Start tracking your progress
Trailhead Home
Trailhead Home

Understand Authentication and SAP

Learning Objectives

After completing this unit, you’ll be able to:

  • Understand the components of an SAP.
  • Identify authentication types.

Authentication and DNS Records

To improve the likelihood that your email gets to the intended recipient (ahem, good deliverability), emails should be authenticated, not just validated. Google and other ISPs take authentication seriously. They check for all industry-accepted forms of authentication using your DNS record. Additionally, authentication reduces the likelihood of spam, spoofing, and phishing attacks, thus protecting your brand and reducing spam complaints. 

Sample DNS Record

To better understand authentications in relation to DNS, let’s take a look at a sample DNS record for the domain: em.example.com.

Host Name
Type
Value
Notes
em.example.com
MX 10
reply.s10.exacttarget.com
This server captures replies using our reply mail management (RMM) feature.
em.example.com
A
13.111.18.27
This prevents blocking by certain spam filters that require an A record instead of just an MX record.
em.example.com
TXT
v=spf1 include:custo-spf.exacttarget.com -all
This provides support for sender policy framework (SPF) authentication.
bounce.em.example.com
MX 10
bounces.s10.exacttarget.com

This is the return-path (bounce-handling) domain. Uses variable envelope return path (VERP).
bounce.em.example.com
A
13.111.18.10
This prevents blocking by certain spam filters that require an A record instead of just an MX record.
bounce.em.example.com
TXT
v=spf1 include:custo-spf.exacttarget.com -all
This provides support for SPF authentication.
reply.em.example.com
MX 10
reply.s10.exacttarget.com
This server captures replies using our RMM feature.
reply.em.example.com
TXT
v=spf1 include:custo-spf.exacttarget.com -all
This provides support for SPF authentication.
leave.em.example.com
MX 10
reply.s10.exacttarget.com
Handles unsubscribes using “list unsub” header functionality.
image.em.example.com
CNAME
images.s10.exacttarget.com.edgesuite.net
Image hosting using Akamai content delivery network (CDN) for caching.
view.em.example.com
CNAME
view.virt.s10.exacttarget.com
Handles “view as a webpage” application functionality.
click.em.example.com
CNAME
click.virt.s10.exacttarget.com
Handles click tracking application functionality.
pages.em.example.com
CNAME
pages.virt.s1.exacttarget.com
Handles landing pages application functionality.
cloud.em.example.com
CNAME
pub.s10.exacttarget.com
Handles CloudPages application functionality.
10dkim1.domainkey.em.example.com
TXT
k=rsa; p=MIIBljANBgkqhkiG9w0BAQE...
This is the public key information for DomainKeys identified mail (DKIM) email authentication.
mta.em.example.com
A
13.111.1.2
This is the sending IP address of the specific mail transfer agent (MTA also known as mail server) used to serve mail for this particular client.
Note

Note

Want a deeper dive on authentication and DNS? Check out the help page, DNS record management .

If Salesforce is not managing your DNS records for you (self-hosting DNS), be sure your company’s IT department understands these authentication concepts and fills out these DNS entries correctly. 

Sender Authentication Package (SAP)

While you can authenticate and register your domain independently, a Sender Authentication Package (SAP) through Salesforce ensures you have compliant, authenticated email messages. So... what exactly do you get with an SAP? As mentioned in the previous unit, an SAP is a collection of products, including private domain with link and image wrapping, a dedicated IP address, and reply mail management (RMM). While these products can be purchased individually, an SAP is best thought of as an account branding tool, as link and image wrapping is only offered with an SAP. 

Branding matters when it comes to emails! When subscribers know who the email is coming from, it helps reduce spam complaints. Link and image wrapping removes all references to our default Marketing Cloud address (exacttarget.com) in favor of your authenticated domain.

So for example, once Get Cloudy Consulting obtains an SAP and selects a domain, its links might go from: http://image.s.qa12.exacttarget.com/example.png to http://images.getcloudyconsulting.com/123.png. This ensures all aspects of your email are on brand for your company. 

Authentication Acronyms

In addition to the benefit of branding, SAP’s can also be considered a one-stop shop for email authentication as it includes the following types of authentication features and protocols. These should look familiar from the sample DNS record.

  • Sender policy framework (SPF): SPF is an DNS-based email authentication feature that allows senders to publish a list of IP addresses that are used for sending. Basically, SPF records are lists of Marketing Cloud IP addresses that are allowed to send email from your domain, which help ISPs know your mail is legitimate.
  • DomainKeys identified mail (DKIM):  DKIM is an authentication method designed to detect email spoofing. When DKIM is used, messages are signed with a cryptographic signature to verify a domain is from the authorized owner of that domain.
  • Domain-based message authentication, reporting, and conformance (DMARC): DMARC is an authentication protocol that uses both SPF and DKIM to determine the authenticity of an email message. A properly configured DMARC policy can tell a receiving server whether or not to accept an email from a particular sender. It is important to note that not all receiving servers perform a DMARC check before accepting a message, but most major ISPs do.

An SAP Example

Now let’s take a look at two example emails for comparison of with and without an SAP.

Without an SAP

Northern Trail Outfitters email with callouts for bounces, view online, clicks, and images.

  • SAP domain: none
  • RMM domain: none
  • SPF/Bounce (1): bounce.exacttarget.com
  • DKIM domain: none
  • VAWP (view as webpage) domain (2): view.exacttarget.com
  • Click domain(3): click.exacttarget.net
  • Image library domain(4): image.exacttarget.net
  • Sending IP address host: mtaX.exacttarget.com

With an SAP

Northern Trail Outfitters email with callouts for domains, RMM, bounces, view online, clicks, and images.

  • SAP domain(1): em.ntodemo.com
  • RMM domain (2): reply.em.ntodemo.com
  • SPF/Bounce (3): bounce.em.ntodemo.com
  • DKIM domain (3): em.ntodemo.com
  • VAWP (View as webpage) domain(4): view.em.ntodemo.com
  • Click domain (5): click.em.ntodemo.com
  • Image library domain(6): image.em.ntodemo.com
  • Sending IP address host: mta.em.ntodemo.com

While an SAP alone won’t guarantee that your mail is never labeled as spam, it helps an ISP identify good senders from bad senders.

FAQs

We searched the vault, and here are some of the most commonly asked questions surrounding DNS and SAPs.

Question Answer
Who should purchase an SAP?
An SAP is right for anyone sending more than 100k messages/month (the minimum needed to keep a dedicated IP ramped up) who is also concerned about branding and wants to ensure ExactTarget domains aren’t visible in links or images.
Can I use an SAP for the branding even though I don’t send emails at a high volume to warrant a dedicated IP?
Absolutely. If you are sending less than 100k per month, you can still benefit from authentication and branding aspects of an SAP. Low volume only impacts dedicated IP addresses. More on IP volume in the next unit.
Can we put multiple SAPs on one account?
No, a single Marketing Cloud account number (each MID) can support only one SAP, but you can have as many private domains on a single account as you wish.

For example, Get Cloudy has a parent account and two child accounts. They have an SAP for each child account. Child account (MID 12345) uses an SAP for clients with the domain clients.getcloudyconsulting.com. The other child account (MID 23456) uses an SAP for internal emails with the domain consultants.getcloudyconsulting.com. All three accounts use the private domain pages.getcloudyconsulting.com for their landing pages.

Now that you understand the features and benefits of an SAP, let’s focus on those dedicated IP addresses. Get ready to get cozy, as we cover IP warm-up in the next unit.

Resources