SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) Alignment Fails in Salesforce Email Delivery

Publish Date: Mar 3, 2026
Description

To avoid email spoofing, we encourage our customers to include the Sender Policy Framework (SPF) record of Salesforce in their domain's SPF record. In addition to an SPF record, we also encourage customers to implement the DomainKeys Identified Mail (DKIM) feature. This allows Salesforce to sign outbound emails sent on your company’s behalf.

However, if the email domain has a Domain-based Message Authentication Reporting & Conformance (DMARC) policy, then either SPF or DKIM must not only pass, but also be in alignment, as defined by DMARC.


Root Cause of SPF Alignment failures: Bounce Management, Email Security Compliance, or both settings are enabled. As long as DKIM signing passes in alignment, DMARC does not require SPF to also be aligned. So for customers who want to continue using Bounce Processing, we recommend setting up DKIM.
 

If either of these two settings is enabled in your organization, the envelope sender address changes to a Variable Envelope Return Path (VERP) address such as "sampleemail=salesforce.com__abc123@abc123.bnc.salesforce.com". This does not meet DMARC's alignment requirement because the Envelope Sender does not match the domain in the From header.

 

NOTE: Leaving Bounce Management active in Salesforce does not ensure a successful email delivery because of the mismatch between the Envelope Sender and the From header. Emails can be rejected or sent to spam folders depending upon the recipient's email server policies.


Root Cause of DKIM Alignment failures: The Domain field in the DKIM Key does not match the domain in the From header.

Note: To confirm whether there’s an alignment issue, use a web-based header analyzer such as the Message Header Analyzer tool.
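The same alignment comparison can be made directly on a message's headers. The following Python sketch is an added example, not Salesforce code: it compares the Return-Path (envelope sender) domain and each DKIM `d=` domain against the From header domain. The messages, the domain names, and the `sample`, `org_domain`, `aligned` and `check_alignment` helpers are constructed for illustration, and the third case assumes the envelope sender carries the From domain once both settings are disabled.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: the last two labels approximate the organizational domain.
    # A real DMARC evaluator uses the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(domain, from_domain, strict=False):
    # Strict mode needs an exact match; relaxed mode compares organizational domains.
    if strict:
        return domain.lower() == from_domain.lower()
    return org_domain(domain) == org_domain(from_domain)

def check_alignment(raw, strict=False):
    # Compares identifiers only; it does not verify that SPF or DKIM passed.
    msg = message_from_string(raw)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2]
    env_dom = parseaddr(msg["Return-Path"])[1].rpartition("@")[2]
    dkim_doms = []
    for header in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", header)
        if m:
            dkim_doms.append(m.group(1))
    return {
        "from": from_dom,
        "envelope": env_dom,
        "spf_aligned": aligned(env_dom, from_dom, strict),
        "dkim_aligned": any(aligned(d, from_dom, strict) for d in dkim_doms),
    }

def sample(return_path, dkim_d):
    # Constructed message; only the VERP address shape follows the article.
    return (f"Return-Path: <{return_path}>\n"
            "From: Sample Sender <user@example.com>\n"
            f"DKIM-Signature: v=1; a=rsa-sha256; d={dkim_d}; s=sel1; bh=x; b=y\n"
            "Subject: test\n\nbody\n")

VERP = "user=example.com__abc123@abc123.bnc.salesforce.com"
CASES = {
    "bounce mgmt on, DKIM Domain matches From": sample(VERP, "example.com"),
    "bounce mgmt on, DKIM Domain differs": sample(VERP, "mail.example.net"),
    "bounce mgmt off, DKIM Domain differs": sample("user@example.com", "mail.example.net"),
}

if __name__ == "__main__":
    for name, raw in CASES.items():
        r = check_alignment(raw)
        print(f"{name}: SPF aligned={r['spf_aligned']}, DKIM aligned={r['dkim_aligned']}")
```

Only the second case leaves DMARC with no aligned identifier; the first relies on DKIM and the third on SPF.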

Resolution

The preferred resolution is to set up a DKIM Key. The contents of the Domain field must match the Domain Match Pattern field. 

Salesforce recommends the following as an alternate solution if you cannot set up a DKIM key:

  • Set up SPF in your domain's SPF record, and
  • Disable both Bounce Management and Email Security Compliance in Salesforce Classic and Lightning. 

 

To disable Bounce Management and Email Security Compliance:

In Lightning Experience

  1. From Setup, enter Email in the Quick Find box, then select Deliverability. 
  2. Deselect the checkboxes for Activate bounce management and Enable compliance with standard email security mechanisms.
  3. Click Save.

In Classic

  1. From Setup, enter Email Administration in the Quick Find box, then select Deliverability. 
  2. Deselect the checkboxes for Activate bounce management and Enable compliance with standard email security mechanisms.
  3. Click Save.
Knowledge Article Number

000381292
