PowerDMARC

Salesforce DMARC, SPF, and DKIM Setup Guide


For Salesforce users who wish to take their email security to the next level, improve their email deliverability over time, and reach Google and Yahoo inboxes without getting blocked, this is the article for you! To further enhance email communication security, Salesforce supports email authentication protocols like DMARC, SPF, and DKIM. If you wish to protect your domain from email-based attacks and reduce spam complaints on your emails, it is essential to implement these authentication protocols. Setting them up with your Salesforce account can help verify that your emails are genuine and trustworthy.

Sender Policy Framework (SPF) ensures that only authorized servers can send emails on behalf of your domain, while DomainKeys Identified Mail (DKIM) uses cryptographic keys to verify whether your email has been tampered with. SPF and DKIM can be combined with DMARC (Domain-based Message Authentication, Reporting, and Conformance) to start preventing spoofing and phishing attacks.

This article explains how to add SPF, DKIM, and DMARC records to your Salesforce account. Let’s dive right in!

How to Add an SPF Record for Salesforce

Setting up an SPF record for your Salesforce account is essential, as Salesforce publishes a dedicated SPF include so that emails sent from your account can pass SPF checks.

Find the instructions for adding Salesforce to your SPF record below.

1. Include Salesforce’s SPF Entry

Include the specific SPF entry in your domain’s SPF record to send emails from Salesforce:

_spf.salesforce.com

Sample SPF Record for Salesforce

A sample SPF record for Salesforce might look like this:

v=spf1 mx include:_spf.salesforce.com ~all

This is the simplest SPF record. It specifies that your domain is allowed to send emails through Salesforce. You can also configure multiple “include” mechanisms to authorize other third-party domains to send emails on your behalf. It’s important to authorize these sources in the same SPF record instead of creating a new record for the same domain.

2. Create Your SPF Record

To create an error-free SPF record, we recommend using an SPF Record Generator tool.

3. Test and Validate Your SPF Record

You must test your SPF record after setting it up to ensure proper functionality. An SPF Checker Tool can be used to help validate the record.

Here’s how to use the tool:

You will get a “Valid” status if your SPF record is correct.
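To make step 3 concrete, here is an added example (not Salesforce's SPF tooling and not PowerDMARC's checker) of the checks an SPF validator performs before it touches DNS: it picks out the single v=spf1 record among a domain's TXT records, verifies that the record starts with v=spf1 and ends with an all mechanism, flags +all, and counts the terms that cost a DNS lookup against the RFC 7208 limit of 10. The TXT records in the demo are constructed, and _spf.other-sender.example is a placeholder for a second sending service.

```python
"""Offline SPF record linter.

Added example, not Salesforce's or PowerDMARC's tooling. It checks the text of
an SPF record the way a checker would before any DNS resolution: syntax, the
'all' qualifier, a single record per domain, and the RFC 7208 lookup limit.
"""
from typing import List, Optional, Tuple

# Mechanisms that cost a DNS lookup (RFC 7208 section 4.6.4); 'redirect=' counts too.
DNS_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LOOKUP_LIMIT = 10


def select_spf_record(txt_records: List[str]) -> Tuple[Optional[str], List[str]]:
    """Pick the single SPF record out of a domain's TXT records.

    More than one 'v=spf1' record is a permanent error for receivers, so every
    authorized source must be listed in one record.
    """
    spf = [r for r in txt_records if r.strip().lower().startswith("v=spf1")]
    if not spf:
        return None, ["no SPF record found"]
    if len(spf) > 1:
        return None, [f"{len(spf)} SPF records found; merge them into one record"]
    return spf[0], []


def lint_spf(record: str) -> List[str]:
    """Return the problems found in `record`; an empty list means it looks valid."""
    problems: List[str] = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must begin with 'v=spf1'"]

    lookups = 0
    saw_all = False
    for term in terms[1:]:
        if saw_all:
            problems.append(f"term {term!r} comes after 'all' and is ignored")
            continue
        qualifier, body = "+", term
        if term[0] in "+-~?":
            qualifier, body = term[0], term[1:]

        if "=" in body:  # modifier such as redirect=... or exp=...
            name = body.split("=", 1)[0].lower()
            if name == "redirect":
                lookups += 1
            continue

        # mechanism name, stripped of its ':argument' or '/cidr' suffix
        name = body.split(":", 1)[0].split("/", 1)[0].lower()
        if name == "all":
            saw_all = True
            if qualifier == "+":
                problems.append("'+all' authorizes every sender; use '~all' or '-all'")
        elif name in DNS_LOOKUP_MECHANISMS:
            lookups += 1
            if name == "ptr":
                problems.append("'ptr' is deprecated and slow; avoid it")
            if name in ("include", "exists") and ":" not in body:
                problems.append(f"'{name}' needs a domain argument")
        elif name not in ("ip4", "ip6"):
            problems.append(f"unknown mechanism {name!r}")

    if not saw_all:
        problems.append("record should end with an 'all' mechanism (for example '~all')")
    if lookups > LOOKUP_LIMIT:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of {LOOKUP_LIMIT}")
    return problems


if __name__ == "__main__":
    # Constructed TXT records for a domain that sends through Salesforce and one other service.
    txt = [
        "google-site-verification=abc123",
        "v=spf1 mx include:_spf.salesforce.com include:_spf.other-sender.example ~all",
    ]
    record, errors = select_spf_record(txt)
    print(record, errors, lint_spf(record) if record else None)
```

A real checker also resolves each include recursively, so a record that looks short can still exceed the ten-lookup limit; the count here covers only the terms visible in the record itself.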

Additional Resources

For more information, check out Salesforce’s SPF setup guide.

How to Add a DKIM Record for Salesforce

Here are the instructions on creating DKIM keys in Salesforce.

1. Navigate to DKIM Settings

In the Salesforce setup, locate the Quick Find box. Enter “DKIM Keys” and select this option.

2. Create a New DKIM Key

After selecting “DKIM Keys”, click “Create New Keys”. This will create the DKIM key pair in an inactive state by default.

Select RSA Key Size

Select the RSA key size according to your organization’s requirements. Consider the limitations of your email recipients before you select a key size, and be aware of any security regulations that apply to your organization.

3. Enter a Selector Name

Your DKIM selector is a unique identifier that recognizes your DKIM key. Enter a unique name to differentiate this key from others.

4. Set an Alternate Selector

The Alternate selector allows Salesforce to automatically rotate your DKIM keys for enhanced security.

5. Enter the Domain Name

After that, you need to specify a domain name. This name is used to send emails from your Salesforce account. The domain name cannot be changed once set.

6. Define Domain Match Pattern

You can also control when Salesforce will sign an email with a DKIM key. This can be done with a domain match pattern. You need to use a comma-separated list of patterns.

7. Save Changes

Save your changes after you have completed all the steps above. Salesforce will then publish the TXT record for the DKIM key in DNS; the CNAME records you add in the next step point to it.

8. Add CNAME Records to Your DNS

Add the CNAME and alternate CNAME records to your domain’s DNS before activating the DKIM key on your domain.

9. Wait for DNS Publication

DNS changes can take some days to propagate. The CNAME and alternate CNAME records will appear on the DKIM Key Details page once propagation is complete.

10. Activate the DKIM Key

Get back to the DKIM Key details page after publishing the record. Activate the DKIM key.

Note: Salesforce rotates keys after 30 days. Therefore, once you activate the key, your secondary, inactive key will automatically be generated.

How to Set Up DMARC for Salesforce

DMARC instructs recipient servers on how to handle emails that fail SPF and DKIM authentication checks. Note that Salesforce does not supply DMARC configuration itself, so it recommends working with an outside vendor like PowerDMARC to configure the protocol.

The correct DMARC implementation is necessary to prevent any configuration issues. Here are the instructions on how to add a DMARC record for Salesforce.

1. Select a DMARC Version

The standard version of DMARC is version 1, which looks like this: v=DMARC1

2. Choose a DMARC Policy

There are three DMARC policies (the p= tag) that dictate how recipient servers should handle emails failing authentication checks.

p=none (monitor): This is the first policy to be activated. With this policy, no action is taken on emails that fail SPF and DKIM checks; they are delivered as normal and the failures are only reported. This policy must be used when initially setting up DMARC.

p=quarantine: This policy quarantines the emails that fail SPF and DKIM authentication. It marks the emails as spam to alert the user about suspicious emails.

p=reject: As the name indicates, this policy rejects the emails that fail authentication. It is usually the last goal to achieve after implementing DMARC.

3. Choose SPF and DKIM Alignment Modes (Optional)

Here’s a breakdown of how SPF and DKIM alignment work with DMARC (set with the aspf= and adkim= tags; both default to relaxed):

SPF strict (aspf=s): The strict SPF alignment mode requires an exact match between the domain in the “Return-Path” (envelope sender) and the domain in the “From” header.

SPF relaxed (aspf=r): The relaxed SPF alignment mode allows a pass as long as the “Return-Path” domain (envelope sender) and the “From” header domain are an organizational match, even if they are not an exact match.

DKIM strict (adkim=s): The domain in the DKIM signature (the d= tag in the DKIM-Signature header) must exactly match the domain in the “From” address.

DKIM relaxed (adkim=r): In relaxed mode, the domain in the DKIM signature can either be the same as, or share the same organizational domain as, the domain in the “From” address.

4. Specify a Percentage Tag (Optional)

This specifies the percentage of emails to which the DMARC policy is applied. pct=100 means that the defined policy is applied to 100% of emails. Start with a lower percentage when setting up DMARC; after regular monitoring, you can increase it.

5. Enable DMARC Reporting (Optional but Recommended)

Aggregate Reporting

The DMARC aggregate report provides valuable data on your email authentication results. Receiving an aggregate report requires setting up the RUA tag. Aggregate reports are received either daily or weekly, come in XML format, and do not contain PII (Personally Identifiable Information). 

The report provides information such as the sending IP address, email count, SPF/DKIM identifiers and results, etc. The DMARC record points the rua tag to the email specified by the domain owner to receive aggregate reports. Here is an example: 

rua=mailto:reports@yourdomain.com

Forensic Reporting

A DMARC forensic report includes information on individual emails. It requires setting the RUF tag in your DMARC record. In contrast with DMARC aggregate reports, which are received every 24 hours, a DMARC forensic report is generated whenever an email fails DMARC authentication. Forensic reports come in plain text and may contain sensitive information.

ruf=mailto:reports@yourdomain.com

It is also important to note that not all DMARC-compliant mailbox providers support the generation of DMARC forensic reports. 

6. Define the Time to Live (TTL)

When initially configuring DMARC, you can set the Time to Live (TTL) to 600 seconds. This is helpful for quicker propagation. You can adjust the TTL later to 3600 seconds, to reduce the frequency of DNS queries, which reduces the load on the DNS server.
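Pulling steps 1 to 6 together, and the alignment modes from step 3, here is an added example (not Salesforce's or PowerDMARC's code) that builds a DMARC record from those tags, parses it back with the RFC 7489 defaults, and evaluates a message's identifiers against it: an aligned SPF pass or an aligned DKIM pass gives a DMARC pass, otherwise the p= policy applies, with pct= sampling sending the remainder to the next less strict policy as RFC 7489 specifies. Two assumptions are made for the example: the organizational domain is taken as the last two labels of a name (real receivers consult the Public Suffix List), and the pct sampling draw is supplied by the caller instead of being random. The domains other-sender.example and bounce.yourdomain.com are placeholders.

```python
"""Build, parse and apply a DMARC record.

Added example, not Salesforce's or PowerDMARC's code. Assumptions: the
organizational domain is the last two labels of a name (real receivers use the
Public Suffix List), and the pct= sampling draw is supplied by the caller.
"""
from typing import Dict, Optional, Tuple

POLICIES = ("none", "quarantine", "reject")
# A failing message outside the pct= sample gets the next less strict policy (RFC 7489 6.6.4).
NEXT_LESS_STRICT = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def build_dmarc(p: str, rua: Optional[str] = None, ruf: Optional[str] = None,
                aspf: str = "r", adkim: str = "r", pct: int = 100) -> str:
    """Assemble the TXT record text from the tags chosen in steps 1 to 5."""
    if p not in POLICIES:
        raise ValueError(f"unknown policy {p!r}")
    tags = [("v", "DMARC1"), ("p", p), ("aspf", aspf), ("adkim", adkim), ("pct", str(pct))]
    if rua:
        tags.append(("rua", f"mailto:{rua}"))
    if ruf:
        tags.append(("ruf", f"mailto:{ruf}"))
    return "; ".join(f"{k}={v}" for k, v in tags)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse 'tag=value; tag=value' text into a dict, filling in RFC 7489 defaults."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    tags.setdefault("aspf", "r")
    tags.setdefault("adkim", "r")
    tags.setdefault("pct", "100")
    return tags


def organizational_domain(domain: str) -> str:
    # Assumption for the example: last two labels. Real implementations consult the PSL.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from: str, auth_domain: Optional[str], mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return organizational_domain(header_from) == organizational_domain(auth_domain)


def evaluate(tags: Dict[str, str], header_from: str,
             spf_domain: Optional[str], spf_result: str,
             dkim_domain: Optional[str], dkim_result: str,
             sample: float = 0.0) -> Tuple[str, str]:
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the domain SPF authenticated (Return-Path), dkim_domain the
    d= of a verified signature; `sample` is a 0..1 draw used for pct=
    (assumption: the caller supplies it so the result is reproducible).
    """
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    if sample * 100 >= int(tags["pct"]):
        return "fail", NEXT_LESS_STRICT[tags["p"]]
    return "fail", tags["p"]


if __name__ == "__main__":
    record = build_dmarc("quarantine", rua="reports@yourdomain.com", pct=50)
    print(record)
    tags = parse_dmarc(record)
    # Legitimate mail: Return-Path on a subdomain (relaxed SPF alignment), DKIM d= on the From domain.
    print(evaluate(tags, "yourdomain.com", "bounce.yourdomain.com", "pass", "yourdomain.com", "pass"))
    # Spoofed mail: SPF passes for an unrelated domain, no DKIM signature at all.
    print(evaluate(tags, "yourdomain.com", "other-sender.example", "pass", None, "none"))
```

Switching aspf= from r to s in the record is enough to turn the first message into a failure, which is the practical reason the guide suggests starting with relaxed alignment and a low pct before tightening either.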

DMARC Generators and Tools

You can use PowerDMARC’s automated DMARC record generator tool to simplify the DMARC record generation process. PowerDMARC offers various managed DMARC solutions, along with granular monitoring, and reporting options. The combined effort of these advanced options helps you configure technical protocols like DMARC, without the hassle or added complexity. 

Final Words

Implementing email authentication is vital for strengthening the security of your Salesforce emails. It is up to you to protect your domains from email-based threats.

Setting up these email authentication protocols can also be made easier with PowerDMARC. For more details on implementation, you can contact us or start your free trial now!

By Ayan Bhuiya