  • SPF Alignment Requirement: SPF alignment requires the 'envelope from' domain to match the authorized sending domain.
  • DKIM Alignment Requirement: DKIM alignment requires the 'd=' tag in the DKIM signature to match the domain in the 'From:' header.
  • Salesforce Recommendation: Salesforce recommends aligning both SPF and DKIM for optimal deliverability.
  • DKIM Setup is Critical: Generating keys, publishing DNS records and activating DKIM.
  • Update SPF: Ensure that SPF includes all IP's that send emails from Salesforce.

Key considerations

  • Domain Matching for SPF: Verify that the 'envelope from' domain is authorized in the SPF record.
  • DKIM Signature: Ensure that the 'd=' tag in the DKIM signature matches the domain in the 'From:' header.
  • Salesforce Specific Steps: Follow Salesforce's step-by-step instructions for DKIM key generation and activation.
  • Prioritising both : Align both SPF and DKIM for best deliverability
Technical article

Documentation from Salesforce Help explains that to ensure SPF alignment, the domain used in the 'envelope from' address must match the domain authorized to send mail. For DKIM alignment, the 'd' parameter in the DKIM signature must match the domain in the 'From' address. Salesforce recommends aligning both SPF and DKIM for best deliverability. If DKIM passes and aligns, it may reduce the need for SPF alignment but both are still recommended.

September 2024 - Salesforce Help
Technical article

Documentation from Salesforce Help provides step-by-step instructions on how to generate and activate DKIM keys within Salesforce. It details navigating to the DKIM Keys section in Setup, creating a new key, publishing the DNS records, and then activating the key. This is critical for DKIM alignment.

November 2022 - Salesforce Help
Technical article

Documentation from EasyDMARC explains that SPF alignment requires that the domain in the 'envelope from' (Return-Path) matches the domain authorized in the SPF record. DKIM alignment requires that the 'd=' tag in the DKIM signature matches the domain in the 'From:' header. They mention that while DKIM alignment is stronger, aligning both SPF and DKIM provides the best email authentication.

December 2021 - EasyDMARC
Technical article

Documentation from AuthSMTP explains steps required to configure Salesforce to send emails from AuthSMTP. Explains to update SPF record to allow emails from Salesforce. Also DKIM alignment is important and should be configured so that you don't run into any deliverability issues.

March 2024 - AuthSMTP