Step-by-Step Guide to Setting Up Salesforce Email Deliverability

Short Description: Learn how to stop your Salesforce emails from going to spam. This guide covers everything from basic access settings to configuring SPF and DKIM authentication step-by-step.

Index / Table of Contents

1. Introduction
2. Why Your Salesforce Emails Might Be Failing
3. Step 1: The Basics – Checking Access Levels
4. Step 2: The Technical Part – Setting Up SPF and DKIM
   • How to Configure SPF
   • How to Configure DKIM
5. Step 3: The Reality Check – Testing Deliverability
6. Common Mistakes & How to Fix Them
7. Conclusion

Introduction

You’ve built the perfect email template. You’ve segmented your list. You hit “Send” in Salesforce. And then… silence.

Nothing kills a sales process faster than an email landing in the spam folder.

If you are sending emails directly from Salesforce, you aren’t just competing for attention; you are competing for trust. Gmail, Outlook, and other providers need to know that the email coming from Salesforce is actually authorized by you.

This guide will walk you through the exact steps to set up your Salesforce email deliverability so your messages hit the inbox, not the junk pile.

Why Your Salesforce Emails Might Be Failing

By default, Salesforce sends emails using its own servers. To an outsider (like Google’s spam filters), this can look suspicious.

Imagine you receive a letter that says it’s from “Bank of America,” but the postmark says “Bob’s Mail Shack.” You’d be suspicious, right?

That is exactly what happens when you send an email from yourname@yourcompany.com via Salesforce without proper setup. The recipient’s email server sees that the email claims to be from your company, but it was physically sent by a Salesforce server.

To fix this, we need to give Salesforce an “ID card” (SPF) and a “digital signature” (DKIM) to prove it’s allowed to send mail on your behalf.

Step 1: The Basics – Checking Access Levels

Before we dive into the complex DNS settings, let’s make sure the door is actually open.

Salesforce has a global switch that controls whether emails can leave the system. This is the most common reason emails “just stop working” after a sandbox refresh.

How to check it:

1. Go to Setup.
2. In the Quick Find box, type Deliverability.
3. Click on Deliverability under Email Administration.
4. Look for the Access to Send Email section.

You will see three options:

• No access: Blocks all outbound emails. Good for data loads, bad for business.
• System email only: Only password resets and new user alerts go out. (Note: New Sandboxes default to this!)
• All email: This is what you want for Production. It allows all outbound emails.

Action: Ensure this is set to All email if you are in a live environment.

Step 2: The Technical Part – Setting Up SPF and DKIM

This is the most critical step for reputation. We need to update your domain’s DNS records. You might need help from your IT team or whoever manages your website domain (like GoDaddy, Cloudflare, or AWS).

How to Configure SPF (Sender Policy Framework)

SPF is basically a public list of IP addresses that are allowed to send email for you.

1. Log in to your DNS provider (e.g., GoDaddy, Namecheap).
2. Look for a TXT record that starts with v=spf1.
3. If you already have a record: You simply need to add Salesforce to the existing list. Do not create a second SPF record!
   • Add this snippet inside your existing record: include:_spf.salesforce.com
   • Example: Change v=spf1 include:spf.google.com ~all to v=spf1 include:spf.google.com include:_spf.salesforce.com ~all.
4. If you don’t have a record: Create a new TXT record with this value:
   • v=spf1 include:_spf.salesforce.com ~all

How to Configure DKIM (DomainKeys Identified Mail)

DKIM adds a digital signature to your emails. It prevents hackers from intercepting an email and changing the content.

Part A: Generate the Keys in Salesforce

1. In Salesforce Setup, search for DKIM Keys.
2. Click Create New Key.
3. Selector: Enter a simple name like sfdc1.
4. Alternate Selector: Enter sfdc2.
5. Domain: Enter your email domain (e.g., yourcompany.com).
6. Domain Match: Select “Exact domain only” (usually safest).
7. Click Save.

Part B: Add to DNS

Once you save, Salesforce will generate two CNAME records for you. It might take a moment to appear.

1. Copy the CNAME and Alternate CNAME records shown on the screen.
2. Go back to your DNS provider.
3. Create two new CNAME records and paste the values from Salesforce.
   • Note: Some DNS providers strictly require just the first part of the hostname (e.g., sfdc1._domainkey), while others want the full URL. Check your provider’s help docs if you get an error.

Part C: Activate

1. Wait! DNS changes can take anywhere from 5 minutes to 48 hours to propagate.
2. Go back to the DKIM Keys page in Salesforce.
3. If the button says Activate, click it. If it gives an error, wait a few more hours and try again.

Step 3: The Reality Check – Testing Deliverability

After doing the hard work, use Salesforce’s built-in tool to verify everything is connecting.

1. In Setup, type Test Deliverability in the Quick Find box.
2. Enter your own email address.
3. Click Send.

What happens next? Salesforce will send you roughly 32 emails instantly.

Don’t panic! This is normal. Salesforce sends one email from every single IP address range they own.

• If you get all (or most) of them: Great! Your whitelist is working.
• If you get none: Check your Spam folder. If they aren’t there, your corporate firewall might be blocking Salesforce IPs entirely.

Common Mistakes & How to Fix Them

• The “Sandbox Trap”: You refreshed a Sandbox and emails stopped.
  • Fix: Check the Access Level in Step 1. It likely reverted to “System email only.”
• Multiple SPF Records: You added a new SPF record instead of editing the old one.
  • Fix: A domain can only have one SPF record. Merge them into a single line.
• Assuming it’s instant: You added DKIM records but Salesforce won’t let you click Activate.
  • Fix: DNS takes time. Go grab a coffee and try again in an hour.
• Ignoring Compliance Settings:
  • Fix: In Deliverability settings, ensure “Enable compliance with standard email security mechanisms” is checked unless you have a very specific reason to disable it.

Conclusion

Setting up email deliverability in Salesforce isn’t the most exciting administrative task, but it is one of the most valuable. By configuring your Access Levels, SPF, and DKIM, you ensure that your automated alerts, approval requests, and sales emails actually reach their destination.

Take 30 minutes to audit these settings today. Your sales team (and your open rates) will thank you.