In simple terms, email authentication is a process that enables businesses to send messages securely. It also works with recipients’ email servers to determine if a message comes from a real account and if the sender is legitimate.
If you use Salesforce to send emails, it’s essential to consider your SPF, DKIM, and DMARC settings to ensure they are delivered correctly.
In this guide, we’ll review each authentication method and provide guidelines for implementing SPF and DKIM policies in Salesforce.
Email authentication definitions
- DMARC (Domain-based Message Authentication, Reporting, and Conformance): It was created so that domain owners can control their email domain and prevent unauthorized use (email spoofing). This protocol tells receiving email servers how to handle emails that claim to come from the company’s domain but fail authentication.
- DKIM (DomainKeys Identified Mail): A protocol that allows a company to take responsibility for the transmission of a message by signing it, so that mailbox providers can verify it. DKIM therefore requires a public key published in DNS; the recipient’s email server uses that key to verify the signature, which was created with the corresponding private key.
- SPF (Sender Policy Framework): An email authentication technique used to prevent spammers from sending messages on behalf of your domain. As with DKIM, you configure SPF by adding a record to your DNS, in this case to authorize Pardot or Salesforce to send emails from the company’s own domain.
These protocols originated as measures to strengthen the security of the Simple Mail Transfer Protocol (SMTP) and address the rise of spam, since SMTP itself lacks authentication mechanisms. Each protocol has its own configuration and must be implemented and verified before sending emails from each platform.
How does email authentication work?
SPF confirms that the email was sent from an authorized sender, while DKIM authenticates the email by checking its signature, created with the sender’s private key, against the public key published in DNS.
Why is it advisable to implement authentication protocols?
There are multiple reasons why we should implement these protocols:
- The proper implementation of SPF, DKIM and DMARC can save the reputation of your brand, as well as the trust of your clients and leads.
- They affect email deliverability. If email authentication protocols are not configured properly, there is a high probability that emails will not reach customers and will end up in the spam folder instead.
- These email authentication methods prevent phishing attempts by allowing email servers to reject messages that were not actually generated by your company.
Preparing to configure SPF/DKIM
Before starting the SPF and DKIM adjustment process, it is crucial to establish contact with the IT department. This will allow you to obtain a list of available domains and understand in detail the procedure necessary to make changes to the DNS. The time required for this process may vary, estimated between 2 and 4 weeks, depending on internal IT policy.
How to configure SPF and DKIM in Salesforce
1. Settings > search for “DKIM” > navigate to DKIM Keys in Email > click Generate New Key.
2. Fill in the required fields Selector, Alternate Selector and Domain > select the preferred Domain Matching policy.
3. Once published, you should see the following message “Salesforce has published the TXT records for this DKIM key to DNS. Before activating this key, add the CNAME and Alternate CNAME records to DNS for your domain.” Copy the values from the CNAME and Alternate CNAME records > send to IT in step 4.
4. Update the text below with the appropriate information for your organization and send it to the IT team.
Hello [name],
I’m working with the Salesforce team to allow Salesforce to send emails from @yourdomain.com. To ensure high email deliverability, we need to make the following changes.
We need to configure SPF and DKIM so that Salesforce is authorized to send emails on our behalf.
- To configure SPF, you must add the following to your DNS entries:
  - Type: TXT
  - Entry: v=spf1 mx include:_spf.salesforce.com ~all
  - If an SPF record already exists in the DNS entry, just add the following to it: include:_spf.salesforce.com
- To configure DKIM, you must create two CNAME entries:
  - CNAME record
    - Domain: [insert host record here]._domainkey.yourdomain.com
    - Type: CNAME
    - Input: [enter host value here].
  - Alternate CNAME record
    - Domain: [insert alternate host record here]._domainkey.yourdomain.com
    - Type: CNAME
    - Input: [insert host value here].
Please let me know when these steps are complete so we can complete the setup process within Pardot. If you have any questions, please feel free to contact me.
Regards,
Marketing operations
When the IT team adds the CNAME entries, return to the DKIM Keys page. DNS changes can take up to 72 hours. Once Salesforce finds the relevant CNAME entries in DNS, you can click the Activate button and start sending emails from Salesforce.
If the Activate button is still gray after the IT team confirms the configuration and 72 hours have passed, you can use the DKIM Record Lookup tool to validate these records.
You can also review the published DNS record through a DNS interface, but this view will only be accessible to the IT team, so you can ask them for a screenshot.
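The SPF step in the request above can be checked before the change goes to IT. The following Python sketch is an added example, not Salesforce's or this article's own code: it merges include:_spf.salesforce.com into whatever SPF record the domain already publishes and flags common mistakes. The sample TXT records and the name `_spf.example.net` are constructed for illustration.

```python
import re

SALESFORCE_INCLUDE = "include:_spf.salesforce.com"  # mechanism named in the guide
LOOKUP_LIMIT = 10  # RFC 7208: at most 10 DNS-querying terms per SPF evaluation
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample: TXT records as IT might export them for yourdomain.com.
SAMPLE_TXT = [
    "site-verification=constructed-example-value",
    "v=spf1 mx include:_spf.example.net -all",
]


def term_name(term):
    """Strip the qualifier and argument: '~include:x' -> 'include'."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def merge_spf(txt_records, include=SALESFORCE_INCLUDE):
    """Return (record_to_publish, warnings) given a domain's current TXT records."""
    spf = [r.strip() for r in txt_records
           if re.match(r"v=spf1(\s|$)", r.strip(), re.I)]
    if len(spf) > 1:
        # Receivers treat multiple v=spf1 records as a permanent error.
        raise ValueError(f"{len(spf)} SPF records found; merge them into one first")
    if not spf:
        return f"v=spf1 mx {include} ~all", []  # the record from the guide
    terms = spf[0].split()[1:]
    if include.lower() not in [t.lower() for t in terms]:
        # Terms are evaluated left to right, so the include must precede "all".
        pos = next((i for i, t in enumerate(terms) if term_name(t) == "all"),
                   len(terms))
        terms.insert(pos, include)
    warnings = []
    lookups = sum(term_name(t) in LOOKUP_TERMS for t in terms)
    if lookups > LOOKUP_LIMIT:
        # Top-level count only; lookups inside included records also count.
        warnings.append(f"{lookups} DNS-querying terms exceed the limit of {LOOKUP_LIMIT}")
    if any(term_name(t) == "all" and t[0] in "+aA" for t in terms):
        warnings.append("'+all' authorizes every sender; use ~all or -all")
    return " ".join(["v=spf1"] + terms), warnings
```

Calling `merge_spf(SAMPLE_TXT)` returns the single record to publish in place of the existing one; a `ValueError` means the domain already has more than one SPF record and needs cleanup first.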
Email authentication is an essential part of secure communication with recipients. If you’re still having trouble validating your SPF or DKIM records in Salesforce, please contact us and we’ll be happy to help.