
Salesforce SPF, DKIM & DMARC Setup Guide

Set up email authentication for Salesforce. SPF include: _spf.salesforce.com. Uses 1 DNS lookup. Step-by-step DKIM and DMARC configuration.

Last updated Feb 27, 2026

SPF Configuration

include:_spf.salesforce.com
DNS Lookup Budget: 1 / 10

Each include, a, mx, ptr and exists mechanism, and the redirect modifier, costs a DNS lookup. RFC 7208 allows at most 10 per evaluation; a record that exceeds the limit evaluates to permerror, which most receivers treat as having no SPF at all. Includes nested inside a provider's record count too, so a provider's real cost is the size of its whole tree, not the single include line you add.

This provider is counted here as 1 of your 10 DNS lookups. Provider records change over time, so re-count the full tree whenever you audit your record.

DKIM Configuration

Selector(s): a custom primary selector plus an alternate selector, both chosen during setup
Key Type: 1024-bit or 2048-bit RSA
Setup: Setup > Quick Find 'DKIM Keys' > Create New Key > Choose key size + selectors > Publish CNAME records > Activate

Setup steps may change — refer to Salesforce's current documentation for the latest instructions.

DMARC Alignment

Alignment Mode: relaxed
Notes: Salesforce keeps one DKIM key active at a time; the alternate selector is what lets the key rotate without a gap in signing.

Common Issues

  • SPF PermError — Salesforce plus a marketing platform such as Marketo plus your primary mail provider pushes the record past 10 lookups once every nested include is counted
  • DKIM not signing — key created and CNAME records published, but Activate never clicked; Salesforce does not sign until the key is active
  • DMARC not covering your mail — workflow alerts left at the default noreply@salesforce.com From address are evaluated under salesforce.com's policy, not yours

Overview

Salesforce (often abbreviated SFDC) is the dominant CRM platform, sending transactional email for workflow alerts, case notifications, approval processes, lead assignment rules, and task reminders. Its SPF record uses include:_spf.salesforce.com, costing 1 DNS lookup. Organizations using Salesforce Marketing Cloud or Pardot (Account Engagement) for marketing automation generate additional email volume through campaign sends, nurture sequences, and event-triggered messages — all sent from your domain.

DKIM Setup: The 3-Step Process

DKIM setup in Salesforce CRM requires choosing two custom selector names, a primary selector and an alternate selector. Salesforce keeps one key active at a time and rotates to the alternate selector when the primary key is refreshed, so verification continues uninterrupted during rotation. Both 1024-bit and 2048-bit RSA keys are supported; choose 2048-bit. RFC 8301 directs signers to use at least 2048-bit keys and only requires verifiers to accept 1024-bit keys as a floor, so a 1024-bit key is the minimum that still verifies, not a recommended size.

Salesforce DKIM has a 3-step process that creates a common failure point: Create Key, Publish CNAME records, then Activate. The Activate step is frequently missed — administrators create the key and publish the CNAME records but never return to click Activate, leaving DKIM configured in Salesforce but not signing outbound messages. Until activation, messages leave Salesforce without DKIM signatures.

DMARC Alignment and Sending Addresses

DMARC is evaluated against the domain in the visible From header, so Salesforce must send with a From address on your domain rather than the default noreply@salesforce.com. A message from the default address is judged under salesforce.com's DMARC policy, not yours: nothing about it aligns with your domain, the DKIM key you set up does not apply to it, and recipients see Salesforce's name rather than yours. Configure a verified sending domain in Salesforce and make sure every workflow email alert, case notification and automated message uses an address on that domain. Be aware, too, that the Email Deliverability setting that enables compliance with standard email security mechanisms makes Salesforce rewrite the envelope sender (Return-Path) to a salesforce.com address: SPF then passes for that domain but cannot align with yours in relaxed or strict mode, so DMARC for Salesforce mail rests on an aligned DKIM signature.

This is a critical point for Salesforce CRM administrators: workflow email alerts, case auto-responses and approval notifications each have a configurable From address, and each must use an address on your verified domain. A single workflow rule left at the default noreply@salesforce.com sends mail that your domain's DMARC policy neither covers nor protects, and because aggregate reports are generated for the From domain, that mail never appears in your reports; the gap stays invisible until someone audits the alert definitions. Mail that does go out as your domain but without an active DKIM key is the opposite case: it fails DMARC and shows up in your aggregate reports as failures from Salesforce's sending IPs.
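The three situations described above, worked through as an added example (this is not Salesforce code or the page's own tooling): a message signed with an aligned DKIM key, the same message with the key created but never activated, and a workflow alert left at the default From address. The headers are constructed, the bounce domain bnc.crm-provider.example is an invented stand-in for a provider-owned Return-Path, and PUBLIC_SUFFIXES is a tiny assumed substitute for the real Public Suffix List.

```python
"""DMARC identifier alignment applied to Salesforce-style headers.

Added example, not Salesforce code. The headers below are constructed, and
PUBLIC_SUFFIXES is a tiny stand-in for the real Public Suffix List.
"""
import re

# Assumption: a minimal public-suffix table. Use the full list in production.
PUBLIC_SUFFIXES = {"com", "net", "org", "example", "co.uk"}


def org_domain(domain):
    """Organizational domain (RFC 7489 section 3.2): public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def aligned(auth_domain, from_domain, mode="relaxed"):
    """Relaxed alignment compares organizational domains; strict needs an exact match."""
    if mode == "strict":
        return auth_domain.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return org_domain(auth_domain) == org_domain(from_domain)


def _header(raw, name):
    m = re.search(rf"^{name}:\s*(.+)$", raw, re.MULTILINE | re.IGNORECASE)
    return m.group(1).strip() if m else None


def _domain_of(addr):
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", addr)
    if not m:
        raise ValueError(f"no domain in {addr!r}")
    return m.group(1).lower()


def evaluate(raw, our_domain, spf_result="pass", dkim_result="pass", mode="relaxed"):
    """Apply DMARC alignment to one message.

    spf_result and dkim_result are the verdicts the receiving MTA already
    produced for the Return-Path domain and the DKIM d= domain; this function
    only decides whether those identifiers align with the From domain.
    """
    from_domain = _domain_of(_header(raw, "From"))
    policy_domain = org_domain(from_domain)          # whose DMARC record is consulted
    return_path = _header(raw, "Return-Path")
    spf_domain = _domain_of(return_path) if return_path else None
    signature = _header(raw, "DKIM-Signature")
    dkim_domain = None
    if signature:
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", signature)
        dkim_domain = m.group(1).lower() if m else None
    spf_aligned = (spf_result == "pass" and spf_domain is not None
                   and aligned(spf_domain, from_domain, mode))
    dkim_aligned = (dkim_result == "pass" and dkim_domain is not None
                    and aligned(dkim_domain, from_domain, mode))
    return {
        "from_domain": from_domain,
        "policy_domain": policy_domain,
        "ours": policy_domain == org_domain(our_domain),  # does our policy even apply?
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


# Constructed headers (not captured traffic). The Return-Path is on an invented
# provider-owned bounce domain, which is why SPF can pass yet never align.
SIGNED = """From: Salesforce Alerts <alerts@example.com>
Return-Path: <bounce-7f3a@bnc.crm-provider.example>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sfdc1; h=from:to:subject; bh=...; b=...
Subject: Case 00012345 updated
"""
# Same message with the DKIM key created and published but never activated.
UNSIGNED = """From: Salesforce Alerts <alerts@example.com>
Return-Path: <bounce-7f3b@bnc.crm-provider.example>
Subject: Case 00012345 updated
"""
# Workflow alert left at the default From address.
DEFAULT_FROM = """From: noreply@salesforce.com
Return-Path: <bounce-7f3c@bnc.crm-provider.example>
Subject: Approval request
"""

if __name__ == "__main__":
    for label, msg in (("signed", SIGNED), ("unsigned", UNSIGNED), ("default From", DEFAULT_FROM)):
        print(label, evaluate(msg, "example.com"))
```

The signed message passes DMARC purely on DKIM alignment, the unsigned one fails, and the default-From message reports policy_domain salesforce.com with ours set to False, which is the case that never reaches your aggregate reports.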

Troubleshooting

DKIM Created But Not Activated

This is the most common Salesforce authentication error. The administrator navigates to Setup > Quick Find > DKIM Keys, creates the key pair, publishes the CNAME records, and considers the job done. But Salesforce does not sign outbound messages until the key status shows "Active." Navigate back to the DKIM Keys page, verify the CNAME records have propagated (status should show "Published"), and click Activate. Messages sent before activation have no DKIM signature — they are not signed with an invalid key, they are simply unsigned.

Emails Sent From noreply@salesforce.com

Salesforce defaults to noreply@salesforce.com for system-generated messages unless you explicitly configure Organization-Wide Email Addresses. Check Setup > Organization-Wide Email Addresses and ensure every address used by workflow rules, case auto-responses, and approval processes belongs to your domain. Also check individual workflow email alert definitions — each alert can override the From address independently.

SPF Include Confusion: CRM vs. Marketing Cloud vs. Pardot

The core Salesforce CRM uses include:_spf.salesforce.com. Pardot (Account Engagement) uses a different include, and Marketing Cloud has its own SPF mechanism. These are not interchangeable. Adding only _spf.salesforce.com does not authorize Pardot or Marketing Cloud sends. Check each product's documentation for the correct SPF include and add each one separately to your record.

DKIM Key Size and DNS Provider Limitations

Salesforce publishes the public key in its own DNS zone and gives you CNAME records that point at it, so in the standard setup the length of a 2048-bit key is Salesforce's concern, not your DNS provider's. What can go wrong on your side is the CNAME itself: a provider that appends your zone name to the target (so that a target ending in example.com becomes one ending in example.com.example.com), or a provider that refuses a CNAME at a name that already holds other records, since DNS forbids a CNAME alongside other data at the same name. Verify by resolving selector._domainkey.<your domain> yourself and confirming that the CNAME chain ends at a TXT record beginning v=DKIM1. If you are instead publishing the key as a TXT value directly (p= followed by the base64-encoded key), remember that a single TXT string holds at most 255 characters: a 2048-bit key must be split into several quoted strings, which verifiers concatenate, and a provider that truncates to one string leaves an unusable key. Regenerating the key as 1024-bit sidesteps that limit, but it falls below the RFC 8301 recommendation to sign with at least 2048-bit keys, so treat it as a stopgap and move the zone to a provider that handles multi-string TXT records.
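The TXT case described above, as an added example that is not Salesforce's code: it reassembles the strings a resolver returns for a selector record, decodes the p= tag, reports the RSA modulus size, and reports the record as unusable when a provider kept only the first 255-character string. The key material is a constructed modulus (a fixed bit pattern, not a real key), built by the small DER encoder in the block solely so the example runs offline.

```python
"""Inspect a published DKIM TXT record: reassemble split strings, decode p=,
report the RSA modulus size and flag truncation.

Added example, not Salesforce's code. FAKE_N_* are constructed moduli used
only to exercise the parser; they are not real keys.
"""
import base64
import binascii
import re

RSA_OID = bytes.fromhex("06092a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption


# --- minimal DER encoder, only to build test records offline -----------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b                      # keep INTEGER positive
    return _der(0x02, b)

def rsa_spki(n, e=65537):
    """SubjectPublicKeyInfo DER for an RSA public key: the form DKIM's p= carries."""
    rsa_key = _der(0x30, _der_int(n) + _der_int(e))
    alg = _der(0x30, RSA_OID + b"\x05\x00")
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))


# --- minimal DER decoder -----------------------------------------------------
def _tlv(buf, pos):
    """Read one tag/length/value; raise if the length overruns the buffer."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER length overruns data: record is truncated")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):
    tag, body, end = _tlv(spki, 0)
    if tag != 0x30 or end != len(spki):
        raise ValueError("not a SubjectPublicKeyInfo")
    _, alg, pos = _tlv(body, 0)
    if not alg.startswith(RSA_OID):
        raise ValueError("key is not rsaEncryption")
    tag, bits, _ = _tlv(body, pos)
    if tag != 0x03:
        raise ValueError("missing BIT STRING")
    _, rsa_key, _ = _tlv(bits[1:], 0)        # skip the unused-bits octet
    tag, modulus, _ = _tlv(rsa_key, 0)
    if tag != 0x02:
        raise ValueError("missing modulus INTEGER")
    return int.from_bytes(modulus, "big").bit_length()


# --- DKIM record handling ----------------------------------------------------
def as_txt_strings(value, max_len=255):
    """Split a TXT value into the <=255-octet strings DNS requires."""
    return [value[i:i + max_len] for i in range(0, len(value), max_len)]

def check_dkim_record(strings):
    """Evaluate the strings returned for selector._domainkey.<domain> TXT.

    Verifiers concatenate the strings with no separator (RFC 6376 3.6.2.2),
    so a provider that stored only the first one silently breaks the key.
    """
    tags = {}
    for part in "".join(strings).split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)   # whitespace inside p= is legal
    if tags.get("v", "DKIM1") != "DKIM1":
        return {"ok": False, "error": "unexpected v= tag"}
    if tags.get("p") is None:
        return {"ok": False, "error": "no p= tag"}
    if tags["p"] == "":
        return {"ok": False, "error": "empty p= (key revoked)"}
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    except (binascii.Error, ValueError, IndexError) as exc:
        return {"ok": False, "error": f"p= unusable, likely truncated: {exc}"}
    return {"ok": True, "bits": bits, "weak": bits < 2048}   # RFC 8301: sign with >= 2048


# Constructed moduli: top bit set, low bits arbitrary. Not real keys.
FAKE_N_2048 = (1 << 2047) | 0x2A5F1
FAKE_N_1024 = (1 << 1023) | 0x2A5F1
EXAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki(FAKE_N_2048)).decode()
WEAK_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki(FAKE_N_1024)).decode()

if __name__ == "__main__":
    strings = as_txt_strings(EXAMPLE_RECORD)
    print(len(strings), "strings;", check_dkim_record(strings))
    print("first string only:", check_dkim_record(strings[:1]))
```

Feed check_dkim_record the list of strings your resolver returns (dig shows them as separate quoted strings on one line); a 2048-bit record needs two, a 1024-bit record fits in one, and a truncated p= is reported as unusable rather than as a smaller key.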

Sandbox vs. Production DKIM Configuration

Salesforce sandboxes have separate DKIM configurations from production. If you test email flows in a sandbox, ensure DKIM is configured there as well — or use a different sending domain for sandbox email. Sandbox emails sent from your production domain without DKIM will generate DMARC failures in your aggregate reports, potentially skewing your metrics and triggering alerts.

Additional Setup Notes

Lookup Budget with Enterprise Salesforce Stacks

Enterprise Salesforce deployments frequently include Pardot or Marketing Cloud for marketing automation, a primary email platform and a support desk. That stack alone consumes three or four top-level includes before counting transactional senders or email security gateways, and top-level includes understate the real cost because the includes nested inside a provider's record count too. Google Workspace's include:_spf.google.com, for example, references three further _netblocks includes, so it costs four lookups on its own; Salesforce plus HubSpot plus Google Workspace is therefore at least six lookups, not three. Add a support desk and a transactional sender and a record can sit at or near the 10-lookup limit with no email filtering infrastructure in it at all. Count the whole tree, not the number of include: terms you typed.

Multiple Salesforce Products, Multiple SPF Includes

Pardot and Marketing Cloud each have their own SPF include mechanisms separate from the core Salesforce CRM include. Organizations using multiple Salesforce products need to account for each product's SPF requirements independently. It is a common mistake to assume that include:_spf.salesforce.com covers all Salesforce-family products — it does not. Each product sends from different infrastructure with different IP ranges.

Migrating CRMs: Salesforce to HubSpot or Vice Versa

When migrating between Salesforce and HubSpot (a common scenario during CRM consolidation), maintain both SPF includes during the transition period. Remove the old provider's include only after confirming all email — including automated workflow alerts and case notifications — has been fully migrated. DKIM records for the old provider should be left in DNS until you are certain no messages are still being signed with those keys. Premature removal creates a window of DKIM failures for in-flight messages.

Dedicated IP and Sender Authentication

Salesforce offers dedicated IP addresses for Marketing Cloud senders with sufficient volume. When using a dedicated IP, you may need to add that IP directly to your SPF record or use the Marketing Cloud-specific include. The SFDC CRM include does not cover Marketing Cloud dedicated IPs. Verify your configuration by sending a test message and inspecting the Received headers to confirm which IP the message originated from, then check that IP against your published SPF record.
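The lookup arithmetic from the Lookup Budget section above and the header-to-SPF check described in this section, as one added example (not Salesforce's or any provider's code). ZONE is a constructed stand-in for live DNS: an invented CRM include, an invented mail provider whose include fans out into three nested includes, a macro-based exists record, an over-long record and an include loop. Nothing in it reproduces the real _spf.salesforce.com, so the counts say nothing about Salesforce's actual cost; the Received headers are constructed as well.

```python
"""Count SPF DNS lookups over the whole include tree and check a connecting IP
against the published prefixes, using a constructed zone instead of live DNS.

Added example, not Salesforce's or any provider's code; every record in ZONE
is made up and the real _spf.salesforce.com is not reproduced here.
"""
import ipaddress
import re

MAX_LOOKUPS = 10                                   # RFC 7208 section 4.6.4
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed zone (see module docstring).
ZONE = {
    "example.com": "v=spf1 include:_spf.crm.example include:_spf.mail.example ip4:203.0.113.0/24 -all",
    "_spf.crm.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:1::/48 -all",
    "_spf.mail.example": "v=spf1 include:_nb1.mail.example include:_nb2.mail.example include:_nb3.mail.example ~all",
    "_nb1.mail.example": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_nb2.mail.example": "v=spf1 ip4:192.0.2.128/26 ~all",
    "_nb3.mail.example": "v=spf1 ip4:192.0.2.192/26 ~all",
    "macro.example": "v=spf1 exists:%{i}._spf.mta.macro.example -all",
    "bloated.example": "v=spf1 " + " ".join(f"include:_nb{i % 3 + 1}.mail.example" for i in range(12)) + " -all",
    "loop.example": "v=spf1 include:loop.example -all",
}


class SPFPermError(Exception):
    """Conditions a verifier reports as permerror."""


def walk(domain, zone, state=None, stack=()):
    """Walk the SPF tree under domain and return (lookups, networks, unresolvable).

    lookups counts every DNS-querying term in the whole tree; networks are the
    ip4/ip6 prefixes found; unresolvable lists a/mx/ptr/exists terms that need
    live DNS (counted toward the limit, but not expanded here).
    """
    if state is None:
        state = {"lookups": 0, "networks": [], "unresolvable": []}
    if domain in stack:
        raise SPFPermError(f"include loop through {domain}")
    record = zone.get(domain)
    if record is None or not record.startswith("v=spf1"):
        raise SPFPermError(f"no SPF record for {domain}")
    for term in record.split()[1:]:
        body = term.lstrip("+-~?")                  # drop the qualifier
        name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
        arg = body[len(name) + 1:] if body[len(name):len(name) + 1] in (":", "=") else ""
        if name in LOOKUP_TERMS:
            state["lookups"] += 1
            if state["lookups"] > MAX_LOOKUPS:
                raise SPFPermError(f"more than {MAX_LOOKUPS} DNS lookups")
        if name in ("include", "redirect"):
            walk(arg, zone, state, stack + (domain,))
        elif name in ("ip4", "ip6"):
            state["networks"].append(ipaddress.ip_network(arg, strict=False))
        elif name in LOOKUP_TERMS:
            state["unresolvable"].append(f"{term} (in {domain})")
    return state["lookups"], state["networks"], state["unresolvable"]


def budget_report(domain, zone=ZONE):
    try:
        lookups, networks, unresolvable = walk(domain, zone)
    except SPFPermError as exc:
        return {"result": "permerror", "reason": str(exc)}
    return {"result": "ok", "lookups": lookups, "remaining": MAX_LOOKUPS - lookups,
            "prefixes": len(networks), "needs_live_dns": unresolvable}


def connecting_ip(raw_headers):
    """IP that handed the message to your edge MTA: the bracketed address in the
    topmost Received header, which your own server added. Assumes no inbound
    forwarder sits in front of you (a forwarder would be the connecting host)."""
    for line in raw_headers.splitlines():
        if line.lower().startswith("received:"):
            m = re.search(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]", line)
            if m:
                return ipaddress.ip_address(m.group(1))
    raise ValueError("no Received header with a bracketed IP")


def spf_check(ip, domain, zone=ZONE):
    """'pass' if ip is inside a published prefix; 'not_listed' if the tree is fully
    resolvable and does not contain it; 'unknown' when a/mx/ptr/exists terms mean
    only a live evaluation can answer."""
    ip = ipaddress.ip_address(ip)
    _, networks, unresolvable = walk(domain, zone)
    if any(ip in net for net in networks):
        return "pass"
    return "unknown" if unresolvable else "not_listed"


# Constructed headers for a message the CRM provider relayed into mx.example.com.
RECEIVED = """Received: from mta7.crm-provider.example (mta7.crm-provider.example [198.51.100.42])
\tby mx.example.com with ESMTPS id k3x9 for <ops@example.com>
Received: from app-node-3.internal (localhost [127.0.0.1])
\tby mta7.crm-provider.example with ESMTP id a1b2
From: Salesforce Alerts <alerts@example.com>
"""

if __name__ == "__main__":
    for d in ("example.com", "macro.example", "bloated.example", "loop.example"):
        print(d, budget_report(d))
    print(connecting_ip(RECEIVED), spf_check(connecting_ip(RECEIVED), "example.com"))
```

Against the constructed zone, example.com costs five lookups although it contains only two include: terms, and a dedicated IP that is not inside any published prefix comes back as not_listed; a record that relies on an exists: macro answers unknown, because such terms cannot be flattened into prefixes and must be evaluated live.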

Managed SPF (an SPF flattening service) replaces nested includes with the ip4 and ip6 prefixes they resolve to, freeing lookup budget for additional providers. Two caveats apply to any flattening: provider prefixes change, so a flattened record must be regenerated continuously or it silently stops covering new sending IPs; and mechanisms that depend on the connecting IP at evaluation time, such as exists: with macros, cannot be flattened at all and still cost a lookup each.
