Guidelines for Configuring Deliverability Settings for Emails Sent from Salesforce | Salesforce
Guidelines for Configuring Deliverability Settings for Emails Sent from Salesforce
Email deliverability is affected by past bounced emails to the same email domain and email that doesn’t comply with a recipient's email security framework. Check out some guidelines to help you handle these roadblocks so your users’ emails get where they’re going fast.
Using the Deliverability page in Setup, you can improve email deliverability.
To control the type of email that your organization sends, use the Access level option in the Access to Send Email section. The available options include:
No access: Prevents all outbound email to and from users.
System email only: Allows only automatically generated emails, such as new user and password reset emails. Especially useful for controlling email sent from sandboxes so that testing and development work doesn’t send test emails to your users. Newly created sandboxes default to System email only.
All email: Allows all types of outbound email. Default for new, non-sandbox organizations. Sandboxes created before Spring ’13 default to All email.
When using bounce management:
If you also use Email Relay, make sure that your organization's email server allows the relaying of email sent from Salesforce.
If you send an email to the address for a contact, lead, or person account bounces, an alert shows up next to the address and other users can’t send an email to the address until it’s updated or confirmed.
Emails bounce to Salesforce and not to the sender's personal email account.
Use the Bounced Contacts and Bounced Leads standard report to view a list of email all addresses that have bounced email. The report includes the reason the email was bounced, the date the bounce occurred, and the contact, lead, or person account that bounced the email.
To comply with your recipients’ email security frameworks like SPF:
Check Enable compliance with standard email security mechanisms. This modifies the envelope From address of emails sent from Salesforce. The header From address remains set to the sender's email address. Usually security frameworks only check the envelope address.
If you have recipients using the sender ID email authentication protocol, which isn’t widely used, check Enable Sender ID compliance. This modifies the Sender field in the envelope of emails sent from Salesforce to automatically include no-reply@Salesforce. All replies from the recipients are still delivered to the sender's email address. The recipients’ email client (not Salesforce) may append the phrase “Sent on behalf of” to the From field of emails sent from Salesforce.
To specify how Salesforce uses the Transport Layer Security (TLS) protocol for secure email communication for SMTP sessions, select a TLS Setting. The available options include:
Preferred (default): If the remote server offers TLS, Salesforce upgrades the current SMTP session to use TLS. If TLS is unavailable, Salesforce continues the session without TLS.
Required: Salesforce continues the session only if the remote server offers TLS. If TLS is unavailable, Salesforce terminates the session without delivering the email.
Preferred Verify: If the remote server offers TLS, Salesforce upgrades the current SMTP session to use TLS. Before the session initiates, Salesforce verifies the certificate is signed by a valid certificate authority, and that the common name presented in the certificate matches the domain or mail exchange of the current connection. If TLS is available but the certificate is not signed or the common name does not match, Salesforce disconnects the session and does not deliver the email. If TLS is unavailable, Salesforce continues the session without TLS.
Required Verify: Salesforce continues the session only if the remote server offers TLS, the certificate is signed by a valid certificate authority, and the common name presented in the certificate matches the domain or mail exchange to which Salesforce is connected. If any of these criteria are not met, Salesforce terminates the session without delivering the email.
If you select a setting other than Preferred (the default setting), select Restrict TLS to these domains and specify a comma-separated domain list. The asterisk (*) wildcard is allowed; for example, *.subdomains.com matches email@example.com and firstname.lastname@example.org (but not email@example.com). If you don't specify domains, Salesforce uses the TLS setting you specify for all outbound emails, which may result in emails not being delivered.