
Email Relay best practices

Publish Date: Mar 5, 2024
Description
Below are some best practices to consider when setting up email relay for your organization.

For additional information, please review the Considerations for Setting up Email Relay documentation.
 
Resolution

What is Email Relay?

Email relay automatically routes Salesforce-generated emails through your company’s mail service. For more information on email relay, please review Set Up Email Relay.


Deliverability settings and mail relay

When email relay is enabled in Salesforce, companies do not necessarily need to use all of Salesforce’s Email Deliverability settings located under: Setup | Email Administration | Deliverability. This is because some of these settings (listed below) modify the envelope-from address of emails sent from Salesforce. The header From address remains set to the sender's email address. The return-path in the headers is also modified. This change in the email headers may affect email delivery to your email server, because the modified return-path includes a Variable Envelope Return Path (VERP) value.
 

Example standard return-path: <name@domain.com>
Example of Variable Envelope Return Path (VERP): <name=domain.com__x@x.bnc.salesforce.com>


Therefore, we recommend that companies disable the following two email deliverability options when using email relay. You can read more about these settings in Guidelines for Configuring Deliverability Settings for Emails from Salesforce.
 

  1. Open Setup and search for Deliverability in Quick Find
  2. Turn OFF Activate Bounce Management
  3. Turn OFF Enable compliance with standard email security mechanism and Enable Sender ID compliance
 

  After disabling these settings, the email sent from Salesforce to your relay server will show both envelope-from and return-path as <name@domain.com>.

For background information on IPs used for Email Relay see: Ensure you can receive email from the Salesforce application


Securing your Email Relay

Here are some suggestions for ensuring that your mail relay is secure and that you relay only mail that you intend to:

  • Have your relay allowlist only the IPs you want to relay mail for (ours and any others)
  • Only relay mail that is sent using your mail domain
  • Enforce TLS (optionally set it to TLS required, or to required with verification of the hostname on the certificate)
  • Have your relay verify the hostname on our certificate
  • Look for the X-SFDC-LK header and ensure that it has your org ID in it. Only relay mail from Salesforce when it has the proper org ID
  • Use DKIM signing in Salesforce and only relay mail if the DKIM signature passes
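
The checklist above expressed as a single relay decision, as an added example that is not Salesforce's code. The CIDR, mail domain and org ID are constructed placeholders, and `tls_verified` and `dkim_pass` are hypothetical inputs standing for verdicts your mail server has already computed.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Assumed, constructed values: a documentation-range CIDR standing in for the
# sender IPs you allowlist, your mail domain, and a placeholder org ID.
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
MAIL_DOMAIN = "example.com"
ORG_ID = "00D000000000001"

def domain_of(addr):
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def relay_decision(peer_ip, tls_verified, envelope_from, raw_message, dkim_pass):
    """Apply the checklist; return the list of failed checks (empty = relay).

    tls_verified and dkim_pass are verdicts the MTA already computed
    (hypothetical parameters); this function does no crypto itself.
    """
    failed = []
    if not any(ipaddress.ip_address(peer_ip) in net for net in ALLOWED_NETS):
        failed.append("ip")
    if not tls_verified:
        failed.append("tls")
    msg = message_from_string(raw_message)
    header_from = parseaddr(msg.get("From", ""))[1]
    if domain_of(envelope_from) != MAIL_DOMAIN or domain_of(header_from) != MAIL_DOMAIN:
        failed.append("domain")
    # Require exactly one X-SFDC-LK header; duplicates make the value ambiguous.
    lk = msg.get_all("X-SFDC-LK") or []
    if len(lk) != 1 or ORG_ID not in lk[0]:
        failed.append("org_id")
    if not dkim_pass:
        failed.append("dkim")
    return failed

# Constructed sample message (not captured traffic).
SAMPLE = (
    "From: Name <name@example.com>\r\n"
    "To: customer@example.net\r\n"
    "X-SFDC-LK: 00D000000000001\r\n"
    "Subject: Case update\r\n"
    "\r\n"
    "Hello\r\n"
)

if __name__ == "__main__":
    print(relay_decision("203.0.113.10", True, "name@example.com", SAMPLE, True))
    # A VERP return-path (Bounce Management still on) fails the domain rule.
    print(relay_decision("203.0.113.10", True,
                         "name=example.com__x@x.bnc.salesforce.com", SAMPLE, True))
```

The second call shows why the mail-domain rule and Bounce Management interact: a VERP envelope-from at bnc.salesforce.com is not in your domain, so a relay enforcing that rule on the envelope rejects it.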



Bounce Management with Email Relay

Using Email Relay and Bounce Management together requires special care because it can cause Sender Policy Framework (SPF, a common email security standard) to fail to validate. The Salesforce bounce management feature relies on setting each outgoing email's return path (also called the "envelope from address") to an address at bnc.salesforce.com. SPF works by extracting the domain in the return path to find a set of authorized IP addresses. When you use Email Relay and Bounce Management, the IP address of your relay does not match the authorized IP addresses for the domain (bnc.salesforce.com). This results in an SPF "soft failure" -- it does not mark your message as invalid, but it may reduce your deliverability.

One solution is to establish a DMARC policy for your domain, and then use Salesforce's DKIM signing feature to sign outgoing mail. With this combination, your mail passes a DMARC check, even though it does not pass SPF.

Another solution is to turn off bounce management in Salesforce.



Email Relay with Office 365
For more details about relaying with Office 365 see Salesforce 'Email Relay' with Office 365

Email Relay with Gmail
For more details about relaying with Gmail see Salesforce 'Email Relay' with Gmail

Knowledge Article Number

000382778

 