SPF(supported)
DKIM(recommended)


This article covers the SPF and DKIM authentication processes for Salesforce and how they are managed in Valimail Enforce. While only one of the two authentication methods is required for an email to pass DMARC, our recommendation is to configure both whenever possible.



TABLE OF CONTENTS




Configuring DKIM authentication for your Salesforce emails



1. Log into the Salesforce console, and then from Setup, enter DKIM Keys in the Quick Find box and then select DKIM Keys.


2. Click Create New Key.


3. Select the RSA key size. We recommend setting the keys to 2048-bit.


4. For Selector, enter a unique name.


5. For Alternate Selector, enter a unique name. The alternate selector allows Salesforce to auto-rotate your keys.


6. Enter your domain name.


7. Select the type of domain match you want to use.


8. Click Save.


9. It may take some time for Salesforce to generate the 2 CNAME records. Refresh your page until you see the records for the DKIM keys issued on the page.


10. Copy the values for your new records (the values are those after CNAME) and add the DKIM keys in Valimail Enforce.


11. After publishing the DKIM keys in Valimail Enforce, please return to the Salesforce console and click on the Activate button to activate the DKIM keys.



You can find these steps on the Salesforce page here.






Add a Salesforce DKIM key in Enforce


1. Go to your domain's Configuration page in Valimail Enforce and publish the newly created DKIM key.


    a. Scroll down and add the two DKIM keys in your configuration, by clicking on Add a DKIM key

    b. Enter the selector name, CNAME target value, associate the keys with Salesforce and then click Add.



You can find more detailed information on how to add a DKIM key in Valimail Enforce here.






Configuring SPF authentication for your Salesforce emails

Once you establish that Salesforce is an authorized sender for your domain, you will need to add the service in your Enabled Senders list in Enforce.


1. Please go to your domain's Configuration page in Enforce.

2. Click on the + sign from the Enabled Senders section:



3. Choose Salesforce from the list of configurable senders and then click Enable:




We encourage you to use the comment section for any useful information about your sending service, such as the name of the service owner, change request ticket numbers, etc.



You may notice that Salesforce emails are not authenticated via SPF, even after you have added Salesforce to your domain's configuration. This is likely caused by Salesforce not sending SPF aligned-mail and can be corrected by following the process detailed below.






Enable SPF alignment in Salesforce for your domain


Salesforce does not usually send SPF-aligned mail by default and the reason for that is that the Bounce Management and/or Email Security Compliance settings are enabled.


Steps to disable Bounce Management and Email Security Compliance:


In Salesforce Classic


1. Click on Setup -> Email Administration -> Deliverability

2. Deselect the checkbox for 'Activate bounce management' and 'Enable compliance with standard email security mechanisms'.

3. Click on Save.


In Lightning Experience


1. Click the Gear Icon -> Setup -> Email | Deliverability 

2. Deselect the checkbox for 'Activate bounce management' and 'Enable compliance with standard email security mechanisms'.

3. Click on Save.


You can find the above instructions on the Salesforce page here.





As always, if you have any questions, please don't hesitate to submit a ticket.