Loading

Authenticating Marketing Cloud Next Emails

Julkaisupäivä: Apr 21, 2026
Kuvaus

Note: this information only applies to Marketing Cloud Next (Growth/Advanced editions) as well as Marketing Cloud Account Engagement customers using the new campaign experience in Marketing Cloud. For emails sent from the Marketing App from Salesforce Starter, Salesforce Pro Suite, and Salesforce Foundations, they are sent via a salesforce.com domain and all email authentication is automatically handled without any DNS setup.

Marketing Cloud  Next uses the Unified Messaging platform for sending email. See below about how email authentication works with Unified Messaging and Authenticated Domains.

Ratkaisu

Sender Policy Framework (SPF)

SPF is a form of email authentication that makes forging the sender of an email, or email spoofing, more difficult. SPF isn’t aimed at stopping spammers. Rather, it tightens loopholes used by spammers to spoof emails. SPF provides a list of all outbound email sources for a domain as a DNS TXT record. Emails you send through Marketing Cloud Next pass SPF automatically because an activated authenticated domain is required for email sending.

When a receiving mail server gets a message appearing to be sent from a certain domain, it checks the sender’s SPF statement to verify that information.

Once you have activated an authenticated domain, you can view the SPF records by looking up the DNS information for the bounce CNAME. The SPF records are managed by Salesforce and you do not need to set up any additional SPF records. Please note that there are a handful of layers of CNAME/TXT records before you arrive at the final SPF TXT record that contains the list of authorized IP addresses (work with your IT team if you have questions on reviewing this).

DomainKeys Identified Mail (DKIM)

DKIM is a common email authentication system that adds another layer of verifying ownership with DNS records. Emails you send through Marketing Cloud Next pass DKIM automatically because an activated authenticated domain is required for email sending. Marketing Cloud Next DKIM Keys are 2048-bit by default.

Specifically the 3 outbound CNAME records in the required DNS records are utilized for DKIM authentication.

Domain-Based Message Authentication, Reporting, and Conformance (DMARC)

With DMARC, you notify receiving servers that your messages use SPF and DKIM and instruct them on what to do if those checks fail. The Authenticated Domains setup experience provides a recommended DMARC record, however you should work with your IT team to understand what DMARC record is appropriate for your organization’s needs. A DMARC record is not required for activating an authenticated domain, but we do recommend you set up DMARC as it is as requirement for bulk senders set forth by major inbox providers (see joint statements released by Gmail and Yahoo in October 2023). Salesforce Support cannot assist with configuring or determining the appropriate DMARC record for your organization.

Knowledge-artikkelin numero

004576430

 
Ladataan
Salesforce Help | Article