Source Guide: Salesforce
Last updated on November 15, 2023, to address alignment issues.
This guide describes the process for configuring Salesforce to send DMARC-compliant messages. You will need to configure this source, and others that send on your behalf, before advancing your DMARC policies to a more restrictive state, e.g., quarantine and/or reject.
To bring this source into DMARC compliance, you will need access to Salesforce’s administrative account and the domain’s DNS management console.
From time to time, these instructions change with very little advance notice. Please always refer to documentation hosted by Salesforce for the most complete and accurate information.
Salesforce is customer relationship management software that brings together sales, customer service, marketing automation, analytics, and application development. Many departments, such as Sales, Marketing, IT, Support and HR, use this tool. Salesforce supports DMARC compliance through SPF and DKIM alignment.
To configure SPF, add a DNS TXT record at your domain’s DNS provider:
- Log in to the management console of your domain’s DNS provider
- Locate the page where you manage DNS records for your domain
- Add “_spf.salesforce.com” to your domain’s SPF TXT record
Salesforce notes to “only use _spf.salesforce.com as there are a variety of SPF records for the salesforce.com domain that are for other uses and are not relevant to sending mail from the Salesforce application.”
Following are examples of SPF records:
- v=spf1 include:_spf.salesforce.com ~all
- v=spf1 mx ip4:126.96.36.199/28 ip4:188.8.131.52/28 ip4:184.108.40.206/28 ip4:220.127.116.11/31 ip4:18.104.22.168/31 include:_spf.salesforce.com ~all
Note: If you encounter SPF alignment issues and your MAIL FROM domain shows bnc.salesforce.com, Salesforce cannot make these emails pass SPF alignment, because the MAIL FROM domain is not your own domain, so there’s no need to add Salesforce to your SPF record. Alternatively, you may need to disable the Bounce Management and Email Security Compliance features in your Salesforce account settings. See Salesforce’s article for more information.
Reference: Salesforce’s SPF directions
Before you start with DKIM, make sure you have the user permissions to Manage DKIM keys.
To configure DKIM:
- From Setup, enter “DKIM Keys” in the Quick Find box, and then select DKIM Keys.
- Click Create New Key.
- Select the RSA key size. We recommend using a 2048-bit key whenever possible.
- For Selector, enter a unique name.
- For Alternate Selector, enter a unique name. The alternate selector allows Salesforce to auto-rotate your keys.
- Enter your domain name.
- Select the type of domain match you want to use.
- Click Save. Salesforce publishes your TXT records to DNS. Your CNAME and alternate CNAME records appear on the DKIM Key Details page when the DNS publication is complete. It can take time for DNS publication to finish.
- Publish the CNAME and alternate CNAME records to your domain’s DNS.
- Select Activate on the DKIM Key Details page.
Reference: Salesforce’s DKIM directions
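The alignment rule behind the SPF note and the DKIM setup above, as an added example (not code from Salesforce or dmarcian): it evaluates DMARC alignment for constructed messages and shows why a bnc.salesforce.com MAIL FROM only reaches a DMARC pass through an aligned DKIM signature. The domain example.com, the bounce.example.com MAIL FROM and the two-label organizational-domain shortcut are assumptions.

```python
# Added example: DMARC identifier alignment as defined in RFC 7489.
# Every domain and result below is a constructed sample value.

def org_domain(domain):
    """Simplified organizational domain: the last two labels.
    Assumption: production evaluators consult the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    """mode 'r' (relaxed): same organizational domain; 's' (strict): exact match."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_eval(from_domain, mail_from, spf_result, dkim_sigs, aspf="r", adkim="r"):
    """dkim_sigs is a list of (d= domain, result) pairs, one per signature.
    DMARC passes when SPF or DKIM both passes and aligns with the From domain."""
    spf_ok = spf_result == "pass" and aligned(mail_from, from_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(d, from_domain, adkim)
                  for d, res in dkim_sigs)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok}

# Constructed messages, all with header From: user@example.com
CASES = [
    ("bounce domain, no DKIM",
     dict(mail_from="bnc.salesforce.com", spf_result="pass", dkim_sigs=[])),
    ("bounce domain, DKIM key active",
     dict(mail_from="bnc.salesforce.com", spf_result="pass",
          dkim_sigs=[("example.com", "pass")])),
    ("MAIL FROM in own domain, no DKIM",
     dict(mail_from="bounce.example.com", spf_result="pass", dkim_sigs=[])),
]

if __name__ == "__main__":
    for label, msg in CASES:
        print(label, dmarc_eval("example.com", **msg))
```

Passing `aspf="s"` or `adkim="s"` applies strict alignment, under which a subdomain such as bounce.example.com no longer aligns with example.com.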
If you have a dmarcian account, it may take a few days to see these changes reflected in the dmarcian platform. You can look in the Detail Viewer (shown below) to check SPF and DKIM alignment required for DMARC.