Salesforce Outbound Emails Impacted by Google DMARC Policy Adoption

1. What is the change and impact?

Google has announced that they will implement a strict email authentication Domain-based Message Authentication, Reporting & Conformance (DMARC) policy in June 2016. This policy advises DMARC-compliant email servers to reject emails with @gmail.com in the “from” address, when such emails do not originate from Google’s mail servers. 

Impacted emails include those sent from your Salesforce org where the “from” address displays your organization’s @gmail.com address, but the email originates from our mail servers. Recipients of these emails with mail servers that are DMARC-compliant may reject such emails.    

2. What action do I need to take?

To prepare for this change, you need to register for a domain that you control, and use this new domain for all of your emails sent from Salesforce. Review the Changing user email addresses help article for more details on how to make the update. 

As an email security best practice, Salesforce also encourages customers to implement a DomainKeys Identified Mail (DKIM) and/or Sender Policy Framework (SPF) to further protect against email fraud. See the Create a DKIM and Configure Deliverability Settings help topics for more details.  

To ensure the delivery of your emails, you should refrain from sending any email through our service from any domain that you do not control, including but not limited to other major service providers domains such as Gmail, Outlook.com, and more. To date, Yahoo, AOL and Google have or will implement this strict email policy, and other domain owners will likely do so in the future.  

3. How can I tell if my recipients are not receiving emails sent from the Salesforce service?

The way these emails are handled by the receiver’s mail server depends on the receiver’s mail server DMARC configuration for how to handle email messages that fail the authentication checks.  

Behavior can include the following:

• Bounce back
• When Bounce Processing is enabled and an email is sent to a Contact or Lead — The contact or lead record is flagged as having a bad address
• When Bounce Processing is off or when Bounce Processing is enabled but an email was not sent to a Contact or Lead —A bounce notification is sent back to the From address (sender)
• Discarded — The mail is dismissed and the sender is not able to confirm if the mail has reached the recipient.
• Marked as spam
• Delivered

4. What if I already own and control my own domain?

If you already own and control your own domain and are using this domain for your emails from Salesforce, no action is required. Google’s upcoming implementation of this strict email policy only impacts email addresses with @gmail.com in the From address where the mail is originating from Salesforce email servers. 

5. What can I tell my recipients to do on their end to mitigate this impact?

You should not direct your mail recipients to change their email server DMARC configuration for security best practices. It is not recommended for email recipients to switch to an email provider that does not implement DMARC or adjust their own mail server DMARC policy. There is a growing trend for more companies to adopt DMARC and email authentication for security best practices.