Enhanced Email Security in Salesforce

Enhanced Email Security in Salesforce

Gmail and Yahoo have recently unveiled modifications to their spam prevention measures, introducing new requirements for bulk email senders to enhance email security.

To ensure your emails stay clear of spam filters and adhere to best practices in email deliverability, it is crucial to update your sending domain with a verified DKIM record.

Introduction to SPF, DKIM and DMARC:

The Sender Policy Framework (SPF) functions by verifying the authorization of the sender to dispatch emails on behalf of a particular domain. This verification entails scrutinizing the IP address of the sending server in comparison to a predefined list of authorized servers for the domain.

Concurrently, DomainKeys Identified Mail (DKIM) contributes to email authentication by affixing a digital signature to emails, thereby confirming their authenticity. This process employs a pair of cryptographic keys – one private and one public – for the signing and verification of emails.

Domain-based Message Authentication, Reporting, and Conformance (DMARC) integrates SPF and DKIM to establish a comprehensive policy framework for email authentication. This amalgamation empowers domain owners to stipulate how email receivers should handle messages that fall short of meeting SPF or DKIM checks.

Salesforce SPF

SPF records should include all authorized servers, so make sure they are correctly configured. Emails sent from servers that aren’t authorized in the SPF record may fail SPF checks and be rejected by email receivers.

You should include the necessary information in your SPF record so that the domain’s servers can send emails on your behalf.

Please refer to: the Sender Policy Framework

Salesforce DKIM

DomainKeys Identified Mail (DKIM) assures that your email remains unaltered during its journey from the sender to the recipient’s email server. Introduced after SPF, DKIM represents an advancement in securing emails against tampering.

Moreover, DKIM is integrated into a domain’s DNS settings. If you cannot manage your DNS settings, coordination with your IT department is necessary for the configuration of DKIM on your behalf.

To set up DKIM in Salesforce, follow these steps:

Go to Setup and navigate to Email to select DKIM Keys.

Want to Learn Salesforce Flows?Β Checkout our Salesforce Flow Course

Configure the following settings:

  • Key Size: Opt for increased security by selecting 2048-bit. Note that 1024-bit is suitable for older DNS systems, but using it may lead to errors.
  • Selector: Enter “sg1” While other inputs are acceptable, avoiding using a full stop is advisable.
  • Alternate Selector: Input “sg2” for the same reason mentioned above.
  • Domain: Specify the domain name from which your emails are being sent (e.g., salesforcegeek.com).
  • Domain Match: If your emails are sent from the main domain (e.g., example@salesforcegeek.com) without any subdomain (e.g., example.subdomain.salesforcegeek.com), choose “Exact Domain.” Otherwise, select an appropriate option based on your configuration.

Email Security


Email Security

DKIM Domain Settings:

Setting up DKIM for your domain requires attention to your DNS configuration, which may involve collaboration with your IT department.

Identify the CNAME record in your DNS settings and extract the first part before the domain name, highlighted in blue. This extracted part is the “Record Name” in the DNS settings.

Next, take the portion following “CNAME” in the provided screenshot, which becomes the target or content in the DNS settings. Locate the corresponding field in the third column of your domain hosting company’s DNS setup screen.

The configuration will resemble the example provided, and you can leave the TTL (time to live) as the default value.

Ensure the configuration is saved.

Allow 48 hours for the settings to take effect (this step is crucial).
Return to Salesforce and navigate to the DKIM Keys screen. Locate and click on the applicable “selector” (refer to the pink highlight in the screenshot below).

Email Security

Select “Activate.”
Additionally, if you are sending from multiple domains, you must perform this process separately for each domain.

For more information, you can also refer: Considerations for Creating DKIM Keys

Configure DMARC :

SPF demonstrates the validity of the sender, and the assurance that the email remains unaltered is provided by DKIM. However, the question arises concerning the authenticity of other emails from your domain.

Transitioning to Domain-based Message Authentication, Reporting, and Conformance (DMARC) provides clarity on this matter.

The recipient email server is directed to the appropriate course of action by DMARC.

DMARC, however, operates effectively only when both SPF and DKIM records have been established, ideally encompassing all sources dispatching emails under your domain.

In configuring the DMARC policy in Salesforce, the following steps should be adhered to:

Firstly, in the Salesforce setup, the path to access DMARC configuration options is through Email Administration > DMARC Policy.

Secondly, the desired DMARC policy for the domain needs to be selected. The available policy options include “none,” “quarantine,” and “reject.”

The “none” policy allows monitoring email authentication without specific actions. The “quarantine” policy instructs the receiving server to treat suspicious emails as spam. The “reject” policy directs the receiving server to reject emails failing authentication.

Finally, after determining the DMARC policy, the next step involves the publication of the DMARC record to the DNS configuration. This is achieved by adding it as a TXT record, ensuring that the configured policy takes effect.

Also Read – Different ways to create a Validation Rule for a Phone number in Salesforce

How does the recipient’s mail server handle email messages that fail authentication?

Bounce Back: Enabled Bounce Processing: Flags the contact or lead record as having a bad address.

Disabled Bounce Processing or not sent to a contact/lead: Sends a bounce notification to the sender.

Discarded: The email is dismissed, and the sender cannot confirm its delivery to the recipient.

Marked as Spam: The email may be categorized as spam.

Delivered: The email successfully reaches the recipient.


1. Is the setup of DMARC mandatory, or can SPF and DKIM be initiated first?

While email security is bolstered by SPF and DKIM, an additional layer of protection is provided by DMARC. It is recommended to implement all three for comprehensive email security; however, SPF and DKIM can be initiated first if necessary.

2. Why is SPF crucial?

SPF holds significance as it guarantees that only sanctioned email servers can send emails on your behalf. This not only enhances email deliverability but also diminishes the likelihood of engaging in fraudulent activities.

3. What makes email authentication crucial for Salesforce users?

Email authentication plays a pivotal role in establishing trust for emails originating from Salesforce, thereby minimizing the vulnerabilities associated with email fraud and phishing scams.

4. How do I set up SPF, DKIM, and DMARC in Salesforce?

To establish SPF, DKIM, and DMARC in Salesforce, begin by generating SPF and DKIM records in your DNS. Afterwards, proceed to configure DMARC within the Salesforce settings.


The implementation of SPF, DKIM, and DMARC collectively serves as a robust strategy for shielding your domain against email spoofing and phishing attacks.

This multi-layered approach ensures that only duly authorized servers can dispatch emails on behalf of your domain and, concurrently, guarantees the integrity of emails throughout their transit.

Get a complete Roadmap To Learn Salesforce Admin And Development

Share Now

Similar Posts

One thought on “Enhanced Email Security in Salesforce

Leave a Reply

Your email address will not be published. Required fields are marked *