Salesforce Email Setup Guide: Authentication, Deliverability Settings & Configuration

Salesforce Can Send Emails Out of the Box. But “Out of the Box” Lands in Spam.

Complete Salesforce email setup guide. Covers deliverability settings, SPF/DKIM/DMARC authentication, Org-Wide Email Addresses, email relay configuration, templates, bounce management, and testing.

A default Salesforce org can send email the moment you activate it. But without configuring authentication, deliverability settings, and sender addresses, those emails face rejection from Gmail, Yahoo, and Microsoft before they reach a single inbox. The gap between “Salesforce says sent” and “recipient saw it” is entirely configurable. This Salesforce email setup guide walks through every step—from enabling deliverability access to verifying authentication with test sends—so your org is production-ready before your first campaign goes out.

Set the Deliverability Access Level to “All Email”

Salesforce controls whether your org can send external email at all through a single setting: Setup → Email → Deliverability → Access Level. Production orgs default to “All Email,” but sandboxes and newly provisioned orgs often default to “System Email Only,” which blocks every marketing email, workflow alert, and campaign send. This is the most common reason emails never leave Salesforce, and the fix takes 10 seconds.

Set the access level to “All Email” for production environments. Leave sandboxes on “System Email Only” to prevent test data from reaching real recipients. Also, enable TLS encryption under the same Deliverability page—this encrypts email in transit and is required by most enterprise recipients. If your org was cloned from a sandbox, verify this setting immediately: sandbox restrictions carry over to production and silently block all outbound email until corrected.

Configure SPF, DKIM, and DMARC Authentication

Authentication tells mailbox providers that Salesforce is authorized to send on behalf of your domain. Without it, Gmail and Yahoo reject or spam-filter your emails regardless of content quality. SPF authorizes Salesforce’s servers—add include:_spf.salesforce.com to your domain’s DNS TXT record and keep the total number of DNS lookups under 10. DKIM signs each message cryptographically—navigate to Setup → Email → DKIM Keys, create a 2048-bit key, and publish the CNAME records in DNS. DMARC tells receivers what to do when authentication fails—start with p=none, then tighten to p=quarantine.

Since February 2024, Google’s sender guidelines require SPF, DKIM, and DMARC for bulk senders (5,000+ daily messages to Gmail), with active SMTP rejections for non-compliance since November 2025. DNS changes can take up to 48 hours to propagate, so configure authentication before you need to send. As Salesforce Ben’s deliverability guide details, consolidate all authorized senders into a single SPF record—multiple records invalidate each other. For a complete walkthrough, see our Salesforce email authentication guide.

Register Org-Wide Email Addresses

Org-Wide Email Addresses let your team send from shared addresses like support@yourcompany.com or marketing@yourcompany.com instead of individual user emails. Navigate to Setup → Email → Organization-Wide Addresses and add each address you need. Salesforce sends a verification email—click the confirmation link to activate. Unverified addresses cannot be used for sending, and emails from unregistered addresses fail silently in workflow alerts and Flow sends.

Register addresses for every department that sends email: sales, marketing, support, billing, and notifications. Set a Display Name that recipients will recognize—“Your Company Support” builds more trust than “admin@yourcompany.com.” Org-Wide Addresses also determine which “From” address appears on automated emails. If you use email automation via Flow Builder, every Send Email action should reference an Org-Wide Address to ensure consistent branding and proper authentication alignment.

Configure Email Relay for Domain Control

Email relay routes Salesforce-generated emails through your company’s own mail server instead of Salesforce’s shared infrastructure. This gives you control over sending IPs, content filtering, archiving, and compliance—and removes the “via salesforce.com” label that triggers spam suspicion in some clients. To set up relay: navigate to Setup → Email → Email Relays, enter your SMTP host and port, enable TLS, and optionally configure SMTP authentication.

