
TLS connections for Salesforce Outbound Email and Email Services

Publish Date: Mar 24, 2023
Description
As of April 2020, Salesforce only supports inbound and outbound email connections using TLS 1.2.

At minimum, we recommend that you confirm your own mail service supports TLS 1.2 for quick and secure communication with Salesforce MTAs (Mail Servers).

Examples of Outbound Salesforce Emails:
  • Emails sent to Opportunity, Lead, or Case Contacts, etc.
  • API emails created and sent using custom code
  • Outbound emails triggered by workflows
  • Emailed reports
  • System emails like password reset notifications
  • Chatter notification emails

Examples of Inbound Salesforce Emails:

  • Email to Case
  • Email to Apex
  • Email to Salesforce
  • Workflow replies by email
  • Reply to Chatter
  • Email to Groups
  • Out of band bounce processing

 

Solution

Check what version of TLS you are using for outbound emails

Email Log functionality (outbound emails) includes the version of TLS being used when mail is sent outbound from Salesforce. For more details, review the article "TLS information added to Email Log functionality". An alternate method to check if you're sending with TLS is to send yourself an email from Salesforce to your company's email address and look at the mail headers to see if TLS 1.2 is referenced.

An example of a Received header:
Received: from smtp16-dfw-sp2.mta.salesforce.com (136.147.62.207) by BY2NAM01FT064.mail.protection.outlook.com (10.152.69.129) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.1019.14 via Frontend Transport; Thu, 6 Apr 2017 16:53:53 +0000
You want the version of TLS to be TLS 1.2, which this header shows as version=TLS1_2. If you do not see "TLS" in the source of the mail, it may have been delivered unencrypted, which can happen if TLS is not used or "TLS preferred" is used (Opportunistic TLS).


Check if you’re still using TLS for inbound emails

Send an email from your company's email account to a Salesforce Email service (e.g., Email-to-Case) and then leverage the Inbound Email Snapshots tool.
To set up an Inbound Email Snapshot:
  • Log in to Salesforce as an Admin and navigate to Setup | Monitor (Classic UI) or Monitoring (Lightning UI) | Email Snapshots
  • Set up a new snapshot by specifying the address of the email service in the "To address" and your address in the "From address" and then select "Request Snapshot".
  • From your company mail, send an email to the email service address you specified in the tool.
  • Return to the tool and refresh the page. You should see a list of Pending and Completed Snapshots.
  • Select "Download" next to the most recent snapshot and view the file.
  • Look at the Received header to see if you are still using TLS.
  • There are 3 headers of interest you should look at:
      a. X-SFDC-TLS-STATUS: (True if TLS was used)
      b. X-SFDC-TLS-CIPHER: (Cipher used if TLS was true)
      c. X-SFDC-TLS-VERSION: (TLS Version used)
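
Both header checks above (the Received header on outbound mail and the X-SFDC-TLS-* headers in an inbound snapshot) can be scripted. The following is an added example, not Salesforce code; the function names, the second sample hop and the X-SFDC-TLS-* sample values are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample. The first Received header is the one quoted in this article;
# the second hop and the X-SFDC-TLS-* values are made up (their exact value format
# is an assumption, the article only names the headers).
SAMPLE = """\
Received: from smtp16-dfw-sp2.mta.salesforce.com (136.147.62.207) by
 BY2NAM01FT064.mail.protection.outlook.com (10.152.69.129) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id
 15.1.1019.14 via Frontend Transport; Thu, 6 Apr 2017 16:53:53 +0000
Received: from relay.example.com (192.0.2.10) by mx.example.com with ESMTP id
 abc123; Thu, 6 Apr 2017 16:53:50 +0000
X-SFDC-TLS-STATUS: true
X-SFDC-TLS-CIPHER: ECDHE-RSA-AES256-GCM-SHA384
X-SFDC-TLS-VERSION: TLSv1.2
Subject: TLS check

body
"""

# Matches TLS1_2, TLSv1.2, TLS 1.2; cipher names such as TLS_ECDHE_... do not match.
TLS_RE = re.compile(r"TLS\s?v?(\d)[._](\d)", re.IGNORECASE)

def tls_version(text):
    """Return the version as '1.2', or None when the text names no TLS version."""
    m = TLS_RE.search(text or "")
    return f"{m.group(1)}.{m.group(2)}" if m else None

def audit(raw):
    """Return (hops, snapshot): one dict per Received header, plus the X-SFDC-TLS-* summary."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        sender = re.search(r"from\s+(\S+)", flat)
        ver = tls_version(flat)
        hops.append({"from": sender.group(1) if sender else "?", "tls": ver, "ok": ver == "1.2"})
    snapshot = None
    if msg["X-SFDC-TLS-STATUS"] is not None:  # headers the article lists for snapshots
        used = msg["X-SFDC-TLS-STATUS"].strip().lower() == "true"
        ver = tls_version(msg["X-SFDC-TLS-VERSION"])
        snapshot = {"used": used, "cipher": msg["X-SFDC-TLS-CIPHER"], "tls": ver,
                    "ok": used and ver == "1.2"}
    return hops, snapshot

if __name__ == "__main__":
    hops, snapshot = audit(SAMPLE)
    for hop in hops:
        print(hop["from"], hop["tls"] or "no TLS named in header", "OK" if hop["ok"] else "CHECK")
    print("snapshot:", snapshot)
```

A hop reported as CHECK names no TLS version or a version other than 1.2 and should be reviewed against the sending or receiving mail server's TLS configuration.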
Knowledge Article Number

000388995

 