Website: https://www.salesforce.com/products/marketing-cloud/overview/

Aligned Authentication method:


SPF - Yes, with dedicated IP, otherwise no

DKIM - Yes TXT record

  • Salesforce Marketing Cloud almost always uses a dedicated subdomain. There are a few very old implementations that do not but any new implementation will use a dedicated subdomain

  • Salesforce Marketing Cloud has multiple ways to set up their service in DNS. The preferred option is to delegate the subdomain to Salesforce Marketing Cloud which allows Salesforce Marketing Cloud to host all DNS records on their DNS servers. This means that Salesforce Marketing Cloud will host SPF and DKIM

  • The subdomain must be added to the Enforce configuration as a Single Sender Subdomain

  • In order to send authenticated emails, the customer will need to purchase a Sender Authentication Package (SAP) from Salesforce: https://help.salesforce.com/s/articleView?id=sf.mc_es_sender_authentication_package.htm&type=5

  • Salesforce Marketing Cloud uses a single TXT DKIM key with a selector of 200608. This same key is used for all Salesforce Marketing Cloud customers and was created in Aug 2006. Since this is a TXT record, DKIM key rotation is problematic.

  • Salesforce Marketing Cloud can apparently create customized DKIM keys/ selectors based on some data we have seen in the wild but how this works in practice is unknown