Setup Guide

How to Set Up SPF, DKIM, and DMARC for Salesforce

Salesforce sends email on your behalf through multiple channels — workflow alerts, case notifications, marketing emails (via Marketing Cloud or Pardot), and direct user-sent emails from the CRM. Each of these needs to be covered by your authentication records.

SPF Configuration

Salesforce's core platform uses a single SPF include.

DNS Record:

Type:  TXT
Host:  @
Value: v=spf1 include:_spf.salesforce.com ~all

Important: If you also use Salesforce Marketing Cloud (formerly ExactTarget), it uses a different sending infrastructure and may require an additional include:

v=spf1 include:_spf.salesforce.com include:cust-spf.exacttarget.com ~all

Verify your total lookup count with the SenderClarity SPF Checker after making changes.

DKIM Configuration

Salesforce supports DKIM through the Email Administration settings.

  1. In Salesforce, go to Setup → Email → DKIM Keys.
  2. Click Create New Key.
  3. Choose a key size (2048-bit recommended).
  4. Enter your domain name and a selector name.
  5. Salesforce will generate a CNAME or TXT record:
Type:  TXT
Host:  yourSelector._domainkey
Value: (provided by Salesforce — unique to your org)
  1. Add the record to your DNS.
  2. Return to Salesforce and activate the DKIM key.

For Marketing Cloud, DKIM is configured separately through the Sender Authentication Package (SAP) or Self-Service Authentication, which uses its own set of DNS records.

DMARC Configuration

Start with monitoring mode:

Type:  TXT
Host:  _dmarc
Value: v=DMARC1; p=none; rua=mailto:your-address@reports.senderclarity.com; fo=1

Move toward enforcement after reviewing reports:

  1. p=quarantine; pct=25
  2. p=quarantine; pct=100
  3. p=reject

Verification

  • Check your SPF record →
  • Send a test email from Salesforce and inspect headers
  • Confirm dkim=pass is aligned with your domain
  • Monitor DMARC reports in SenderClarity, paying attention to both Salesforce CRM and Marketing Cloud sources

Common Issues

Two separate Salesforce products, two SPF includes: Salesforce CRM (_spf.salesforce.com) and Marketing Cloud (cust-spf.exacttarget.com) are separate sending systems. Missing one of them means emails from that product will fail SPF.

SPF alignment with Salesforce CRM: By default, Salesforce CRM uses a return-path domain under salesforce.com, not your domain. DKIM alignment is typically the reliable path to DMARC compliance for Salesforce-originated emails.

Email relay configuration: If you've configured Salesforce to relay through your corporate mail server (e.g., Microsoft 365 or Google Workspace), the SPF check will be against your mail server's IP, not Salesforce's. In this case, you may not need the Salesforce SPF include at all — but you do still need DKIM configured.

SPF Lookup Impact

Include Estimated Lookups
_spf.salesforce.com 1–2
cust-spf.exacttarget.com (Marketing Cloud) 2–3