Salesforce SPF and now DKIM support

Salesforce has published a SPF record for sending emails from Salesforce for years and with the Spring ’15 release, they will provide the option to sign with DKIM.

The SPF record is straight forward, which includes,, several IP address blocks, mx, and ends with a SoftFail ~all.

Salesforce Knowledge Article Number: 000006347 goes in-depth with information regarding their SPF Record.

With the Spring ’15 Release, Salesforce offers the ability sign outbound emails with DomainKeys (DKIM).

DKIM signing of outbound email is available for Enterprise, Unlimited, and Developer Editions.  Salesforce recommends that you add the public key to your DNS before activating DKIM signing.  There is a limit of 1 DKIM key per domain and Salesforce gives you the option to domain match and sign emails for the domain only, subdomain only, or domain and subdomains.  More information about Salesforce DKIM signing can be found within their Spring 15’ Release Notes.

The ability to sign with non-Salesforce DKIM keys means that Salesforce users now have the option to use DMARC. Prior to this change all mail was authenticated as coming from Salesforce, which is perfectly acceptable and how authentication works. The ability to sign with the users’ DKIM key and domain means large Salesforce users are now able to track authentication failures or publish DMARC policy requests.


  1. Deon Grobler says

    Adding: and then testing the SPF policy with:, the result is:

    The evaluation has exceeded the maximum allowed number of DNS-based SPF mechanisms or modifiers (10). To avoid unreasonable load on DNS, the evaluation is terminated (see RFC7208 Section 4.6.4.). Returning SPF “permerror”.

    The evaluation completed in 132 ms, with 2 errors and 1 warning.
    Result: SPF permerror

    What is the correct string to add in our SPF record to include all SALESFORCE IP’s and therefore authorizes mail servers as allowed mail servers for our domain?

  2. steve says

    I’d start with cleaning up your existing SPF record. shows you’re including’s SPF record, which probably isn’t what you want.


Your email address will not be published. Required fields are marked *