Salesforce email authentication plays a crucial role in ensuring the secure transmission of emails for your organization. It serves to help recipient email servers distinguish whether an email originates from a genuine account and if the sender’s identity is authentic, without any attempt at spoofing.

When sending emails from platforms like Pardot (Account Engagement), Salesforce, or Marketing Cloud on behalf of your organization’s domain, it is imperative to have SPF, DKIM, and DMARC configurations completed.

In the following section, we will explore each authentication method, providing a step-by-step guide to implementing SPF and DKIM policies across Pardot (Account Engagement), Salesforce, and Marketing Cloud.

Salesforce Email Authentication Definitions


Email authentication protocols were developed to enhance the security of Simple Mail Transfer Protocol (SMTP) and combat spam. These protocols require careful implementation and verification before sending emails from each platform.

  • SPF (Sender Policy Framework):
    • Purpose: Prevents spammers from sending messages on behalf of your domain.
    • Implementation: Requires adding SPF records in your DNS to authorize platforms like Pardot or Salesforce to send emails on your organization’s domain.
  • DKIM (DomainKeys Identified Mail):
    • Purpose: Allows an organization to take responsibility for transmitting a message by signing it for verification.
    • Implementation: Involves publishing a public key in DNS, with the recipient email server validating emails using the corresponding private key.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance):
    • Purpose: Protects email domain owners from unauthorized use (email spoofing).
    • Implementation: Guides recipient email servers on how to handle emails from your organization’s domain.

How Does Salesforce Email Authentication Work?

SPF verifies the email’s authorization by an authenticated sender (Pardot, Marketing Cloud, or Salesforce), while DKIM authenticates the email through the validation of public and private keys.

An analogy to gaining access to a nightclub illustrates this process. Like providing a photo ID at a nightclub entry prevents unauthorized entry, SPF and DKIM ensure the legitimacy of the sender.

Why Implement Authentication Protocols?

Implementing SPF, DKIM, and DMARC offers several benefits:

  • Protects Brand Image: Successfully implemented protocols safeguard your business’s brand image, customers, and potential prospects.
  • Prevents Spoofing Attempts: These authentication methods thwart attempts at email spoofing, ensuring that mail servers deliver only genuine emails from your organization.
  • Enhances Email Deliverability: Properly configured authentication protocols positively impact email deliverability. Misconfigurations may lead to emails being marked as spam or missing client inboxes.

Preparing for SPF/DKIM Setup

Before initiating the SPF and DKIM configuration process, collaborate with your organization’s IT department. Obtain a list of domains available for use in the new platform and understand the process of making DNS changes.

Salesforce email authentication

Align with your IT team on timelines, and communicate your implementation deadline. Depending on your IT policy, the process may take 2-4 weeks.

How to Set Up SPF and DKIM in Pardot (Account Engagement)

  • Navigate to Pardot Settings > Domain Management > Add New Domain.
  • Enter the domain name and click Create domain.
  • Access Expected DNS Entries and copy SPF, DomainKey_Policy, and DomainKey Domain and Entry values to be sent to IT.
  • Optionally, configure a tracker domain.
  • Note the validation key for the tracker domain.
  • Send a template to IT with the necessary DNS entries and validation key.
  • Validate DNS entries in Pardot Settings after IT completes the setup.

How to Set Up SPF and DKIM in Salesforce

  • Access Setup, search for “DKIM,” navigate to DKIM Keys under Email, and Generate New Key.
  • Copy CNAME and Alternate CNAME record values.
  • Send a template to IT with required DNS entries.
  • Validate CNAME entries in Salesforce DKIM Keys after IT completes the setup.
  • Activate DKIM in Salesforce once DNS changes propagate.

How to Set Up SPF and DKIM in Marketing Cloud

  • Configure Sender Authentication Package (SAP) to enable authenticated emails from Salesforce on behalf of your domain.
  • Follow the SAP setup process for SPF and DKIM configuration.
  • Implement IP warm-up period to acclimate email servers to your new IP.
  • Monitor sender reputation, engagement, and compliance factors.
  • Troubleshoot and mitigate deliverability issues using Salesforce tools.
  • Collaborate with Salesforce Support for domain-specific issues.
  • Implement recency and frequency rules for email recipients.
  • Regularly suppress inactive subscribers to maintain list quality.
  • Test email content to avoid triggering spam filters.
  • Add DMARC to DNS separately, if not included in SAP.

Thorough email authentication implementation across all Salesforce platforms ensures secure communication and reliable email deliverability. Regular monitoring, troubleshooting, and adherence to best practices contribute to maintaining a positive sender reputation and optimizing email performance.

Confused yet?  Tectonic can assist with all your Salesforce email authentication needs. 

Content updated May 2023 to reflect product name changes.

Related Posts
Salesforce Jigsaw
Salesforce Jigsaw, a prominent figure in cloud computing, has finalized a deal to acquire Jigsaw, a wiki-style business contact database, for Read more

What is a Salesforce Jumpstart?
Salesforce Quickstart

A Salesforce Jumpstart is a program designed to help businesses quickly and efficiently implement Salesforce, which is a powerful customer Read more

50 Advantages of Salesforce Sales Cloud
Salesforce Sales Cloud

According to the Salesforce 2017 State of Service report, 85% of executives with service oversight identify customer service as a Read more

Salesforce Artificial Intelligence
Salesforce CRM for AI driven transformation

Is artificial intelligence integrated into Salesforce? Salesforce Einstein stands as an intelligent layer embedded within the Lightning Platform, bringing robust Read more