How to Configure DMARC for Salesforce Email Sending
Set up DMARC for Salesforce CRM and Marketing Cloud. Covers SPF, DKIM configuration, email relay options, and fixing common alignment failures.
Last updated: 2026-01-28
Salesforce sends a lot of email on behalf of your domain — sales outreach from CRM, automated workflows, case notifications, and full-scale campaigns from Marketing Cloud. Without proper DMARC setup, those emails are at risk of failing authentication checks and landing in spam or being rejected entirely.
The challenge with Salesforce is that it has multiple ways to send email, and each one handles authentication differently. This guide walks you through configuring DMARC so that all your Salesforce email passes authentication, whether it is coming from Sales Cloud, Service Cloud, or Marketing Cloud. If you manage Salesforce instances for multiple clients, our DMARC for agencies guide covers multi-domain best practices.
How Salesforce Sends Email
Salesforce has two main email sending paths, and understanding the difference is key to getting DMARC right.
Salesforce CRM (Sales Cloud, Service Cloud) sends email from Salesforce's own mail servers by default. When a sales rep sends an email from a Salesforce record, or an automated workflow triggers a notification, the message goes through Salesforce's infrastructure. The "From" address shows your domain, but the envelope sender (return path) is a Salesforce address. This mismatch is what causes SPF alignment to fail under DMARC.
Salesforce Marketing Cloud operates separately and has its own email infrastructure. Marketing Cloud uses a Sender Authentication Package (SAP) that gives you a custom return path domain and dedicated IP addresses. When properly configured, Marketing Cloud can achieve both SPF and DKIM alignment.
If you use both Salesforce CRM and Marketing Cloud, treat them as two separate sending sources. Each needs its own authentication configuration, and both need to be accounted for in your DMARC setup.
Setting Up SPF for Salesforce
For Salesforce CRM emails to pass SPF, your SPF record needs to include Salesforce's mail servers. Add the following to your domain's SPF record:
include:_spf.salesforce.com
A complete SPF record for a domain using Salesforce and Google Workspace might look like this:
v=spf1 include:_spf.google.com include:_spf.salesforce.com ~all
If you use additional sending services, they need to be included as well. You can build a complete SPF record at spfcreator.com.
For Marketing Cloud, the SPF include depends on your configuration. If you have a Sender Authentication Package, your Marketing Cloud consultant or documentation will provide the specific SPF include to use.
The Email Relay Option
Salesforce offers an alternative to sending directly from its servers: email relay. With email relay, Salesforce routes outgoing email through your own mail server (or a service like Google Workspace or Microsoft 365) before it reaches the recipient. This means the email goes out from your authorized servers, making SPF alignment much simpler.
To set up email relay in Salesforce, go to Setup > Email > Email Relay. You will need to configure the relay host and optionally restrict which emails use the relay. Email relay is especially useful if you have a strict DMARC policy because it gives you direct control over the sending infrastructure.
Setting Up DKIM for Salesforce
Salesforce CRM supports DKIM signing natively. Here is how to enable it.
Navigate to DKIM settings in Salesforce
In Salesforce Setup, search for "DKIM Keys" in the Quick Find box. This opens the DKIM key management page where you can create signing keys for your domain.
Create a new DKIM key
Click Create New Key. Select your key size (2048-bit is recommended), enter your domain name, and choose a selector name. The selector is a label that helps identify the key — something like sf or salesforce works well.
Publish the DNS records
Salesforce will give you CNAME records to add to your domain's DNS. These records point to Salesforce-hosted DKIM keys. Add the CNAME records at your DNS provider and wait for propagation.
Activate the key in Salesforce
Once the DNS records are live, go back to the DKIM Keys page in Salesforce and activate the key. Salesforce will verify the DNS records are in place and begin signing outgoing emails with your domain's DKIM signature.
For Marketing Cloud, DKIM is configured through the Sender Authentication Package. Your Marketing Cloud account manager or setup process will guide you through the specific DNS records to publish. You can generate additional DKIM records at dkimcreator.com.
The Recommended DMARC Record for Salesforce Users
For organizations using Salesforce, we recommend starting with a monitoring-only policy:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100;
This gives you visibility into how all your Salesforce-originated emails are performing against SPF and DKIM checks without risking delivery failures. Replace the email address with one you monitor regularly.
Adding the DMARC Record to DNS
Add a TXT record to your domain's DNS with the name _dmarc and the value set to your DMARC record string. If you are not sure how to add DNS records, see our step-by-step DMARC setup guide for detailed instructions for common DNS providers.
After saving, verify the record is live at dmarcrecordchecker.com. Most DNS changes take effect within a few minutes to an hour.
Common Salesforce DMARC Failures and Fixes
SPF Alignment Fails for CRM Emails
This is the most common Salesforce DMARC issue. Salesforce CRM sends email from its own servers using a Salesforce return path, which means the envelope sender domain does not match your "From" domain. SPF passes (because Salesforce's servers are authorized by their own SPF record), but SPF alignment fails because the domains do not match.
Fix: Make sure DKIM is enabled and working. If DKIM alignment passes, your DMARC result will still be a pass even if SPF alignment fails. Alternatively, set up email relay so that messages route through your own servers, which fixes SPF alignment entirely. For a clear explanation of how SPF and DKIM each contribute to DMARC, read SPF vs DKIM vs DMARC.
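The alignment logic described above, as an added example that is not part of the original guide or of Salesforce's tooling: it evaluates DMARC for the CRM default path, CRM with DKIM enabled, and email relay. The function names, the placeholder return-path domain `bounce.sf-mail.example`, and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
# Added example: DMARC identifier alignment for the Salesforce sending paths.
# Assumption: the organizational domain is approximated as the last two labels;
# a real evaluator uses the Public Suffix List (so "example.co.uk" is handled).

def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode="r"):
    """mode 'r' = relaxed (same organizational domain), 's' = strict (exact match)."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def evaluate(header_from, mail_from, spf_result, dkim_sigs, aspf="r", adkim="r"):
    """dkim_sigs is a list of (d= domain, result) pairs, one per signature."""
    spf_ok = spf_result == "pass" and aligned(header_from, mail_from, aspf)
    dkim_ok = any(res == "pass" and aligned(header_from, d, adkim)
                  for d, res in dkim_sigs)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# Constructed scenarios. "bounce.sf-mail.example" stands in for the Salesforce
# return-path domain; it is a placeholder, not a real Salesforce hostname.
SCENARIOS = {
    # CRM default: SPF passes for the Salesforce return path, no DKIM for your domain
    "crm_no_dkim": ("yourdomain.com", "bounce.sf-mail.example", "pass", []),
    # CRM with a DKIM key activated for your domain
    "crm_dkim": ("yourdomain.com", "bounce.sf-mail.example", "pass",
                 [("yourdomain.com", "pass")]),
    # Email relay, assuming the relayed message carries your domain as envelope sender
    "relay": ("yourdomain.com", "yourdomain.com", "pass", []),
}

def run_scenarios():
    return {name: evaluate(*args) for name, args in SCENARIOS.items()}

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:12} {result}")
```

Passing `adkim="s"` or `aspf="s"` shows how a strict alignment tag in the DMARC record turns a subdomain signature or return path into a failure.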
Marketing Cloud Emails Fail DMARC
If Marketing Cloud emails are failing DMARC, the usual cause is an incomplete Sender Authentication Package setup. The SAP configures your custom return path domain and DKIM signing, and both are needed for alignment. Check with your Marketing Cloud admin to confirm the SAP is fully deployed and the DNS records are live.
Automated Notifications Fail Authentication
Salesforce sends various automated emails — case notifications, workflow alerts, approval requests. These often use the running user's email address as the "From" address. If DKIM is not enabled for your domain in Salesforce, these messages will fail DKIM alignment. And if the return path is Salesforce's own domain, SPF alignment fails too.
Fix: Enable DKIM signing in Salesforce Setup (see the steps above). This ensures all outgoing email from Salesforce, including automated messages, carries a valid DKIM signature for your domain.
Moving to Enforcement
After collecting DMARC reports at p=none for at least two to three weeks, review the data carefully. Look for:
- CRM emails that pass DKIM but fail SPF (normal, and fine as long as DKIM passes)
- Marketing Cloud emails that pass both SPF and DKIM (expected with a complete SAP)
- Any Salesforce-originated email that fails both SPF and DKIM (this needs to be fixed before enforcing)
When you are confident that all Salesforce email is passing DMARC through at least one alignment mechanism, move to p=quarantine; pct=25; and gradually increase the percentage. Monitor for a week at each level before tightening further. The goal is to reach p=reject without disrupting your sales team's email or your marketing campaigns.
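One way to run the review described above over an aggregate (rua) report, as an added example that is not part of the original guide: it sorts each record into the three cases from the list, plus an SPF-only case, and names the sources that fail both mechanisms. The sample report, the bucket names, and the functions `triage` and `ready_to_enforce` are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed report in the RFC 7489 aggregate layout (no XML namespace); IPs are
# documentation addresses. Reports come from outside parties, so production code
# should parse them with a hardened parser such as defusedxml.
SAMPLE_REPORT = """<feedback>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers></record>
 <record><row><source_ip>192.0.2.20</source_ip><count>45</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>8</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers></record>
</feedback>"""

# (aligned DKIM, aligned SPF) as evaluated by the receiver -> review bucket
BUCKETS = {
    ("pass", "fail"): "dkim_only",  # normal for CRM mail with a Salesforce return path
    ("pass", "pass"): "both_pass",  # expected for Marketing Cloud with a complete SAP
    ("fail", "pass"): "spf_only",   # passes DMARC, but DKIM for your domain is not working
    ("fail", "fail"): "both_fail",  # must be fixed before enforcing
}

def triage(report_xml):
    """Return (message totals per bucket, message counts per failing source IP)."""
    totals, failing = Counter(), Counter()
    for rec in ET.fromstring(report_xml).iter("record"):
        count = int(rec.findtext("row/count", "0"))
        dkim = rec.findtext("row/policy_evaluated/dkim", "fail")
        spf = rec.findtext("row/policy_evaluated/spf", "fail")
        bucket = BUCKETS.get((dkim, spf), "both_fail")
        totals[bucket] += count
        if bucket == "both_fail":
            failing[rec.findtext("row/source_ip", "unknown")] += count
    return totals, failing

def ready_to_enforce(totals):
    """True only when mail was seen and none of it failed both mechanisms."""
    return sum(totals.values()) > 0 and totals["both_fail"] == 0

if __name__ == "__main__":
    totals, failing = triage(SAMPLE_REPORT)
    print(dict(totals), dict(failing), ready_to_enforce(totals))
```

A source in the failing list is not necessarily yours: check whether the IP belongs to a Salesforce sending path you use before treating it as a misconfiguration rather than spoofed mail.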
For a detailed breakdown of each policy level, see our guide on DMARC policy levels.
Test after every Salesforce change
Salesforce updates, new connected apps, and changes to email routing can affect authentication. Whenever you make changes to your Salesforce email configuration, check your DMARC reports for the next few days to make sure nothing broke.