Salesforce is a CRM with marketing and transactional email capabilities. This guide covers the complete email authentication stack for Salesforce: SPF, DKIM, and DMARC. Each section gives you the exact DNS records, step-by-step instructions, common pitfalls, and how to verify your setup.
Authorize Salesforce to send marketing and transactional email on behalf of your domain.
Type: TXT
Host: @
Value: v=spf1 include:_spf.salesforce.com ~all
Add include:_spf.salesforce.com to your existing SPF record.
Sign in to your Salesforce org.
Determine if you use Salesforce for standard email, Marketing Cloud, or both. Each may have different SPF requirements.
Add include:_spf.salesforce.com to your existing SPF record.
v=spf1 include:_spf.salesforce.com ~all
For better SPF alignment, configure a custom return-path (bounce) domain in Salesforce Setup under Email Administration.
Test by sending an email from Salesforce and checking the SPF result in the email headers.
v=spf1 include:_spf.google.com ~all
v=spf1 include:_spf.google.com include:_spf.salesforce.com ~all
Add include:_spf.salesforce.com to your SPF record.
Not always. Core Salesforce uses _spf.salesforce.com. Marketing Cloud may require additional includes depending on your configuration.
Yes. You can configure a custom return-path domain in Salesforce Setup to improve SPF alignment for DMARC.
Generate DKIM keys in Salesforce Setup and publish the public key in your DNS to sign outgoing email.
Type: CNAME
Host: YOUR_SELECTOR._domainkey
Value: YOUR_SELECTOR._domainkey.yourdomain.com.sf._domainkey.salesforce.com
Salesforce generates DKIM keys in Setup. The exact CNAME records depend on your configuration.
Go to Setup > search for "DKIM Keys" in the Quick Find box.
Click "Create New Key". Enter your domain, choose a selector name, and set the key size (2048-bit recommended).
Salesforce generates CNAME records for the DKIM key and an alternate key. Copy both.
Create the CNAME records in your DNS provider as shown by Salesforce.
Return to Salesforce Setup and activate the DKIM key once DNS has propagated.
Go to Setup > DKIM Keys (search in Quick Find). Click "Create New Key" to generate a key pair.
Yes. Salesforce provides a primary and alternate CNAME. You can rotate keys by publishing the alternate and switching the active key.
Use 2048-bit for maximum security. 1024-bit is acceptable if your DNS provider has record length limitations.
Publish a DMARC record to protect your domain when sending email through Salesforce.
Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1
Configure SPF with custom return-path and DKIM in Salesforce before enforcing.
Ensure both SPF and DKIM are configured. Use a custom return-path domain for SPF alignment.
Send test emails from Salesforce and verify SPF and DKIM pass with alignment in the email headers.
Add a TXT record at _dmarc.yourdomain.com.
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1
Analyze DMARC aggregate reports for several weeks to confirm alignment.
Move from p=none to p=quarantine to p=reject.
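The header check in the steps above can be scripted. The following is an added example, not part of the original guide or any Salesforce tooling: it reads the Authentication-Results header of a received test message and reports whether SPF or DKIM passed with relaxed alignment, which is the default when the DMARC record sets no aspf or adkim tag. All domains, the selector, and the sample messages are constructed placeholders, and the organizational-domain logic is a labelled simplification.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Simplification: the last two labels stand in for the organizational
    # domain. Receivers use the Public Suffix List (needed for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_alignment(raw_message):
    """Evaluate relaxed DMARC alignment from a received message's headers."""
    msg = message_from_string(raw_message)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2]
    # Unfold and join every Authentication-Results header into one string.
    ar = re.sub(r"\s+", " ", " ".join(msg.get_all("Authentication-Results", [])))
    out = {"from_domain": from_dom, "spf_aligned": False, "dkim_aligned": False}
    # SPF counts only if it passed AND the envelope sender aligns with From.
    m = re.search(r"\bspf=pass\b[^;]*?\bsmtp\.mailfrom=([^\s;]+)", ar)
    if m:
        envelope_dom = m.group(1).rpartition("@")[2]
        out["spf_aligned"] = org_domain(envelope_dom) == org_domain(from_dom)
    # DKIM counts if any passing signature's d= domain aligns with From.
    for m in re.finditer(r"\bdkim=pass\b[^;]*?\bheader\.d=([^\s;]+)", ar):
        if org_domain(m.group(1)) == org_domain(from_dom):
            out["dkim_aligned"] = True
    out["dmarc_pass"] = out["spf_aligned"] or out["dkim_aligned"]
    return out

def sample(spf_mailfrom, dkim_clause):
    # Constructed test message; every domain here is a placeholder.
    return (
        "Authentication-Results: mx.receiver.example;\n"
        f" spf=pass smtp.mailfrom={spf_mailfrom};\n"
        f" {dkim_clause}\n"
        "From: Sales Team <sales@example.com>\n"
        "Subject: alignment test\n\nbody\n"
    )

# Shared return-path, DKIM key active: SPF passes unaligned, DKIM carries DMARC.
DKIM_ONLY = sample("bounce@bounce.provider.example",
                   "dkim=pass header.d=example.com header.s=sel1")
# Custom return-path on the sending domain, no DKIM signature.
SPF_ONLY = sample("bounce@bounce.example.com", "dkim=none")
# Shared return-path and no DKIM: SPF "pass" alone does not satisfy DMARC.
NEITHER = sample("bounce@bounce.provider.example", "dkim=none")

if __name__ == "__main__":
    for name, raw in [("dkim_only", DKIM_ONLY), ("spf_only", SPF_ONLY), ("neither", NEITHER)]:
        print(name, dmarc_alignment(raw))
```

The third case is the one to watch for before moving past p=none: the receiver reports spf=pass, yet the message would fail DMARC because the passing domain is not the From domain.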
Yes. DKIM provides alignment when keys are configured. SPF alignment requires a custom return-path domain.
DMARC is per domain, not per service. One record covers all email from your domain. But both services must be authenticated.
If SPF and DKIM are properly configured, no. Automated emails use the same authentication as manual ones.
Once your SPF, DKIM, and DMARC records are in place, run a full domain scan to confirm everything is configured correctly. DNS changes typically propagate within minutes but can take up to 48 hours.