Understand Authentication and SAP
Learning Objectives
After completing this unit, you’ll be able to:
- Understand the components of an SAP.
- Identify authentication types.
Authentication and DNS Records
To improve the likelihood that your email gets to the intended recipient, emails should be authenticated, not just validated. Google and other ISPs take authentication seriously. They check for all industry-accepted forms of authentication using your DNS record. Additionally, authentication reduces the likelihood of spam, spoofing, and phishing attacks, thus protecting your brand and reducing spam complaints.
Sample DNS Record
To better understand authentications in relation to DNS, let’s take a look at a sample DNS record for the domain: em.example.com.
| Host Name | Type | Value | Notes |
|---|---|---|---|
|
em.example.com |
MX 10 |
reply.s10.exacttarget.com |
This server captures replies using our reply mail management (RMM) feature. |
|
em.example.com |
A |
13.111.18.27 |
This prevents blocking by certain spam filters that require an A record instead of just an MX record. |
|
em.example.com |
TXT |
v=spf1 include:custo-spf.exacttarget.com -all |
This provides support for sender policy framework (SPF) authentication. |
|
bounce.em.example.com |
MX 10 |
bounces.s10.exacttarget.com |
This is the return-path (bounce-handling) domain. Uses variable envelope return path (VERP). |
|
bounce.em.example.com |
A |
13.111.18.10 |
This prevents blocking by certain spam filters that require an A record instead of just an MX record. |
|
bounce.em.example.com |
TXT |
v=spf1 include:custo-spf.exacttarget.com -all |
This provides support for SPF authentication. |
|
reply.em.example.com |
MX 10 |
reply.s10.exacttarget.com |
This server captures replies using our RMM feature. |
|
reply.em.example.com |
TXT |
v=spf1 include:custo-spf.exacttarget.com -all |
This provides support for SPF authentication. |
|
leave.em.example.com |
MX 10 |
reply.s10.exacttarget.com |
Handles unsubscribes using “list unsub” header functionality. |
|
image.em.example.com |
CNAME |
images.s10.exacttarget.com.edgesuite.net |
Image hosting using Akamai content delivery network (CDN) for caching. |
|
view.em.example.com |
CNAME |
view.virt.s10.exacttarget.com |
Handles “view as a webpage” application functionality. |
|
click.em.example.com |
CNAME |
click.virt.s10.exacttarget.com |
Handles click tracking application functionality. |
|
pages.em.example.com |
CNAME |
pages.virt.s1.exacttarget.com |
Handles landing pages application functionality. |
|
cloud.em.example.com |
CNAME |
pub.s10.exacttarget.com |
Handles CloudPages application functionality. |
|
10dkim1.domainkey.em.example.com |
TXT |
k=rsa; p=MIIBljANBgkqhkiG9w0BAQE... |
This is the public key information for DomainKeys identified mail (DKIM) email authentication. |
|
mta.em.example.com |
A |
13.111.1.2 |
This is the sending IP address of the specific mail transfer agent (MTA also known as mail server) used to serve mail for this particular customer. |
Want a deeper dive on authentication and DNS? Check out the help page on DNS record management.
If Salesforce isn’t managing your DNS records for you (self-hosting DNS), be sure your company’s IT department understands these authentication concepts and fills out these DNS entries correctly.
Sender Authentication Package (SAP)
While you can authenticate and register your domain independently, a Sender Authentication Package (SAP) through Salesforce ensures you have compliant, authenticated email messages when sending from our platform.
But what exactly do you get with an SAP? As mentioned in the previous unit, an SAP is a collection of products, including an authenticated private domain with link and image wrapping, a dedicated IP address, and reply mail management (RMM). While some of these products can be purchased individually, an SAP is best thought of as an account branding tool, as link and image wrapping is only offered with an SAP.
Private Domain
Message authentication helps ISPs know that your sends are legitimate. Private Domain is a paid product that provides Sender policy framework (SPF) and DomainKeys identified mail (DKIM) authentication to your Marketing Cloud Engagement sending domain.
- Sender policy framework (SPF) is a DNS-based email authentication feature that allows senders to publish a list of IP addresses that are used for sending.
- DomainKeys identified mail (DKIM) signs messages with a cryptographic signature that verifies the domain and prevents spoofing.
Together, these authentication methods satisfy Domain-based message authentication reporting and conformance (DMARC). DMARC is a protocol that determines the authenticity of an email message. A properly configured DMARC policy can tell a receiving server whether or not to accept email from a particular center. Not all receiving servers perform a DMARC check before accepting a message, but most major ISPs do.
Link and Image Wrapping
Branding matters when it comes to emails! When subscribers know who the email is coming from, it helps reduce spam complaints. Link and image wrapping removes all references to our default Marketing Cloud Engagement address (exacttarget.com) in favor of your authenticated domain.
So for example, once Get Cloudy Consulting obtains an SAP and selects a domain, its links might go from: http://image.s.qa12.exacttarget.com/example.png to http://images.getcloudyconsulting.com/123.png. This ensures all aspects of your email are on brand for your company.
An SAP Example
Now let’s take a look at two example emails for comparison with and without an SAP.
Without an SAP
- SAP domain: none
- RMM domain: none
- SPF/Bounce (1): bounce.exacttarget.com
- DKIM domain: none
- VAWP (view as webpage) domain (2): view.exacttarget.com
- Click domain(3): click.exacttarget.net
- Image library domain(4): image.exacttarget.net
- Sending IP address host: mtaX.exacttarget.com
With an SAP
- SAP domain(1): em.ntodemo.com
- RMM domain (2): reply.em.ntodemo.com
- SPF/Bounce (3): bounce.em.ntodemo.com
- DKIM domain (3): em.ntodemo.com
- VAWP (View as webpage) domain(4): view.em.ntodemo.com
- Click domain (5): click.em.ntodemo.com
- Image library domain(6): image.em.ntodemo.com
- Sending IP address host: mta.em.ntodemo.com
While an SAP alone won’t guarantee that your mail is never labeled as spam, it helps an ISP identify good senders from bad senders.
FAQs
We searched the vault, and here are some commonly asked questions surrounding DNS and SAPs.
| Question | Answer |
|---|---|
|
Who should purchase an SAP? |
An SAP is a great choice for anyone sending more than 100k messages/month (the minimum needed to keep a dedicated IP ramped up) who is also concerned about branding and wants to ensure ExactTarget domains aren’t visible in links or images. |
|
Can I use an SAP for the branding even though I don’t send emails at a high volume to warrant a dedicated IP? |
Absolutely. If you’re sending less than 100k per month, you can still benefit from authentication and branding aspects of an SAP. Low volume only impacts dedicated IP addresses. More on IP volume in the next unit. |
|
Can we put multiple SAPs on one account? |
No, a single Marketing Cloud Engagement account number (each MID) can support only one SAP, but you can have as many private domains on a single account as you wish. For example, Get Cloudy has a parent account and two child accounts. They have an SAP for each child account. Child account (MID 12345) uses an SAP for clients with the domain clients.getcloudyconsulting.com. The other child account (MID 23456) uses an SAP for internal emails with the domain consultants.getcloudyconsulting.com. All three accounts use the private domain pages.getcloudyconsulting.com for their landing pages. |
Now that you understand the features and benefits of an SAP, let’s focus on those dedicated IP addresses.