After creating the relay, add an Email Domain Filter (Setup → Email → Email Domain Filters) to specify which sender or recipient domains route through the relay. Test in a sandbox first—misconfigured relay settings can block all outbound email. Note that email relay doesn’t bypass Salesforce’s 5,000 daily email limit—it changes the delivery path, not the capacity. For organizations needing both relay control and unlimited volume, our email relay setup guide covers integration with native platforms that eliminate volume caps.

Set Up Email Templates for Consistent Messaging

Templates ensure every email leaving your org follows brand guidelines and includes required elements like unsubscribe links and physical addresses. Salesforce offers four template types: Text (plain text), HTML with Classic Letterhead (legacy), Custom HTML (full code control), and Lightning Email Templates (drag-and-drop builder with automatic mobile responsiveness). Lightning templates are recommended for most use cases—they require no coding and produce professional, mobile-optimized emails.

Organize templates into folders by function: Sales, Marketing, Support, and Notifications. Use merge fields to personalize with the recipient's name, company, role, and record-specific data. Every marketing template must include a one-click unsubscribe link—Gmail and Yahoo now require this in List-Unsubscribe headers for bulk senders. Test each template across Gmail, Outlook, and Apple Mail before launching campaigns. For detailed instructions, see our template creation guide.

Enable Bounce Management and Compliance Settings

Bounce management automatically flags invalid email addresses on Contact and Lead records when emails hard-bounce. Enable it under Setup → Email → Deliverability → Activate Bounce Management. Without this, Salesforce keeps sending to dead addresses—accumulating hard bounces that erode sender reputation and trigger ISP throttling. When bounce management is active, Salesforce marks records and excludes them from future mass email sends.

On the same Deliverability page, enable “Email Security Compliance” to enforce standard security mechanisms. Configure Compliance BCC Email to automatically copy a designated address on every outbound email—essential for regulated industries requiring communication audit trails. Set up email opt-out handling so the Email Opt Out checkbox is enforced across all sending methods. Review bounce reason codes regularly to distinguish hard bounces (permanent—suppress immediately) from soft bounces (temporary—retry then suppress).

Test Deliverability Before Launching Campaigns

Salesforce includes a built-in testing tool: Setup → Email → Test Deliverability. Send test messages to email addresses you control across Gmail, Outlook, and Yahoo. Check whether messages arrive in the inbox or spam folder, verify the From address displays correctly, confirm DKIM signatures pass (check email headers for “dkim=pass”), and ensure SPF authentication succeeds. This test validates your entire configuration chain—deliverability settings, authentication, Org-Wide Addresses, and relay routing.

Beyond Salesforce’s built-in test, use Google Postmaster Tools to monitor ongoing domain reputation and authentication pass rates with Gmail. Check MXToolbox for blacklist status. The Salesforce Trailhead deliverability module walks through remediation when test results reveal issues. For comprehensive deliverability monitoring, see our deliverability best practices guide.

Extend Your Setup with Dedicated Infrastructure

Native Salesforce email setup handles authentication, templates, and basic sending—but leaves gaps that grow as volume increases. You share IPs with thousands of other Salesforce orgs, so a neighbor’s poor practices can damage your deliverability. There’s no built-in email verification to catch invalid addresses before sending. Tracking is fragmented across sending methods. And the 5,000 daily limit caps all teams at the same ceiling regardless of business size.

Native AppExchange platforms like MassMailer close these gaps without leaving Salesforce: dedicated IPs with automated warm-up isolate your sender reputation, built-in email verification catches invalid addresses before they become bounces, unlimited daily sending eliminates capacity constraints, and real-time engagement tracking writes opens, clicks, and bounces directly to Salesforce records. For organizations evaluating their options, see our comparison of the best email marketing tools for Salesforce.

