Salesforce email authentication for Marketing Cloud

Broadly speaking, email authentication is a procedure that allows companies to securely send messages and collaborate with recipients’ email servers to verify the authenticity of the sender and the legitimacy of the message.

If you use Marketing Cloud to send emails, it is imperative to take SPF, DKIM, and DMARC settings into account to ensure proper delivery. In this guide, we will examine each authentication method and provide step-by-step instructions for implementing SPF and DKIM policies.

How does email authentication work?

SPF verifies that the email originates from an authorized sender , while DKIM authenticates the email by comparing and validating public and private keys.

Autenticación email Marketing Cloud

Why is it advisable to implement authentication protocols?

There are several reasons to adopt these protocols:

  • The correct implementation of SPF, DKIM and DMARC can safeguard the reputation of your brand and strengthen the trust of clients and leads .
  • These authentication methods affect the deliverability of mail . Improper configuration of email authentication protocols increases the likelihood that customers will not receive emails and, therefore, that they will end up in the spam folder.
  • They prevent phishing attempts by allowing mail servers to reject messages that have not been genuinely generated by your company.

How to configure SPF and DKIM in Marketing Cloud

The email authentication process is different in Marketing Cloud, compared to Pardot and Salesforce .

Sender authentication package

The first step in setting up Marketing Cloud email deliverability is to configure the Sender Authentication Package (SAP) (your organization must purchase one from Salesforce, so contact your account executive for options). ). SAP will allow you:

  • Send authenticated emails from Salesforce, on behalf of your domain.
  • Set the click path on links and the location of images on your company’s domain.
  • Assign a dedicated IP* to your SFMC configuration .
  • Configure response email management .

*Although shared IP configuration is also possible, the steps described here focus on dedicated IPs.

SAP requires that you choose a domain or subdomain that will be assigned for your use by the SAP team . Both SPF and DKIM authentication will be configured by Salesforce as part of the SAP package.

Portada SFMC email

IP warm-up period

When SAP is configured, you will need to “warm up” the IP address. Once the email servers have received the email from the new IP address, they will need some time to get used to it. They will evaluate your domain based on the volume of messages you send and how users interact with your messages.

Dedicated IP and reputation

When using a dedicated IP, deliverability will depend on the reputation of the sender. Over time, you can build your reputation by, for example, avoiding shipping practices that damage your reputation, as these can have long-lasting effects.

Critical factors that can affect your reputation are:

  • Subscriber Engagement: How do subscribers react to emails over time? Do they open the message and are interested in it, do they send it to the trash or complain about spam?
  • Legitimacy: Can the receiving domain validate that you have the right to send from the sending domain you are using?
  • Blacklists: Are you on blacklists?
  • Frequency: How many emails are sent in a specific time period? Tolerance will be higher for “regular” senders than for “new” IPs
  • Regulatory Compliance: Are you compliant with CAN-SPAM and other regulations? These establish rules for the content of the email, such as the inclusion of a physical postal address and an unsubscribe link. How did you get the email address data?
  • Caught SPAM: How many emails bounce or get caught by spam filters?

If you carry out bad practices, your emails may be reported, which may cause your IP to be blacklisted or temporarily deleted. If you suspect you have reputation problems, check to see if your IP address is on a blacklist and if it is, you can ask to be removed from the list.

Troubleshoot Marketing Cloud email delivery issues

Marketing databases can come from legacy systems. Here’s how to identify and fix problems:

Email Studio Reports: These reports track email performance and analyze domain issues. Must take into account:

  • Bounce rate and delivery rate: Block bounces and hard bounces are telltale signs of poor listing quality and domain/reputation issues. Try to achieve delivery rates greater than 99.5%; Anything less than 98% indicates you have a deliverability problem.
  • Click rate: A good click rate indicates that emails are received and subscribers are interacting with the content. Some receiving domains do not report deliverability to Salesforce Marketing Cloud (this can occur when blocked by Microsoft-related domains).
  • Tracking report for a job ID (My tracking): Provides the basic data (volume, bounces, clicks, etc.) of an email sending. Multiple submissions/job IDs can be selected to compare results. Journey Builder also has email analytics when you click on a Journey’s email.
  • Email Performance by Domain and Email Performance for All Domains: Provides a breakdown, by domain, for a specific send. This is useful to analyze if you have domain-specific deliverability issues.
  • Bounce events extraction file: Provides detailed SMTP error codes for each bounced email. This is generated from Automation Studio activities, select: New → Data Extract (more instructions here). Note: This feature must be enabled by Salesforce Support.
  • Spam complaints over time : If you receive spam complaints from subscribers, this may result in a (temporary) block. Some email service providers (Hotmail, Gmail, Yahoo) have “spam compatible” buttons on their interface.

Register a case with Salesforce Support : If you complete the necessary tasks to reduce poor delivery patterns and are specific in your case description, there should be no issues, but if domain-specific issues arise, the Salesforce Support can help you analyze them and even contact your email service provider to mitigate them.

Mitigate Marketing Cloud deliverability issues

  • Frequency: Send emails only to people who have opted to receive them. You can define your own rules, for example, “You have clicked >5 times in the last 6 months” or “You have received <5 emails in the last 7 days.” Alternatively, you can take advantage of Einstein Email Frequency to let the AI ​​calculate “oversaturated” subscribers in a more sophisticated way.
  • Delete subscribers : With no engagement in the last x months/years, you should delete these subscribers from receiving emails. You don’t have to delete these subscribers immediately; Create a campaign with all inactive subscribers to evaluate if they re-engage.
  • Content testing: Test your email to evaluate whether the content will trigger spam filters in actual emails.
  • Add DMARC to your DNS : Salesforce will configure SPF and DKIM authentication as part of the sender authentication package. What about DMARC? It is not included in SAP, so it must be implemented separately. Who can make the changes will depend on whether you have chosen to manage the domain’s DNS yourself or have delegated this task to Salesforce.
  • Data Cleansing Services: Use these services to check if email addresses are still valid.
  • Saturation: Avoid sending large volumes of email at once.

Email authentication is an essential part of secure communication with recipients. If you are still having trouble validating your SPF or DKIM records in Marketing Cloud, please contact us and we will be happy to help.


If you liked this article, you might also be interested in:

Últimas entradas
Suscríbete a nuestra newsletter

Post relacionados de Salesforce Email Authentication que pueden ser de tu interés