
Salesforce SPF and DKIM FAQ

Publication date: Dec 20, 2024
Description

This article provides an overview of the most commonly asked questions on the Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM), with links to helpful resources to address email validation.

Resolution


1. Sender Policy Framework (SPF)

Sender Policy Framework (SPF) is a simple email validation system designed to detect email spoofing. SPF provides a process to verify which providers can send emails on your behalf. It also aims to reduce spam and fraud by making it harder for anyone to hide their identity. 

See also:
Salesforce SPF Records
Sender Policy Framework (SPF) 
 

2. Domain Keys Identified Mail (DKIM)

Use the DKIM (Domain Keys Identified Mail) key feature to let Salesforce sign outbound emails sent on your company’s behalf. These signatures give recipients confidence that the email was handled in a way that’s consistent with your company.

See also:
Set Up Secure DKIM Keys
Best practices to setup DKIM

Considerations for Creating DKIM Keys 

3. Who signs (DKIM Sign) the email message?

The outgoing server that actually sends the email message by initiating an SMTP session does. It signs the message using a private key saved locally on the same machine.
 

4. Who is responsible for implementing SPF and DKIM on the DNS side?

SPF and DKIM should be implemented on the sender's domain by the DNS/Email administrator.
 

5. Why do we even use SPF and DKIM?

These settings verify the sender’s identity and that the message was kept in the form initially intended. They also maximize email deliverability, ensuring that emails will actually end up in the recipient’s Inbox.
 

6. What if we want to include the IP addresses in the SPF record?

You can add only IP addresses; however, Salesforce does not recommend it. Your SPF record would be similar to this example: v=spf1 mx ip4:204.14.234.64/28 ip4:204.14.232.64/28 ~all
 

7. How are SPF and DMARC (Domain-based Message Authentication, Reporting & Conformance) related?

SPF is one of the authentication techniques on which DMARC is based. DMARC uses the result of the SPF checks and adds a check on the alignment of the domains to determine its results.

See also:
What is DMARC? 
 

8. How often do DKIM keys rotate?

30 Days

9. When DKIM keys automatically rotate, do I need to do anything?

No. Salesforce rotates your DKIM keys every 30 days. When you activate your DKIM key, Salesforce creates a secondary inactive DKIM key for the next rotation. There is no additional action required for these keys to rotate.

10. Do we need both SPF and DKIM, and what is the difference between SPF and DKIM?

Yes! We recommend implementing both. SPF allows senders to tell ISPs which IPs are able to send on their behalf. DKIM allows ISPs to verify that the content sent is what the original sender intended. Both are needed to be a secure email sender.
 

11. Why is the Activate button still not active on the Salesforce DKIM setup page after setup?

The Activate button is only available after the CNAME records are published correctly. Please reach out to your DNS/Email administrator to check further.
 

See also:
Unable to Activate the DKIM keys in Salesforce
 

12. Why are emails still having alignment failures with SPF and DKIM although it has been configured correctly?

If Bounce Management and/or Email Security Compliance settings are enabled in the organization's deliverability setup, the return path in the header changes to a Variable Envelope Return Path (VERP) address. This can cause alignment to fail because, in theory, the return path should be from the customer's domain.

See also:
SPF and DKIM Alignment Fails 
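
The alignment comparison described in questions 7 and 12, as an added example (not Salesforce code): it compares the From domain with the Return-Path domain (the SPF identity) and with the DKIM d= domain. The message and all domains are constructed, the organizational domain is approximated as the last two labels instead of a Public Suffix List lookup, and only alignment is checked, not the SPF result or signature validity.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: From is on example.com, but the envelope return
# path is a VERP-style address on a different (placeholder) domain.
SAMPLE = """\
Return-Path: <bounce-abc123=user=recipient.test@bounces.example.net>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1;
 h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Sales Team <sales@example.com>
To: user@recipient.test
Subject: Quote

Hello
"""

def org_domain(domain):
    # Assumption: organizational domain = last two labels.
    # Real DMARC evaluators use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    """Strict: exact match. Relaxed: same organizational domain."""
    if not auth_domain or not from_domain:
        return False  # e.g. a null return path "<>"
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def domain_of(header_value):
    # Domain part of the address in a From or Return-Path header.
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def check_alignment(raw, strict=False):
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    # Pull the d= tag out of every DKIM-Signature header present.
    dkim_doms = [m.group(1).lower()
                 for sig in msg.get_all("DKIM-Signature", [])
                 for m in [re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)] if m]
    return {
        "from": from_dom,
        "return_path": rp_dom,
        "spf_aligned": aligned(rp_dom, from_dom, strict),
        "dkim_aligned": any(aligned(d, from_dom, strict) for d in dkim_doms),
    }
```

On the sample, the VERP return path breaks SPF alignment while the DKIM signature for the From domain still aligns, which is why a valid, aligned DKIM signature matters when the return path cannot be on the customer's domain.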

Additional resources

Salesforce Help - Sender Policy Framework and Authentication FAQs

 

Knowledge article number

000389240

 