Done configuring, but still dealing with shared IPs, sending limits, and fragmented tracking? MassMailer picks up where native setup ends—dedicated IPs, automated warm-up, built-in verification, unlimited sends, and full analytics inside Salesforce. Schedule a walkthrough to see how MassMailer completes your email setup →

Key Takeaways

Set deliverability access to “All Email” in production immediately—sandboxes default to “System Email Only” and this setting carries over when cloning to production, silently blocking all outbound email.
Configure SPF, DKIM, and DMARC before your first send—Gmail, Yahoo, and Microsoft reject unauthenticated bulk email with permanent SMTP errors since November 2025.
Register and verify Org-Wide Email Addresses for every department that sends email—unverified addresses fail silently in workflow alerts and Flow-triggered sends.
Enable bounce management to automatically suppress invalid addresses—without it, Salesforce keeps sending to dead addresses, accumulating hard bounces that damage sender reputation.
Test deliverability across Gmail, Outlook, and Yahoo before launching campaigns—check email headers for “dkim=pass” and “spf=pass” to confirm authentication works end-to-end.
Native setup handles basics but leaves gaps at scale—shared IPs, no email verification, fragmented tracking, and the 5,000 daily limit require dedicated infrastructure to resolve.

Frequently Asked Questions

What are the first steps to set up Salesforce email?

Set deliverability access to “All Email,” configure SPF/DKIM/DMARC authentication in DNS, register Org-Wide Email Addresses, enable bounce management and TLS encryption, then test deliverability across Gmail, Outlook, and Yahoo.

Why are my Salesforce emails not sending?

Most common cause: deliverability access set to “System Email Only” or “No Access.” Check Setup → Email → Deliverability. Also, verify that Org-Wide Email Addresses are confirmed, authentication is configured, and you haven’t hit the 5,000 daily limit.

How do I set up SPF for Salesforce?

Add include:_spf.salesforce.com to your domain’s existing SPF TXT record in DNS. Keep one SPF record per domain—multiple records invalidate each other. Stay under 10 DNS lookups total. Changes take up to 48 hours to propagate.

How do I configure DKIM in Salesforce?

Go to Setup → Email → DKIM Keys → Create New Key. Select 2048-bit key size, enter your domain, publish the CNAME records in DNS, wait for propagation, then activate the key in Salesforce.

Do I need email relay in Salesforce?

Relay is optional but recommended for organizations needing domain control, email archiving, compliance filtering, or removal of the “via salesforce.com” label. It routes emails through your own server without bypassing sending limits.

How do I test Salesforce email deliverability?

Use Setup → Email → Test Deliverability to send test messages. Check inbox placement, verify authentication by inspecting email headers for “dkim=pass” and “spf=pass,” and monitor Google Postmaster Tools for ongoing reputation.

What Salesforce email limits should I know during setup?

5,000 mass emails per organization per day (shared across all users and sending methods). 5,000 single emails per user per day. 25 MB maximum email size. 500 recipients per List Email send.

MassMailer

MassMailer Verifier

MassMailer Alerts

Email Monitor

Email Template Builder

MassMailer Docs

Salesforce Mass Email Marketing

Salesforce Email Deliverability

Salesforce Email Verification

Salesforce Email Attachments

Salesforce Email Alerts

Salesforce Email Integration

Blog

Case Study

Podcast

Glossary

Video

Presentation

Success as a Service

Success Packages

Support

Join Webinar

About

Customers

Partners

Why MassMailer

MassMailer vs Mailchimp

MassMailer vs Constant Contact

MassMailer vs iContact

MassMailer vs ActiveCampaign

MassMailer vs Campaign Monitor

MassMailer vs Salesforce Engagement Studio

MassMailer vs Salesforce Marketing Cloud

MassMailer vs Oracle Eloqua Marketing Automation

MassMailer vs Adobe Marketo Engage

MassMailer vs SendGrid

MassMailer Vs Emma

MassMailer Vs Brevo

MassMailer vs Klaviyo

MassMailer vs Vertical Response

MassMailer vs Outlook for Salesforce

MassMailer vs Salesforce Email

MassMailer vs Gmail for Salesforce

MassMailer vs Hubspot Marketing

Education

Non-Profits

Financial Services

Real Estate

Healthcare

Legal Services

Health & Fitness

Event Management

Public Sector

Manufacturing

Energy & Utilities

Technology

Salesforce Email Setup Guide

Table of Contents

Related Glossary Terms