Email Security Mechanisms

Salesforce supports several email security mechanisms: Transaction Layer Security (TLS), Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC). Each mechanism protects different aspects of an email message.

• Set Up Transaction Layer Security (TLS)
  Transaction Layer Security (TLS) encrypts the contents of an email transaction during transmission. The sender and receiver can also use it to verify each other's identity. You can choose a TLS setting when sending email through Salesforce or through an email relay.
• Sender Policy Framework (SPF)
  The Sender Policy Framework (SPF) email authentication method aims to reduce spam and fraud by making it harder for email senders to hide their identity. SPF detects email spoofing by providing a process to verify who is permitted to send emails on your behalf. SPF improves message deliverability, protects the credibility and reputation of your domains, and enhances user trust and confidence. Salesforce uses SPF and recommends that you do, too.
• DomainKeys Identified Mail (DKIM) Keys
  Use the DKIM key feature so Salesforce can sign outbound email sent on your company’s behalf. These signatures give recipients confidence that the email was handled in a way that’s consistent with your company. An active DKIM key also verifies your domain ownership so that Salesforce can send email for your users.
• What Is DMARC?
  Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email authentication, policy, and reporting protocol. It’s built on top of Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) protocols. If neither of those authentication methods passes, the DMARC policy determines what to do with the message. Salesforce supports and recommends DMARC. It’s up to you to determine whether you implement it for your domain.