Setting SPF and DKIM for Salesforce

When using an external email sender, like Salesforce, to send emails from addresses within your domain, it’s crucial to set up SPF and DKIM. Without these configurations, recipients’ inboxes may flag the emails as potential spoofing attempts. The impact varies: some corporate email servers automatically delete such emails, while others redirect them to the spam folder.

DKIM (RFC 6376) signs email messages cryptographically, and unlike SPF, the signature survives email forwarding — which is why DMARC alignment via DKIM is more reliable than SPF alignment for forwarded mail and mailing lists.

SPF Record for Salesforce

By default, Salesforce uses its own domain in the ‘Return-Path’ address, triggering DMARC to fail with respect to SPF. This disables the ‘Bounce Management’ and ‘Email Security Compliance’ from your Salesforce admin console.

Please note that if you disable Bounce Management, then Salesforce will stop handling your bounced addresses automatically. Rather, you will receive all the bounces or failed email deliveries to your address. 

Here’s how to set up SPF for Salesforce-

• Step 1: Click on Setup > Email Administration > Deliverability.

• Step 2: Unselect the checkbox that reads ‘Activate Bounce Management.’

• Step 3: Unselect the checkbox that reads ‘Enable compliance with standard email security mechanisms.’

• Step 4: Click ‘Save.’

• Step 5: Add Salesforce SPF mechanism “include:_spf.salesforce.com” to your SPF Record.

• Step 6: Log in to your domain provider’s platform and update the DNS TXT record for SPF.

Ensure there is only one SPF record corresponding to your domain; the existence of multiple records invalidates all of them, jeopardizing your domain’s security. Do include all the IPs, ESPs, and third-party vendors’ sending sources in a single record. If you spot multiple records, merge them into one, as shown here. 

DKIM Record for Salesforce

Here’s how to set up DKIM for Salesforce-

• Step 1: Click on Setup > Email Administration > DKIM Keys.

• Step 2: Generate a new DKIM key with Salesforce.

• Step 3: Click ‘Save.’

• Step 4: Go “Back to List” and click on your added selector.

• Step 5: Copy the CNAME records and add them to your DNS.

• Step 6: Once the changes are reflected, click ‘Activate.’

General DKIM-Key Best Practices

Adhering to the following best practices keeps your DKIM keys strong and less vulnerable to exploits.

• Key Length: The minimum key length should be 1024 bits, and 2048 bits and higher are even better. Shorter keys can be cracked in 72 hours using simple cloud services.

• Rotation: Rotate your keys at least twice a year so that malicious actors are not able to exploit them for long if they happen to crack them. 

• Expiration: Check and ensure the signatures’ expiration period is greater than the key’s rotation period.

• Test mode: The “t=y” declaration is for testing purposes only. Experience has shown that several mail providers ignore the DKIM signature when they detect “t=y.” This mode should be used only for a brief period during the initial DKIM ramp-up phase.

• Monitoring: To further strengthen your email infrastructure, deploy DMARC so that you can start receiving DMARC reports. These reports include insights into your domain’s email activities, allowing you to adjust email authentication protocols as and when required. 

For any assistance, on email security setups feel free to talk to us.