Setup Guide

How to Set Up SPF, DKIM, and DMARC for Salesforce

Salesforce sends email on your behalf through multiple channels — workflow alerts, case notifications, marketing emails (via Marketing Cloud or Pardot), and direct user-sent emails from the CRM. Each of these needs to be covered by your authentication records.

SPF Configuration

Salesforce's core platform uses a single SPF include.

DNS Record:

Type:  TXT
Host:  @
Value: v=spf1 include:_spf.salesforce.com ~all

Important: If you also use Salesforce Marketing Cloud (formerly ExactTarget), it uses a different sending infrastructure and may require an additional include:

v=spf1 include:_spf.salesforce.com include:cust-spf.exacttarget.com ~all

Verify your total lookup count with the SenderClarity SPF Checker after making changes.

DKIM Configuration

Salesforce supports DKIM through the Email Administration settings.

  1. In Salesforce, go to Setup → Email → DKIM Keys.
  2. Click Create New Key.
  3. Choose a key size (2048-bit recommended).
  4. Enter your domain name and a selector name.
  5. Salesforce will generate a CNAME or TXT record:
Type:  TXT
Host:  yourSelector._domainkey
Value: (provided by Salesforce — unique to your org)
  6. Add the record to your DNS.
  7. Return to Salesforce and activate the DKIM key.

For Marketing Cloud, DKIM is configured separately through the Sender Authentication Package (SAP) or Self-Service Authentication, which uses its own set of DNS records.

DMARC Configuration

Start with monitoring mode:

Type:  TXT
Host:  _dmarc
Value: v=DMARC1; p=none; rua=mailto:your-address@reports.senderclarity.com; fo=1

Move toward enforcement after reviewing reports:

  1. p=quarantine; pct=25
  2. p=quarantine; pct=100
  3. p=reject

DMARC Considerations for Salesforce

  • CRM and Marketing Cloud are entirely separate systems for DMARC purposes: Salesforce CRM sends through salesforce.com infrastructure while Marketing Cloud (formerly ExactTarget) uses exacttarget.com infrastructure. They require different SPF includes, different DKIM configurations, and appear as completely distinct senders in your DMARC reports. Authenticating one does not cover the other.

  • Email relay configuration changes the authentication picture entirely: If Salesforce CRM is configured to relay outbound email through your corporate mail server (Microsoft 365, Google Workspace), the SPF check runs against your mail server's IP — not Salesforce's. In this configuration, the Salesforce SPF include is unnecessary, but DKIM must still be configured in Salesforce to maintain alignment.

  • Marketing Cloud's Sender Authentication Package (SAP) is a significant investment: Full DMARC alignment for Marketing Cloud typically requires the Sender Authentication Package, which includes a dedicated sending domain, custom return-path, and DKIM signing. Without SAP, Marketing Cloud emails use ExactTarget's domain infrastructure and won't align with your DMARC policy. Factor this cost into your DMARC enforcement timeline.

  • Pardot (Marketing Cloud Account Engagement) is yet another system: If you use Pardot alongside Salesforce CRM and Marketing Cloud, that's three separate email-sending systems to authenticate — each with its own SPF and DKIM configuration, and each appearing distinctly in DMARC reports. Organizations that add Pardot later often miss this, creating DMARC failures that only surface once enforcement begins.

Verification

  • Check your SPF record
  • Send a test email from Salesforce and inspect headers
  • Confirm dkim=pass is aligned with your domain
  • Monitor DMARC reports in SenderClarity, paying attention to both Salesforce CRM and Marketing Cloud sources

Common Issues

Two separate Salesforce products, two SPF includes: Salesforce CRM (_spf.salesforce.com) and Marketing Cloud (cust-spf.exacttarget.com) are separate sending systems. Missing one of them means emails from that product will fail SPF.

SPF alignment with Salesforce CRM: By default, Salesforce CRM uses a return-path domain under salesforce.com, not your domain. DKIM alignment is typically the reliable path to DMARC compliance for Salesforce-originated emails.

Email relay configuration: If you've configured Salesforce to relay through your corporate mail server (e.g., Microsoft 365 or Google Workspace), the SPF check will be against your mail server's IP, not Salesforce's. In this case, you may not need the Salesforce SPF include at all — but you do still need DKIM configured.
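The header inspection from the Verification steps and the SPF alignment issue above can be checked together. The following is an added example, not SenderClarity or Salesforce code: it parses an Authentication-Results header and reports which passing mechanisms align with the From: domain. The sample headers, the example.com domain and the return-path hostname are constructed, and the organizational domain is approximated as the last two labels.

```python
import re

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real DMARC
    # evaluators use the Public Suffix List (needed for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(header):
    """Return [(method, result, {property: value})] for each result clause."""
    out = []
    for clause in header.split(";")[1:]:           # first part is the authserv-id
        clause = re.sub(r"\([^)]*\)", "", clause)  # drop parenthesised comments
        m = re.match(r"\s*(\w+)=(\w+)", clause)
        if m:
            props = dict(re.findall(r"([\w.]+)=([^\s;]+)", clause[m.end():]))
            out.append((m.group(1).lower(), m.group(2).lower(), props))
    return out

def dmarc_alignment(header, from_domain):
    """Which passing mechanisms align (relaxed mode) with the From: domain."""
    want = org_domain(from_domain)
    aligned = {"spf": False, "dkim": False}
    for method, result, props in parse_auth_results(header):
        if result != "pass":
            continue  # only a passing check can contribute to DMARC
        if method == "spf" and "smtp.mailfrom" in props:
            dom = props["smtp.mailfrom"].rsplit("@", 1)[-1]
            aligned["spf"] |= org_domain(dom) == want
        elif method == "dkim" and "header.d" in props:
            aligned["dkim"] |= org_domain(props["header.d"]) == want
    aligned["dmarc"] = aligned["spf"] or aligned["dkim"]
    return aligned

# Constructed sample: CRM return-path under salesforce.com, DKIM key active.
CRM_WITH_DKIM = """mx.example.net;
 spf=pass smtp.mailfrom=bounce@constructed.bounces.salesforce.com;
 dkim=pass header.d=example.com header.s=yourSelector"""

# Constructed sample: the same sender before the DKIM key was activated.
CRM_NO_DKIM = """mx.example.net;
 spf=pass smtp.mailfrom=bounce@constructed.bounces.salesforce.com;
 dkim=none"""

if __name__ == "__main__":
    for name, hdr in (("with DKIM", CRM_WITH_DKIM), ("no DKIM", CRM_NO_DKIM)):
        print(name, dmarc_alignment(hdr, "example.com"))
```

In both samples SPF passes but does not align, so the DMARC outcome depends entirely on the DKIM signature carrying your domain in d=.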

SPF Lookup Impact

Include                                      Estimated Lookups
_spf.salesforce.com                          1–2
cust-spf.exacttarget.com (Marketing Cloud)   2–3