Loading

How Salesforce Handles DMARC Policy Enforcement from Yahoo, AOL, and Other Email Service Providers

Data pubblicazione: Jun 12, 2026
Descrizione

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email validation protocol that allows email service providers to reject messages that do not originate from the sender's authorized mail servers. Starting in April 2014, Yahoo.com and other providers including AOL.com adopted a strict DMARC policy ("p=reject") to prevent spam and phishing scams.


This policy affects Salesforce users who have configured a FROM email address using a Yahoo, AOL, or similarly DMARC-strict domain, because Salesforce delivers those emails from Salesforce mail servers — not from Yahoo's or AOL's servers. DMARC-compliant receiving mail servers will reject these emails.


Example: If a Salesforce user record is configured with a FROM address of user@yahoo.com, and a customer's email server enforces DMARC validation, the email sent from Salesforce will be rejected because it originates from Salesforce mail infrastructure, not from Yahoo's authorized servers.

Risoluzione

This article describes how the DMARC policy enforcement by major email providers affects Salesforce email delivery, and the options available to resolve email delivery failures caused by DMARC rejection.

What This Means for Salesforce Users

If a Salesforce User record is configured to send email with a FROM address using a domain managed by a DMARC-strict provider (such as @yahoo.com or @aol.com), emails sent from Salesforce may be rejected by DMARC-compliant receiving mail servers. This is because Salesforce delivers emails using its own mail infrastructure and the DMARC policy of the FROM domain prevents third parties from sending on its behalf.

Recommended Solutions for Organizations That Own Their Domain

Organizations that control their own email domain can use the following options in Salesforce to comply with DMARC requirements and prevent email delivery failures:

  • Create a DKIM Key in Salesforce: DKIM (DomainKeys Identified Mail) allows Salesforce to cryptographically sign outgoing emails on behalf of your domain. This tells receiving mail servers that the email is authorized by your domain, satisfying DMARC alignment requirements.
  • Configure an SPF Record: SPF (Sender Policy Framework) is a DNS record that authorizes Salesforce mail servers to send emails on behalf of your domain. Adding Salesforce's mail servers to your domain's SPF record helps prevent DMARC rejection.
  • Set Up Email Relay: Email Relay routes outgoing Salesforce emails through your organization's own mail server. This ensures emails are delivered from your authorized mail infrastructure rather than Salesforce's servers, fully satisfying DMARC requirements.

Recommended Solution for Users Without a Custom Domain

If a user's FROM email address uses a consumer domain such as @yahoo.com or @gmail.com that the organization does not control, the recommended solution is to register a new email address using a domain your organization owns. Update the Salesforce User record to use this organization-owned address as the FROM address for all outgoing emails.

For Organizations that own their domain, options to mitigate:



Additional Resources:

Numero articolo Knowledge

000387241

 
Caricamento
Salesforce Help | Article