Since writing this, Salesforce has released support for DKIM, which is a much better way of authenticating emails coming out of Salesforce and which I would now use if your infrastructure allows it. Check out the release notes for more information.
@radnip what do you mean that email isn’t secure. Damn!
— Simon Goodyear (@simongoodyear) May 26, 2015
Yes, Simon and his brilliant sarcastic wit 🙂 But I was talking to a company that needed a copy of my passport as ID. They asked if I could email it to them as an image. Now around 40-50% of all emails going around the internet are not encrypted. Anyone sitting between my email server and the destination server would be able to read my email if it is not secured… (you can check if an email service supports encryption here).
The main reason for this is that when email was born on the internet, no one thought that this would be a problem. In fact, it's incredibly easy to spoof emails and pretend they have come from someone else. BUT there are different ways you can protect yourself from this, and one is by implementing SPF and setting it up in Salesforce.
An SPF record is a little text string that is stored on your domain name which essentially tells the world who is allowed to send emails on your behalf, and you want Salesforce to be one of those people! Without it, providers receiving your emails would either have to guess that Salesforce is permitted to send email or mark the email as spam, affecting your email deliverability.
Once you have added the SPF record on your domain you then need to check the “Enable compliance with standard email security mechanisms” check box in Email Deliverability settings in Salesforce setup, and you’re done.
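Before ticking that box, it is worth checking that the published record really authorizes Salesforce and is not broken in the process. The following is an added example, not code from the original post: it audits TXT records offline, the sample records are constructed, and the include host `_spf.salesforce.com` is an assumption to confirm against Salesforce Help.

```python
import re

# Assumption: Salesforce's published SPF include host; confirm in Salesforce Help.
SALESFORCE_INCLUDE = "_spf.salesforce.com"
# RFC 7208 s4.6.4: each of these terms costs a DNS lookup; the limit is 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"^([+\-~?]?)([a-z][a-z0-9_.-]*)(?:[:=/](.*))?$", re.I)


def audit_spf(txt_records, required_include=SALESFORCE_INCLUDE):
    """Return the problems found in a domain's TXT records (empty list = OK)."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        # More than one SPF record makes receivers return permerror.
        return ["multiple SPF records: merge them into one"]

    problems, includes, seen, lookups, all_qualifier = [], [], set(), 0, None
    for term in spf[0].split()[1:]:
        m = TERM_RE.match(term)
        if not m:
            problems.append(f"unparseable term: {term}")
            continue
        qualifier, name, value = m.group(1) or "+", m.group(2).lower(), m.group(3)
        seen.add(name)
        lookups += name in LOOKUP_TERMS  # top-level only, nested includes add more
        if name == "include" and value:
            includes.append(value.lower())
        if name == "all":
            all_qualifier = qualifier

    if required_include not in includes:
        problems.append(f"missing include:{required_include}")
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms, limit is 10")
    if all_qualifier == "+":
        problems.append("'+all' authorizes every sender on the internet")
    elif all_qualifier is None and "redirect" not in seen:
        problems.append("no 'all' term: unlisted senders get a neutral result")
    return problems


# Constructed sample TXT record sets for a hypothetical example.com zone.
GOOD = ["v=spf1 mx include:_spf.salesforce.com -all", "site-verification=constructed"]
MISSING = ["v=spf1 mx ip4:192.0.2.0/24 ~all"]
DUPLICATE = ["v=spf1 mx -all", "v=spf1 include:_spf.salesforce.com -all"]

if __name__ == "__main__":
    for label, records in (("good", GOOD), ("missing", MISSING), ("duplicate", DUPLICATE)):
        print(label, audit_spf(records) or "OK")
```

The duplicate case is the one that most often bites: adding a second `v=spf1` record for Salesforce instead of merging the include into the existing record invalidates SPF for the whole domain.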
I don’t trust Salesforce.
Ok, I do… but I’m paranoid. The SPF record is all well and good, but Salesforce is a multi-tenant system with 1000s of other customers using the same systems as you. So I’m giving all those customers and Salesforce the ability to spoof emails on my behalf, right?
Yes, but not quite, as you usually need to validate the email address within Salesforce before you can send using that particular email address. But I’m still paranoid and want to have extra reliable email and be more secure!… so you can implement email relaying.
Salesforce Email Relaying
Email relaying basically means that any email Salesforce is going to send out is sent directly to your own mail service, and your mail service then sends the email out like any other regular email. The benefits of this are that email relaying is only configured in your Salesforce org(s) and you don’t have to implement an SPF record, making it “more secure”; higher deliverability (as Salesforce is not spoofing your email); the ability to store emails for email auditing; the ability to add a standard email footer to all emails; etc.
You need to send a case to Salesforce to enable Salesforce email relaying, and you also need to configure an inbound mail server host to allow emails from Salesforce. More info can be found at Salesforce email relaying.
One note: using email relaying doesn’t get around the email sending limits. They are still enforced.