Salesforce SPF and now DKIM support

BLOG

Salesforce SPF and now DKIM support

February 24, 2015 by josh in Technical

Salesforce has published a SPF record for sending emails from Salesforce for years and with the Spring ’15 release, they will provide the option to sign with DKIM.

The SPF record is straight forward, include:_spf.salesforce.com which includes _spf.google.com, _spfblock.salesforce.com, several IP address blocks, mx, and ends with a SoftFail ~all.

Salesforce Knowledge Article Number: 000006347 goes in-depth with information regarding their SPF Record.

With the Spring ’15 Release, Salesforce offers the ability sign outbound emails with DomainKeys (DKIM).

DKIM signing of outbound email is available for Enterprise, Unlimited, and Developer Editions. Salesforce recommends that you add the public key to your DNS before activating DKIM signing. There is a limit of 1 DKIM key per domain and Salesforce gives you the option to domain match and sign emails for the domain only, subdomain only, or domain and subdomains. More information about Salesforce DKIM signing can be found within their Spring 15’ Release Notes.

The ability to sign with non-Salesforce DKIM keys means that Salesforce users now have the option to use DMARC. Prior to this change all mail was authenticated as coming from Salesforce, which is perfectly acceptable and how authentication works. The ability to sign with the users’ DKIM key and domain means large Salesforce users are now able to track authentication failures or publish DMARC policy requests.

2 comments

Deon Grobler says

Adding: and then testing the SPF policy with: https://vamsoft.com/support/tools/spf-policy-tester, the result is:

The evaluation has exceeded the maximum allowed number of DNS-based SPF mechanisms or modifiers (10). To avoid unreasonable load on DNS, the evaluation is terminated (see RFC7208 Section 4.6.4.). Returning SPF “permerror”.

TEST SUMMARY
The evaluation completed in 132 ms, with 2 errors and 1 warning.
Result: SPF permerror

What is the correct string to add in our SPF record to include all SALESFORCE IP’s and therefore authorizes Salesforce.com mail servers as allowed mail servers for our domain?

February 25, 2018, 10:17 pm
steve says

I’d start with cleaning up your existing SPF record.

http://tools.wordtothewise.com/spf/check/enett.com shows you’re including outlook.com’s SPF record, which probably isn’t what you want.

February 26, 2018, 12:14 pm

Comment: Cancel reply

Aetna, phishing and securityBack from M3AAWG

Yahoo List-Unsub header
Last week some folks were mentioning a spike in unsubscribes from Yahoo. This is being investigated. No Comments
It's not a technical problem
You can't technical your way out of the bulk folder. I wrote that a year and a half ago, and it's even more true today. Filters at the big webmail providers continue to evolve to meet new threats and new spamming techniques. Sending technically perfect mail won't get your mail into the inbox. Recipients have to want the mail and interact with the mail for good delivery. No Comments
Edison acquires part of Return Path
Today Matt Blumberg announced that Edison Software acquired Return Path's Consumer Insight division, current customers and some Return Path staff. Congrats to everyone involved.1 Comment

Donnie G Rutherford on What does mitigation really mean?
Stefano Bagnara on What’s up with microsoft?
Brad on Is harvesting illegal under CAN SPAM
John Levine on List the world!
jeff on Is harvesting illegal under CAN SPAM

2018 (71)
2017 (180)
2016 (209)
2015 (205)
2014 (209)
2013 (208)
2012 (228)
2011 (232)
2010 (240)
2009 (247)
2008 (233)
2007 (56)

BLOG