Salesforce Email Deliverability Tips (All you need to know about SPF, DKIM and DMARC)

Salesforce Email Deliverability Tips (All you need to know about SPF, DKIM and DMARC)


Email remains a cornerstone of modern communication despite its origins dating back to the early 2000s. The Covid-19 pandemic underscored its enduring importance, with email volumes doubling and sustaining growth ever since. However, ensuring emails sent through platforms like Salesforce reach their intended recipients and avoid spam filters requires diligent attention to security and authentication protocols.

In the world of Salesforce, adapting to enhance email deliverability is critical. Similar to the rollout of Multi-Factor Authentication (MFA), neglecting these aspects could jeopardize effective communication channels. This guide explores essential strategies and best practices to bolster Salesforce email deliverability, focusing on key protocols such as BCC Email, SPF, DKIM, and DMARC.

Strategies to Enhance Salesforce Email Deliverability:

Email deliverability is an individual’s email reaching its intended recipient. To improve the deliverability of email you send through Salesforce, Salesforce has several settings and compliance options.

  • Compliance BCC – a simple solution to track and understand the emails being sent from Salesforce.
  • SPF – verify that Salesforce is authorized to send emails on your behalf.
  • DKIM – Ensures that your emails have not been tampered with from the time they are sent until they reach the recipient’s email server.
  • DMARC – Instructs other email systems to reject messages that do not come from a trusted source.

Compliance BCC Email

Start by setting up Compliance BCC in Salesforce. This feature provides visibility into all emails sent from the platform, including automated alerts triggered by workflows or individual communications. Designate a dedicated email address, such as, to receive copies of these emails. This proactive measure allows administrators to track email activity and troubleshoot delivery issues promptly.

To enable compliance BCC emails :

  1. From the Setup menu, type Compliance BCC Email into the Quick Find search bar, and then choose Compliance BCC Email from the results.
  2. Select the Enable checkbox.
  3. Enter your compliance email address.

Click Save.

SPF (Sender Policy Framework)

Implementing Sender Policy Framework (SPF) is crucial for email authentication. SPF verifies that Salesforce is authorized to send emails on behalf of your domain, significantly reducing the risk of emails being flagged as spam or rejected by recipient servers.

SPF helps prevent spammers from sending emails on behalf of your domain. Here’s how to set it up:

  1. Access Your Domain’s DNS Settings
    • Log in to your domain registrar or hosting provider’s control panel.
    • Navigate to the DNS management or DNS settings section.
  2. Add a TXT Record
    • Locate the option to add a new TXT record.
    • Enter the following details:
      • Name/Host/Alias: @ or your domain name
      • Value: v=spf1 ~all
    • Save the changes.

This configuration informs email servers that Salesforce is a trusted sender for your domain, enhancing email credibility and deliverability.

How SPF Works

At the most basic level, SPF email establishes a method for receiving servers to verify that incoming email from a domain was sent from a host authorized by that domain’s administrators.

Here are three steps that explain how SPF functions work:

  1. A domain administrator creates a policy that specifies which mail servers are permitted to send emails from that domain. This policy, known as an SPF record, is included in the domain’s DNS records.

  2. When an incoming mail server receives an email, it checks the DNS for the rules of the bounce (Return-Path) domain. The server then compares the sender’s IP address with the authorized IP addresses listed in the SPF record.

  3. Based on the rules in the sending domain’s SPF record, the receiving mail server determines whether to accept, reject, or flag the email.

DomainKeys Identified Mail (DKIM) Definition & Salesforce Setup :

DKIM (DomainKeys Identified Mail) is a protocol that adds a digital signature to emails sent from Salesforce. This signature verifies that the email content remains unchanged from the sender to the recipient, enhancing email security and authenticity. Follow these steps to set up DKIM in Salesforce:

  1. Navigate to Setup:
    • Log in to your Salesforce account and navigate to Setup by clicking on your profile icon and selecting Setup from the dropdown menu.

  2. Access Email Settings:
    • In the Quick Find box, type “DKIM” and select “DKIM Keys” under the Email section.

  3. Generate DKIM Keys:
    • Click on the “Create New Key” button to generate a new DKIM key for your domain.

  4. Enter DKIM Key Details:
      • Fill out the following details for the DKIM key:
        • Key Size: Select a key size. It’s recommended to use 2048-bit for enhanced security.
        • Selector: Choose a selector name. This is typically a short alphanumeric string (e.g., “sf1”).
        • Alternate Selector: Optionally, you can provide an alternate selector name (e.g., “sf2”).
        • Domain: Enter the domain name from which you are sending emails (e.g.,
        • Domain Match: Choose the appropriate option based on your email sending practices:
          • “Exact Domain” if emails are sent from the main domain (e.g.,
          • Other options if emails are sent from subdomains or other configurations.

  5. Save the DKIM Key:
    • After entering the details, click “Save” to generate and save the DKIM key in Salesforce.

  6. Configure DNS Settings:
    • Now, you need to configure DNS settings for DKIM. Salesforce provides you with CNAME records that you must add to your domain’s DNS settings.
    • Salesforce will display the CNAME record details required for DKIM setup. These records typically look like:

      Name: [selector]

      Target/Value: [DKIM Key provided by Salesforce]

  7. Add CNAME Records to DNS:
      • Log in to your domain’s DNS management portal (provided by your domain registrar or hosting provider).
      • Add the CNAME records provided by Salesforce to your DNS settings. This typically involves:
        • Setting the Name or Host field to the selector and domain information provided by Salesforce.
        • Setting the Target or Points To field to the DKIM key value provided by Salesforce.

  8. Publish DKIM Keys:
    • After adding the CNAME records, publish the DKIM keys in your DNS settings. This action ensures that recipient email servers can verify the DKIM signatures when emails are sent from Salesforce.

  9. Activate DKIM Keys:
    • Return to Salesforce Setup → Email → DKIM Keys.
    • Click on the selector (e.g., “sf1”) you configured earlier.
    • Click “Activate” to activate the DKIM key.

  10. Verification and Propagation:
    • It may take up to 48 hours for DNS changes, including DKIM records, to propagate across the internet. During this time, monitor the DKIM setup for any issues or errors.

  11. Confirmation:
    • Once DNS propagation is complete, verify the DKIM setup by sending test emails and checking DKIM signatures in the email headers.

By following these steps, you can successfully set up DKIM for your Salesforce organization, enhancing email security and ensuring that emails sent from Salesforce are authenticated and trusted by recipient email servers.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC is an essential email authentication, policy, and reporting protocol built on top of SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). If neither SPF nor DKIM authentication passes, the DMARC policy dictates the action to take with the email. Salesforce recommends and supports DMARC, but its implementation is up to you.

For DMARC to function effectively, you need both SPF and DKIM records set up for all email-sending sources in your domain. Configuring your DNS is a critical part of this setup. Here are the basic components for constructing a DMARC string:

  1. Version:
    • v=DMARC1: This signifies the DMARC version number, which is currently 1.

  2. Policy Options:
    • p=none: Allows the email through even if it doesn’t align with SPF and/or DKIM, recommended initially for identifying all email-sending sources.
    • p=quarantine: Recommends the receiving server to quarantine the email if it doesn’t align with SPF and/or DKIM.
    • p=reject: Recommends the receiving server to reject the email if it doesn’t align with SPF and/or DKIM.

  3. SPF Alignment:
    • aspf=s: Strict SPF policy, rejecting emails if SPF is incorrect.
    • aspf=r: Relaxed SPF policy.

  4. DKIM Alignment: