How to Setup Sender Policy Framework (SPF) for Salesforce

How to Setup Sender Policy Framework (SPF) for Salesforce

Last Updated on March 26, 2022 by Rakesh Gupta

Big Idea or Enduring Question:

  • How to set up Sender Policy Framework (SPF) feature to allow receiving message transfer agents (MTAs) to validate that the sending MTAs are authorized to send email from the Salesforce domain?


After reading this blog, you’ll be able to:

  • Understand different email authentication protocols
  • Understand Sender Policy Framework (SPF)
  • Enable Email Security Compliance in Salesforce
  • Setup Sender Policy Framework (SPF) for Salesforce

What are the available email authentication protocols?

There are several methods that focus on different aspects of email messages.

IP Authorization Check Message authenticity verification Additional layers of security
Must-Have Must-Have Highly Recommended
Use it to

  • Secure yourself from spoofing and phishing


Use it to

  • Prevent possible message modifications
  • Secure yourself from spam attacks
Use it to

  • Improve email fraud security
  • Set up own domain authentication procedure

Let’s now talk about Sender Policy Framework (SPF) methods in more detail.

What Does Sender Policy Framework (SPF) do?

The Sender Policy Framework (SPF) is an email authentication technique that is used to prevent spammers from sending messages on behalf of your domain. 

Let’s start with an example to understand it better – for example; You have sent an email to Jessica. But how does Jessica’s DNS server know that you sent the email? The issue is, it doesn’t really unless you have SPF set on your DNS server.

SPF defines the IP addresses that can send emails from your domain. A typical SPF record looks like this:

v=spf1 exists:%{i} ~all

How does Sender Policy Framework (SPF) work?

Here’s how it works:

Emails have two from email addresses: the envelope from address and the header from address. The header from address is what mail clients show to the person reading the email. The envelope from address is usually never seen by the user.

Both can be forged. But, it’s more common to forge the header from address, since the recipient can see it.

The SPF record for a domain is published in a Domain Name System (DNS) record. When you send an email, mail servers look up the domain listed in the envelope from address, and retrieve the associated SPF record. If your sender IP address isn’t listed in the SPF record on your envelope from domain, your email fails the SPF check.

If you send an email from a Salesforce application and your domain is, you can create an SPF record that authorizes mail servers as allowed for the domain. When the recipient receives your email, it checks the SPF record of to determine if it is a valid email. The message will have a high chance of delivery if it is validated using SPF.

In short, properly configured SPF records improve your email deliverability by providing recipient mail servers with clear guidelines about who is permitted to send emails from your domain name.

How to verify if SPF record is set up correctly?

There are various methods to find out if the SPF record is set up correctly and below are some tools that can be used for verification:

  1. Google Admin Toolbox
  2. MxToolbox.

Enable Email Security Compliance

Email Security Compliance updates the envelope from address in emails sent from Salesforce. With this feature enabled, the email header from address is your email address, but the envelope from address is * Salesforce’s Sender Policy Framework (SPF) record authorizes the IPs used by our message transfer agents (MTAs) to send email from our domain. Email sent from Salesforce passes SPF checks even if you don’t have an SPF record for your email domain.

Perform the steps below to enable email security compliance in Salesforce:

  1. Click Setup.
  2. In the Quick Find box, type Deliverability.
  3. Select Deliverability then click on the Email Security Compliance (Emails from Salesforce or Email Relay Only).
  4. Select Enable compliance with standard email security mechanisms.
  5. Optionally, select Enable Sender ID compliance to have receiving mail servers use the Sender ID email authentication protocol to verify the sender.
  6. Make sure to click Save, and you’re done.

Business Use case

Harmeet Kaur is working as a System administrator at Gurukul On Cloud (GoC). She wants to understand how to remove the via, from the emails that are received by our users from Salesforce.

Guided Practice (We-do):

The answer is she has to whitelist the Salesforce servers on the domain that reps are sending emails out on. To do this add a TXT SPF record to your email domain with the following:

"v=spf1 mx ~all"

Now Sign in to your domain management system and a TXT record to DNS.

Formative Assessment:

I want to hear from you!

What is one thing you learned from this post? How do you envision applying this new knowledge in the real world? Feel free to share in the comments below.

Have feedback, suggestions for posts, or need more information about Salesforce online training offered by me? Say hello, and leave a message!

One thought on “How to Setup Sender Policy Framework (SPF) for Salesforce

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.