Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM)
Email Deliverability Explained: In this series, we explore how to improve inbox placement for your marketing and fundraising campaigns
You can send as many clever, elegantly crafted marketing emails as you like — but none of your work matters if these messages don’t appear in your recipients’ inboxes.
How do we land messages in inboxes, rather than spam folders or promotions tabs? In this series, we explore how to improve inbox placement for your marketing emails.
Email Spoofing is Very Easy
Email spoofing — that is, sending messages ‘from’ a fake sender address — is very easy to do. I could fire off an email today and say it’s coming ‘from’ an address at @yourorganization.org. Obviously, I don’t work for your organization, and I don’t have access to an email address on your organization’s domain. Sending this message would make me an imposter.
However, the ability to send an email ‘from’ whoever, on whatever platform, is a useful feature. This flexibility lets you send email from real persons @yourorganization.org through Gmail, Outlook, Salesforce, MailChimp, Constant Contact, Emma, a custom script, or whatever other platform you’d like to use, whenever you’d like to use them.
So then, how do we weed out spoofed messages?
DKIM and SPF Work Together to Thwart Email Spoofing
In order to keep spammy, malicious, or phishing messages out of your inbox, mail service providers (MSPs) rely upon a lock-and-key system for senders to prove that they really do have the approval and authority to send messages ‘from’ a given domain.
DomainKeys Identified Mail (DKIM) is the key, and Sender Policy Framework (SPF) is the lock. Once you set up DKIM Keys for your email marketing platform, each outgoing message will be affixed with a digital signature — a DKIM Key — that ‘unlocks’ a lock you’ve published in your domain configuration (an SPF record). Recipients’ MSPs can take the key received alongside your email message, and look up whether it’s legit by checking DNS records.
Below, you’ll find step-by-step instructions to configure DKIM Keys in Salesforce, SPF records for your domain, and activate this lock-and-key system.
To configure DKIM Keys for Salesforce, and their corresponding SPF records on your domain, you’ll need to be a system administrator in Salesforce, and have login access to the platform where your organization has registered its domain (which may or may not be the same as your web host or content management system). You’ll also need a dab of patience, as the configuration process involves up to 2 days of waiting for various records to propagate.
Configuring DKIM Keys in Salesforce
To create DKIM Keys in Salesforce, navigate to Setup > Email > DKIM Keys (or search for “DKIM Keys” in the Quick Find box). Click “Create New Key” to get started.
The Selector and Alternate Selector are up to you — they’re names for your keys. (If you’re creating keys for many different domains, subdomains, and platforms, you might want to come up with a good naming convention to keep it all straight! But otherwise, you can choose something generic, like, YourOrganization001 and YourOrganization002.)
The domain is the part of your email addresses that comes after the @ sign. For example, in the email address allison@yourorganization.org, yourorganization.org is the domain.
Subdomains may appear before the domain, to subdivide it. For example, in the addresses allison@mail.yourorganization.org and allison@students.yourorganization.org, mail and students are subdomains.
Depending on your organization’s email address conventions and subdomain setup, you may wish to configure a Domain Match on “exact domain only” (meaning, exactly what you entered into the box above, no subdomains allowed), “subdomains of the domain only” (meaning, only subdomains allowed), or “exact domain and subdomains” (meaning, anything goes, so long as the domain is correct).
After you hit save, Salesforce will begin generating DKIM Key(s). It takes about a minute, so now is a great time to grab another cup of coffee. ☕ Then come back, and hit refresh on the results page. You’ll find a CNAME Record, and potentially an Alternate CNAME Record if you chose to configure an Alternate Selector. This is the exact syntax you’ll need to set up your SPF records.
Configuring SPF Records for Your Domain
A Canonical Name (CNAME) record is a type of DNS record that maps a domain alias to your domain. It’s what you’ll use to create the SPF record that says “this over here from Salesforce is approved to map to this over here on my domain.”
Depending on what platform you use to manage your domain, creating a CNAME record may be done via a user interface or a text file. Follow instructions provided by your domain management platform for creating CNAME records, and input the text that Salesforce generated when you set up your DKIM Key(s).
Depending on your organization, this may be a step that you hand off to an IT department. Make sure you give them the exact text that Salesforce generated for CNAME Record and Alternate CNAME Record.
Activating DKIM Keys in Salesforce
Once you’ve published your SPF record(s), Salesforce needs between 2 and 48 hours to read and validate these records. Once validated, you can return to your DKIM Key setup and you should see an option to Activate your DKIM Keys.
If it has been more than two days since you published your SPF (CNAME) record(s) and you do not see an option to activate your DKIM Keys, then something has gone wrong with the configuration of your CNAME record(s). Double-check the syntax provided by Salesforce against what was entered in your CNAME record(s).
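One way to run that double-check mechanically, as an added example that is not from the original article or from Salesforce: paste the CNAME name and target Salesforce displayed, plus the lines your DNS host actually publishes (zone-file or `dig` answer format), and the function names the usual entry mistakes. The sample record name follows the standard DKIM `selector._domainkey.domain` layout and the target is a constructed placeholder, not a real Salesforce hostname.

```python
# Added example. All names and targets below are constructed placeholders.

def fqdn(name):
    """Normalise a DNS name for comparison: trim, lower-case, drop trailing dot."""
    return name.strip().lower().rstrip(".")

def parse_records(text):
    """Parse 'name [ttl] [IN] TYPE value' lines, as in dig output or a zone file."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(";"):
            continue  # blank line, comment, or too short to be a record
        i = 1
        while i < len(fields) - 1 and (fields[i].isdigit() or fields[i].upper() == "IN"):
            i += 1  # skip optional TTL and class
        rtype, value = fields[i].upper(), " ".join(fields[i + 1:])
        records.append((fqdn(fields[0]), rtype, fqdn(value) if rtype == "CNAME" else value))
    return records

def check_cname(expected_name, expected_target, domain, published_text):
    """Return a list of problems; an empty list means the published record matches."""
    name, target, zone = fqdn(expected_name), fqdn(expected_target), fqdn(domain)
    records = parse_records(published_text)
    here = [r for r in records if r[0] == name]
    if not here:
        # Many DNS panels append the zone automatically, doubling a pasted full name.
        if any(r[0] == name + "." + zone for r in records):
            return ["name has the domain appended twice: %s.%s" % (name, zone)]
        return ["no record published at " + name]
    cnames = [r for r in here if r[1] == "CNAME"]
    if not cnames:
        return ["record at %s is %s, not CNAME" % (name, here[0][1])]
    problems = []
    for _, _, got in cnames:
        if got == target + "." + zone:
            problems.append("target has the domain appended (missing trailing dot?): " + got)
        elif got != target:
            problems.append("target mismatch: expected %s, found %s" % (target, got))
    return problems

EXPECTED_NAME = "yourorganization001._domainkey.yourorganization.org"
EXPECTED_TARGET = "yourorganization001.dkim-target.example"  # placeholder target
DOMAIN = "yourorganization.org"
PUBLISHED_OK = EXPECTED_NAME + ". 3600 IN CNAME " + EXPECTED_TARGET + "."
PUBLISHED_DOUBLED = EXPECTED_NAME + "." + DOMAIN + ". 3600 IN CNAME " + EXPECTED_TARGET + "."

if __name__ == "__main__":
    for label, text in (("ok", PUBLISHED_OK), ("doubled", PUBLISHED_DOUBLED)):
        print(label, check_cname(EXPECTED_NAME, EXPECTED_TARGET, DOMAIN, text) or "matches")
```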
Your DKIM Keys do need to be activated in order to work! But once they are, you’re ready to send email through Salesforce without your recipients’ MSPs questioning the legitimacy of your messages.