Salesforce SPF and now DKIM support
Salesforce has published a SPF record for sending emails from Salesforce for years and with the Spring ’15 release, they will provide the option to sign with DKIM.
The SPF record is straight forward,
include:_spf.salesforce.com which includes
_spf.google.com, _spfblock.salesforce.com, several IP address blocks, mx, and ends with a SoftFail
Salesforce Knowledge Article Number: 000006347 goes in-depth with information regarding their SPF Record.
With the Spring ’15 Release, Salesforce offers the ability sign outbound emails with DomainKeys (DKIM).
DKIM signing of outbound email is available for Enterprise, Unlimited, and Developer Editions. Salesforce recommends that you add the public key to your DNS before activating DKIM signing. There is a limit of 1 DKIM key per domain and Salesforce gives you the option to domain match and sign emails for the domain only, subdomain only, or domain and subdomains. More information about Salesforce DKIM signing can be found within their Spring 15’ Release Notes.
The ability to sign with non-Salesforce DKIM keys means that Salesforce users now have the option to use DMARC. Prior to this change all mail was authenticated as coming from Salesforce, which is perfectly acceptable and how authentication works. The ability to sign with the users’ DKIM key and domain means large Salesforce users are now able to track authentication failures or publish DMARC policy requests.