Since writing this Salesforce has released support for DKIM which is much better way of authenticating emails coming out of Salesforce which I would now use if your infrastructure allows it. Check out the release notes for more information.
@radnip what do you mean that email isn’t secure. Damn!
— Simon Goodyear (@simongoodyear) May 26, 2015
Yes Simon and his brilliant sarcastic wit 🙂 But I was talking to company that needed a copy of my passport as ID. They asked if I could email it to them as an image. Now around 40-50% of all emails going around the internet is not encrypted. Anyone sitting between my email server and the destination server would be able to read my email if not secured… (you can check if an email service supports encryption here).
The main reason for this is because when email was born on the internet no-one through that this would be a problem. In fact its incredibly easy to spoof emails and pretend they have come from someone else. BUT there are different ways you can protect yourself from this, and that’s by implementing SPF and setting it up in Salesforce.
An SPF record is a little text string that is stored on your domain name which essentially tells the world who is allowed to send emails on your behalf, and you want Salesforce to be one of those people! Without it providers receiving your emails would either have to guess that Salesforce is permitted to send email or mark the email as spam, effecting your email deliverability.
I answered a question on SPF records in Salesforce back in 2012 and also there is more information here: Salesforce SPF Record details.
Once you have added the SPF record on your domain you then need to check the “Enable compliance with standard email security mechanisms” check box in Email Deliverability settings in Salesforce setup, and you’re done.
I don’t trust Salesforce.
Ok, I do… but I’m paranoid. The SPF record is all well and good but salesforce is a multi-tennant system with 1000s of other customers using the same systems as you. So I’m giving access to all those customers and Salesforce the ability to spoof emails on my behalf right?
Yes, but not quite, as you usually need to validate the email address within Salesforce before you can send using the particular email address. But I’m still paranoid and want to have extra reliable email and be more secure!… so you can implement email relaying.
Salesforce Email Relaying
Email relaying basically means that any email that Salesforce is going to send out is going to be sent directly to your own mail service and then your email service is sending the email out like any other regular email. The benefit of this is that email relaying is only configured in your Salesforce org(s) and you don’t have to implement and SPF record making it “more secure”, higher deliverability (as Salesforce is not spoofing your email), ability to store emails for email auditing and the ability of adding a standard email footer to all emails etc, etc…
You need to send a case to Salesforce to enable Salesforce email relaying but also needs you to configure an inbound mail server host to allow emails from Salesforce. More info can be found Salesforce email relaying.
One note, using email relaying doesn’t get around the email sending limits. They are still enforced.
Radnip
June 1, 2015 at 5:30 pm
Chris Ferraro has posted about DKIM support: https://blog.internetcreations.com/2015/05/improving-outbound-mail-delivery-in-salesforce/
Jaseem Prem
June 15, 2015 at 8:42 pm
Emails stored on some third party servers can never be secure. Binfer is a better way to send secure email. It does not store emails anywhere. Check it out: http://www.binfer.com.
William Smith
December 1, 2015 at 5:28 pm
Hi. I realise this article is quite old but I’m actually needing to set something like this up on a project. You mention Email Relaying which would be perfect. What I can’t quite figure out is how this could be in any way secure…
As far as I can gather you don’t set up any sort of authentication so you are relying on the SMTP server to be completely open. So in theory anyone who knows the SMTP server details could starting sending anything out. We can obviously limit the IP range but that still leaves the issue to do with Salesforce’s multi-tenanted architecture. It’s so unlikely that someone would spam the SMTP from within a Salesforce account but it’s still not something you can take lightly when suggesting changes to a client’s infrastructure.
Does anyone know if I’m looking at this in the wrong way? Or is it indeed actually insecure?
James Melville
January 27, 2016 at 7:11 pm
You’re right it’d be insecure, I posted an answer here:
http://salesforce.stackexchange.com/questions/11563/how-to-do-email-relaying-in-a-safe-way/106941#106941
Radnip
February 8, 2016 at 11:30 am
Yes agree but I would say using email relaying reduces the risk of using something like SPF so ends up making it a bit more secure. Anyone could take a look at your Domain’s DNS and see that you are whitelisting Salesforce using SPF and then in theory use their own Salesforce org. So using email relaying can masquerade this. But saying all this is a bit of a mute subject as you can now use DKIM which can be used to authenticate emails coming out of Salesforce (http://releasenotes.docs.salesforce.com/en-us/spring15/release-notes/rn_general_domain_keys.htm#rn_general_domain_keys). Which is MUCH better 🙂