wiki:Saleforce Improper Email setup(s)

Version 8 (modified by Paul Kulda, 2 years ago) ( diff )

--

Saleforce Improper Email setup(s)

see : https://help.salesforce.com/s/articleView?id=000316016&type=1

Email Relay best practices Publish Date: May 13, 2022 Description Below are some best practices that need to be considered when setting up email relay for your organization.

For additional information, please review the Considerations for Setting up Email Relay documentation.

https://help.salesforce.com/s/articleView?id=sf.emailadmin_email_relay_considerations.htm&type=5&language=en_US Resolution

Note: Information in this article applies to both Classic and Lightning Experience

What is Email Relay

Email relay automatically routes Salesforce-generated emails through your company’s mail service. For more information on email relay, please review Set Up Email Relay.

Deliverability settings and mail relay

Once email relay is enabled in Salesforce, companies do not necessarily need to use all of Salesforce’s Email Deliverability settings located under: Setup | Email Administration | Deliverability. This is because some of these settings (listed below) modify the envelope-from address of emails sent from Salesforce. The header From address remains set to the sender's email address. The return-path in the headers is also modified. This change in the email headers may affect email delivery to your email server, as the modified return-path will include a Variable Envelope Return Path value (VERP). Example standard return-path: <name@…> Example of Variable Envelope Return Path (VERP): <name=domain.com__x@…>

Therefore, we recommend companies to disable the following two email deliverability options when using email relay. You can read more about these settings in Guidelines for Configuring Deliverability Settings for Emails from Salesforce. In Salesforce Classic: Navigate to Setup | Email Administration | Deliverability In Lightning Experience: Navigate to Gear icon | Setup | Email | Deliverability a) Turn OFF Activate Bounce Management. b) Turn OFF Enable compliance with standard email security mechanism and Enable Sender ID compliance

After disabling these settings, outbound email sent from Salesforce to your relay server will show both envelope-from and return-path as <name@…>.

For background information on IPs used for Email Relay see: Ensure you can receive email from the Salesforce application

Securing your Email Relay

Here are some suggestions for ensuring that your mail relay is secure and that you relay only mail that you intend to:

Have your relay allowlist only the IPs you want to relay mail for (ours and any others) Only relay mail that is sent using your mail domain Enforce TLS (optionally set it to TLS required or required and verify the hostname on the certificate) Have your relay verify the hostname on our certificate Look for a header - X-SFDC-LK and ensure that it has your orgid in it. Only relay mail from salesforce if it has the proper orgid Use DKIM signing in salesforce and only relay mail if the DKIM signature passes

Bounce Management with Email Relay

Using Email Relay and Bounce Management together requires special care because it can cause Sender Policy Framework (SPF, a common email security standard) to fail to validate. The Salesforce bounce management feature relies on setting each outgoing email's return path (also called the "envelope from address") to an address at bnc.salesforce.com. SPF works by extracting the domain in the return path to find a set of authorized IP addresses. When you use Email Relay and Bounce Management, the IP address of your relay will not match the authorized IP addresses for the domain (bnc.salesforce.com). This will result in an SPF "soft failure" -- it does not mark your message as invalid, but it may reduce your deliverability.

One solution is to establish a DMARC policy for your domain, and then use Salesforce's DKIM signing feature to sign outgoing mail. With this combination, your mail will pass a DMARC check, even though it does not pass SPF.

Another solution is to turn off bounce management in Salesforce.

Email Relay with Office 365 For more details about relaying with Office 365 see Salesforce 'Email Relay' with Office 365

Email Relay with Gmail For more details about relaying with Gmail see Salesforce 'Email Relay' with Gmail Knowledge Article Number

000382778

Considerations for Setting Up Email Relay

Before setting up Email Relay, review details about bounce management and spam. Available in: Salesforce Classic and Lightning Experience Available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions

Email Relay is a good option if:

You want to route email sent from Salesforce through your company’s mail service, such as for compliance. Your company owns its domain (mycompany.com).

Salesforce send limits still apply to email relaying. Email Relay requires some technical expertise to set up.

Bounce Management with Email Relay

To use Bounce Management, your email server must allow the relaying of email sent from Salesforce with a salesforce.com domain.

Use Email Relay and Bounce Management with care as it can cause Sender Policy Framework (SPF), a common email security standard, to fail to validate. The Salesforce bounce management feature relies on setting each outgoing email's return path, the envelope from address, to an address at bnc.salesforce.com. SPF works by extracting the domain in the return path to find a set of authorized IP addresses.

When you use Email Relay and Bounce Management, the IP address of your relay doesn’t match the authorized IP addresses for the domain (bnc.salesforce.com). This mismatch results in a SPF soft failure. It doesn’t mark your message as invalid, but it reduces your deliverability.

There are two solutions:

Establish a DMARC policy for your domain, and use Salesforce's DKIM signing feature to sign outgoing mail. With this combination, your mail passes a DMARC check even though it doesn’t pass SPF. Turn off bounce management in Salesforce.

Deliverability Settings and Email Relay

When email relay is enabled in Salesforce, companies don’t always need all the Salesforce Email Deliverability settings from Setup. Some of these settings modify the envelope-from address of emails sent from Salesforce. The header From address remains set to the sender's email address. The return-path in the headers is also modified. This change in the email headers may affect email delivery to your email server because the modified return-path includes a Variable Envelope Return Path value (VERP).

Example of a standard return-path: <name@…> Example of a VERP return-path: <name@…x@…>

Disable these email deliverability options when using email relay.

Turn off Enable compliance with standard email security mechanisms. Consider turning off Activate Bounce Management.

After disabling the settings, outbound email sent from Salesforce to your relay server shows the envelope-from and the return-path as <name@…>. Securing Your Email Relay

Follow these suggestions to ensure that your mail relay is secure and that you relay only the mail that you intend to.

Include only the IPs that you want to use to relay mail for ours and any others in your relay’s allowlist. Only relay mail that’s sent using your mail domain. Enforce TLS. Optionally set it to TLS required or required and verify the hostname on the certificate. Have your relay verify the hostname on our certificate. Look for a header - X-SFDC-LK and ensure that it has your orgid in it. Only relay mail from Salesforce if it has the proper orgid. Use DKIM signing in Salesforce and only relay mail if the DKIM signature passes. Enable SMTP authentication between Salesforce mail servers and your email relay host. Test this feature in a sandbox to ensure that it works as expected. Some email services don’t support SMTP authentication for email relays.

Copying Sandbox with Email Relay

When you copy a sandbox, Email Relay data is copied to the sandbox org. This data includes authentication data stored on an Email Relay record, such as IsRequireAuth, Password, and Username. If you don’t want production authentication data in your sandbox copy, modify the Email Relay in Setup.

Alternatively, you can execute this sample Apex code in your Sandbox Developer Console to remove authentication data from the EmailRelay records.

System.debug('Executing sandbox postcopy update for EmailRelay');

Query all EmailRelay objects with non-empty credentials and reset.

List<EmailRelay> relays = [SELECT Id FROM EmailRelay WHERE IsRequireAuth = true OR Username != null];

for (EmailRelay relay : relays) {

relay.IsRequireAuth = false;

relay.Username = null;

relay.Password = null;

}

update relays;

System.debug('Updated ' + relays.size() + ' EmailRelay objects'); See Also

Note: See TracWiki for help on using the wiki.