SPF for Salesforce: Setup Guide and Best Practices
Configure SPF for Salesforce with the correct include statement. Covers Sales Cloud vs Marketing Cloud and adding to existing records.
Last updated: 2026-04-13
Salesforce sends email on behalf of your business every day: lead notifications, workflow alerts, case updates, and marketing campaigns. If your SPF record does not include Salesforce, those emails may land in spam or get rejected entirely. For a comprehensive overview of SPF, see our complete SPF guide. This guide shows you exactly how to set it up.
The Salesforce SPF Include
To authorize Salesforce to send email for your domain, add this include statement to your SPF record (Salesforce Help):
include:_spf.salesforce.com
This single include covers Salesforce's email-sending infrastructure and lets receiving mail servers know that Salesforce is authorized to send on your behalf.
Sales Cloud vs. Marketing Cloud
The include _spf.salesforce.com works for Salesforce Sales Cloud (the standard CRM). If you use Salesforce Marketing Cloud (formerly ExactTarget), you may need additional or different include statements. See the Marketing Cloud section below.
Setting Up SPF for Salesforce
If Salesforce is your only email-sending service (unlikely, but possible), your SPF record would look like:
v=spf1 include:_spf.salesforce.com ~all
More realistically, you will combine Salesforce with your primary email provider. Here is an example with Google Workspace:
v=spf1 include:_spf.google.com include:_spf.salesforce.com ~all
Adding Salesforce to an Existing SPF Record
Most businesses already have an SPF record when they set up Salesforce. The key rule: do not create a second SPF record. Instead, edit your existing one.
Check your current SPF record
Use the lookup tool above to see what your SPF record currently contains. Note down the full value.
Log into your DNS provider
This is wherever your domain's DNS is managed — see our guides for Cloudflare, GoDaddy, or Namecheap. This is not Salesforce itself.
Find your existing SPF TXT record
Look for a TXT record that starts with v=spf1. This is the record you need to edit.
Add the Salesforce include
Add include:_spf.salesforce.com to the record, placing it before the ~all or -all at the end.
Save and wait for propagation
Save the record. DNS changes typically propagate within 1 to 4 hours, though it can take up to 48 hours.
Example: Before and after adding Salesforce
Before:
v=spf1 include:_spf.google.com include:sendgrid.net ~all
After:
v=spf1 include:_spf.google.com include:sendgrid.net include:_spf.salesforce.com ~all
The order of include statements does not matter. Just keep v=spf1 at the beginning and the all mechanism at the end.
If you are not sure how to build the right SPF record for your combination of services, SPF Creator can generate it for you.
Salesforce Marketing Cloud SPF
Salesforce Marketing Cloud (formerly ExactTarget) uses different sending infrastructure than Sales Cloud. The SPF setup depends on how your Marketing Cloud account is configured.
| Product | SPF Include | Notes |
|---|---|---|
| Sales Cloud | include:_spf.salesforce.com | Standard CRM emails, workflow alerts, notifications |
| Marketing Cloud (SAP) | include:_spf.salesforce.com | Uses Sender Authentication Package with your domain |
| Marketing Cloud (shared IP) | Varies by account | Check your Marketing Cloud setup documentation |
If you use the Sender Authentication Package (SAP) in Marketing Cloud, Salesforce configures DNS records on a subdomain they manage on your behalf. The standard _spf.salesforce.com include typically covers this.
If you are on shared IPs without SAP, check your Marketing Cloud account settings or contact Salesforce support for the exact include statement your account requires.
When in doubt, start with the standard include
For most Salesforce customers, include:_spf.salesforce.com is the correct include. Add it, verify with the checker tool, and send a test email. If emails still fail SPF, contact Salesforce support for your specific sending configuration.
Common Salesforce SPF Mistakes
Using the wrong include domain
The correct include is exactly _spf.salesforce.com. Common mistakes include:
salesforce.com(missing the_spf.prefix)spf.salesforce.com(missing the underscore)_spf.force.com(wrong domain)include:salesforce.com(too generic, will not work)
Always use _spf.salesforce.com with the leading underscore.
Creating multiple SPF records
This is the most common DNS mistake across all email services, not just Salesforce. Your domain can only have one SPF record. If you add a second one, both records become invalid and all SPF checks return a PermError.
Wrong (two separate records):
v=spf1 include:_spf.google.com ~all
v=spf1 include:_spf.salesforce.com ~all
Correct (one combined record):
v=spf1 include:_spf.google.com include:_spf.salesforce.com ~all
Forgetting about DNS lookup limits
Each include statement uses at least one DNS lookup, and the included domain's own SPF record may trigger additional lookups. You have a maximum of 10 DNS lookups per SPF evaluation. Salesforce's include typically uses 2 to 3 lookups.
If you are using many email services (Google Workspace, Salesforce, a marketing platform, a support tool), you may approach or exceed the limit. Check your total with the lookup tool above or read our 10 DNS lookup limit guide. For tips on combining providers, see our guide on SPF for multiple ESPs.
Not configuring the sending domain in Salesforce
Adding the SPF record to your DNS is only half the setup. You also need to tell Salesforce which domain you are sending from.
In Salesforce:
- Go to Setup
- Search for Organization-Wide Email Addresses or Email Deliverability
- Ensure your sending domain matches the domain where you added the SPF record
If Salesforce sends email from [email protected], then yourdomain.com needs the SPF record.
Verifying Your Salesforce SPF Setup
After adding the record and waiting for DNS propagation, verify everything is working.
1. Check with the free tool. Use the lookup widget above to confirm your SPF record includes _spf.salesforce.com.
2. Send a test email from Salesforce. Trigger an email from Salesforce, such as a workflow alert or a manual email from a lead record. Send it to an address you can inspect, like a personal Gmail account.
3. Check the email headers. In Gmail, open the test email, click the three dots, and select "Show original." Look for:
spf=pass
If you see spf=pass, your Salesforce SPF is working correctly.
4. Review Salesforce email logs. In Setup, go to Email Log Files to see delivery status for emails sent by Salesforce. Look for any bounce or authentication failure messages.
Complete Your Email Authentication
SPF alone does not provide full email authentication. For the best protection and deliverability, you should also configure:
- DKIM for Salesforce. In Salesforce Setup, search for "DKIM Keys" to generate and publish DKIM records for your domain. Verify your setup with DKIM Test.
- DMARC to enforce your authentication policy. A DMARC record tells receiving servers what to do when SPF or DKIM fail. Check your DMARC record with DMARC Record Checker.
Together, SPF, DKIM, and DMARC form a complete email authentication framework. Learn more in our guide on SPF, DKIM, and DMARC explained.
Monitor Your SPF Records
DNS records can change unexpectedly. A colleague might edit the wrong record, or a DNS migration might drop your SPF. Continuous monitoring catches these issues before they affect your email delivery.
References
- RFC 7208: Sender Policy Framework (SPF) — The current SPF specification
- Salesforce Help: SPF Include Value — Official Salesforce SPF include documentation
Never miss an SPF issue
Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.
Start Monitoring