Providers

Salesforce SPF Setup

Salesforce sends email from Salesforce infrastructure and needs SPF authorization for marketing, sales, and automated CRM messages.

Intermediate · 7 min read · Reviewed Jul 4, 2026

Quick answer

Salesforce sends mail from its cloud infrastructure for CRM workflows, Marketing Cloud, and Pardot-branded experiences. SPF authorization typically uses Salesforce-provided include hostnames on your sending or bounce domain. Marketing Cloud and Account Engagement may use different return-path patterns, so verify DNS for each product line rather than assuming one include covers all Salesforce email.

Beginner explanation

Salesforce is not a single mail pipeline. Sales Cloud alerts, Marketing Cloud journeys, and Pardot campaigns may use different envelope domains and IP pools. SPF must cover the domains those products actually use in SMTP.

Administrators often authenticate a corporate domain in one Salesforce product while another product still sends from a default Salesforce hostname. Receivers then see inconsistent authentication results across what users perceive as the same brand.

Treat each Salesforce sending configuration as its own DNS project, then consolidate into a coherent SPF strategy at the domain level.

Technical explanation

Salesforce documentation references include mechanisms such as include:_spf.salesforce.com for certain products, while Marketing Cloud may require SPF on a custom bounce subdomain configured during Sender Authentication Package setup. Pardot historically used distinct SPF and DKIM instructions that may differ from core Salesforce.

Because Salesforce messages are automated at scale, SPF failures quickly affect lead nurturing, case notifications, and commerce workflows. Align DKIM selectors provided in each product's admin UI and confirm MAIL FROM domains via message headers in a test inbox.

Use DMARC aggregate reports to separate Salesforce sending streams from employee mail. Distinct reporting rows help you identify which product's envelope domain is failing SPF without disabling authorization for the entire CRM stack.

Business impact

Salesforce SPF issues degrade revenue operations. Lead follow-up sequences and order confirmations that fail authentication reduce conversion and increase support tickets when customers never receive automated responses.

CRM mail failures are especially visible to sales leadership because they surface as missed SLAs and pipeline stagnation rather than traditional bounce reports.

Common mistakes

- Configuring SPF only in Sales Cloud while Marketing Cloud uses an unauthenticated bounce domain
- Copying outdated Pardot SPF values after Salesforce branding consolidation
- Exceeding SPF lookup limits after adding Salesforce includes on top of many other SaaS tools

How SPF Manager helps

SPF Manager maps Salesforce-related includes to product families and checks for missing authorization on bounce subdomains used by Marketing Cloud. Lookup analysis helps you fit Salesforce into a crowded SPF record safely.

Ongoing monitoring catches when Salesforce infrastructure changes affect nested includes your domain depends on.

Recommended next step

See how this applies to your domain before you change DNS.

Analyze my domain

Related articles

Providers

SPF Email Providers

Email providers publish SPF include hostnames or IP ranges that you must add to your domain policy to authorize their outbound mail.

Beginner 6 min read

Providers

Provider SPF Synchronization

Provider SPF synchronization keeps your DNS policy aligned with the email services your organization actually uses.

Intermediate 7 min read

Providers

Mailchimp SPF Setup

Mailchimp sends from its own infrastructure and requires SPF authorization via include or authenticated sending domain configuration.

Beginner 5 min read

Deliverability

SPF and Email Deliverability

Correct SPF improves deliverability by giving receivers a trusted signal that your mail comes from authorized infrastructure.

Beginner 7 min read