Introduction
Salesforce sends mail from sales reps, automated workflows, and marketing automation. Each flow needs DMARC alignment. This article covers the setup.
Why this topic matters
Salesforce defaults to sending mail through Salesforce-owned servers. Without configuration, alignment fails. Properly configured, it aligns.
The Salesforce setup options
Three configurations:
Option 1: Email Relay through your own mail server
Salesforce sends mail through your SMTP infrastructure. Authentication uses your normal setup.
Option 2: Salesforce-managed sending with custom DKIM
Salesforce signs with your domain. Requires custom DKIM setup.
Option 3: Hybrid (some via relay, some via Salesforce)
Common; each flow needs separate authentication.
Step-by-step approach
- Decide architecture. Relay vs. Salesforce-managed.
- For relay: configure your SMTP, include in SPF.
- For Salesforce-managed: enable custom DKIM in Salesforce.
- Publish required DNS records.
- Verify alignment in DMARC reports.
Best practices
- Standardize architecture. Hybrid setups multiply complexity.
- Configure custom DKIM for Salesforce-managed sending.
- Pair with Salesforce administrator for setup.
- Watch SPF lookup budget when adding Salesforce.
- Document the configuration explicitly.
Recommended next step
Identify which Salesforce flows are active in your org. Each needs DMARC alignment.
FAQ
Does Salesforce support custom DKIM?
Yes — in Email Setup with proper configuration.
What about sales rep "from me" emails?
If sent through Salesforce infrastructure, same authentication applies.
Does Salesforce alignment work with strict mode?
Yes if signing exactly matches the From domain.
What about Pardot / Marketing Cloud?
Different products with own DKIM setup. Configure each.
How does Salesforce Inbox affect DMARC?
Salesforce Inbox is a productivity layer; underlying authentication follows whatever the org uses.
Final thoughts
Salesforce + DMARC requires deliberate configuration. Choose your architecture; configure once; verify continuously.