BLOG

Salesforce SPF and now DKIM support

February 24, 2015 by in Technical

Salesforce has published a SPF record for sending emails from Salesforce for years and with the Spring ’15 release, they will provide the option to sign with DKIM.
The SPF record is straight forward, include:_spf.salesforce.com which includes _spf.google.com, _spfblock.salesforce.com, several IP address blocks, mx, and ends with a SoftFail ~all.
Salesforce Knowledge Article Number: 000006347 goes in-depth with information regarding their SPF Record.

With the Spring ’15 Release, Salesforce offers the ability sign outbound emails with DomainKeys (DKIM).

DKIM signing of outbound email is available for Enterprise, Unlimited, and Developer Editions.  Salesforce recommends that you add the public key to your DNS before activating DKIM signing.  There is a limit of 1 DKIM key per domain and Salesforce gives you the option to domain match and sign emails for the domain only, subdomain only, or domain and subdomains.  More information about Salesforce DKIM signing can be found within their Spring 15’ Release Notes.
The ability to sign with non-Salesforce DKIM keys means that Salesforce users now have the option to use DMARC. Prior to this change all mail was authenticated as coming from Salesforce, which is perfectly acceptable and how authentication works. The ability to sign with the users’ DKIM key and domain means large Salesforce users are now able to track authentication failures or publish DMARC policy requests.

2 comments

  1. Deon Grobler says

    Adding: and then testing the SPF policy with: https://vamsoft.com/support/tools/spf-policy-tester, the result is:
    The evaluation has exceeded the maximum allowed number of DNS-based SPF mechanisms or modifiers (10). To avoid unreasonable load on DNS, the evaluation is terminated (see RFC7208 Section 4.6.4.). Returning SPF “permerror”.
    TEST SUMMARY
    The evaluation completed in 132 ms, with 2 errors and 1 warning.
    Result: SPF permerror
    What is the correct string to add in our SPF record to include all SALESFORCE IP’s and therefore authorizes Salesforce.com mail servers as allowed mail servers for our domain?

    February 25, 2018, 10:17 pm
  2. steve says

    I’d start with cleaning up your existing SPF record.
    http://tools.wordtothewise.com/spf/check/enett.com shows you’re including outlook.com’s SPF record, which probably isn’t what you want.

    February 26, 2018, 12:14 pm

Comment:

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Aetna, phishing and securityBack from M3AAWG

Archives