Skip to main content

Configure Trusted and Compliant Email Sending

Learning Objectives

After completing this unit, you’ll be able to:

  • Configure sending identity for trusted email delivery.
  • Configure consent settings for compliant email sending.
  • Enable reply handling to manage responses and opt-out keywords.
  • Protect engagement accuracy by filtering nonhuman activity.

Set Up Trusted, Subscriber-Friendly Sending

Isabelle wants to establish a strong foundation of trust for Northern Trail Outfitters (NTO) email campaigns. She wants customers to trust the email they receive from NTO, and she wants the results from the email to deliver trustworthy results for NTO. To make this happen, she needs to set up a few key things that shape how email is sent, how subscribers interact with email, and how engagement is measured.

Building trust in the email and trust in the results takes a few intentional setup choices. That’s why you establish a trusted sending identity, configure consent and subscriptions, manage replies, and protect engagement data to support credible email and reliable results.

Marketing Cloud Next is the connected system that builds trust in the email and trust in the results.

Establish Your Trusted Sending Identity

A trusted sending identity helps inbox providers recognize your messages, helps customers feel confident opening them, and protects your brand from impersonation. You establish this identity by ensuring your org has a physical address attached, authenticating a sending domain, adding approved “from addresses,” and branding the links inside your email.

Include a Physical Address

Let’s start with something easy–including a physical mailing address for your org. Aside from being a legal requirement for commercial email sending under laws such as the CAN-SPAM Act (US), CASL (Canada), and GDPR (EU), a valid physical address builds trust with your audience and signals legitimacy to email clients and spam filters, which means your deliverability and sender reputation will stay healthy.

Here’s how to enter a physical mailing address for your org.

Important: Take these steps in your Trailhead playground to pass the hands-on challenge at the end of the unit.

  1. From Setup, search for and select Company Information.
  2. Click Edit.
  3. Under the Address section, enter the following information:
    • Street: 25 Pleasant Rd
    • City: San Francisco
    • State/Province: California
    • Zip/Postal Code: 12345
    • Country: USA
  4. Under Security Contact Information, enter any name, phone number, and email. This is a required field, but it’s not part of the challenge.
  5. Click Save.

Authenticate a Sending Domain

When you authenticate your sending domain, you prove to inbox providers that your organization is the legitimate sender of your email. This helps prevent spoofing—when someone tries to impersonate your brand—and protects your reputation so inbox providers are more likely to deliver your messages.

Note

Email sending is disabled in the Trailhead Playground–you will not be able to complete the steps in the next three sections for setting up authentication, adding authenticated from addresses, and creating tracking domains in your playground. But you can still follow along to explore the interface and navigation.

Before you begin, confirm the subdomain that your org uses for marketing email. You also want to identify the IT contact who’s responsible for your org’s domain name send (DNS) records. After you enter your domain details in Salesforce, Salesforce generates DNS records such as CNAME, DKIM, and DMARC. When you have those records, send them to your IT team contact so they can publish them with your domain registrar.

Follow these steps to set up authentication.

  1. From Setup, search for and select Authenticated Domains in the Quick Find box. You manage all sending domains from this page.
  2. Click Add Domain and then Continue.
  3. Enter your Subdomain name and click Submit.
  4. Enter a Display Name and Username and click Create New.
  5. Review the DNS instructions, go to the Update the DNS Records section, and click Download.
  6. Share the downloaded information with your IT team so they can publish the records with your domain registrar.
  7. After you confirm that your IT team has published these records, return to the Authenticated Domains page, check the box next to “I completed my changes with my DNS provider.”, and click Activate my Domain.
  8. Since DNS changes can take up to 48 hours to propagate, a window will pop up prompting you to enter your email address so that you can receive a notification when your DNS records are updated.
  9. Click Finish.
  10. If verification fails, return to the Authenticated Domains page to review the inline error messages for each DNS record. These messages tell you which record didn’t match what Salesforce expected. Share these details with your IT team. After IT updates the DNS entries, use the Verify DNS Entries option and select Retry to attempt verification again.

Once verification is complete, your domain is ready for authenticated email sending in Marketing Cloud Next.

Add Authenticated From Addresses

When you create an authenticated domain, you also create an initial from address. You can add additional from addresses that use the same authenticated domain so your marketing team can choose the sender that best fits each campaign.

Here’s how to add another from address.

  1. From Setup, enter and select Authenticated From Addresses in the Quick Find field.
  2. Click Add From Addresses.
  3. Enter a Display Name.
  4. Enter the Username, also known as the local part of the email.
  5. Select your authenticated domain; note that this field may already be populated.
  6. Click Save.

Each from address that you add becomes available for campaign sends that use the authenticated domain. This gives your marketing team flexibility while keeping a consistent, trusted sender identity.

Set Up Branded Tracking Domains

If you want to use a branded tracking domain, start by connecting with your Salesforce admin. They can work with IT or security teams to handle the certificate and DNS setup. Salesforce tracks when people click links in your email. After you set up your from addresses, you can use a branded tracking domain so those links reflect your brand instead of a generic address. This helps customers feel more confident clicking.

Before you create a branded tracking domain, confirm that your sending domain is fully authenticated.

Here’s how to create the certificate your branded tracking domain uses.

  1. From Setup, in the Quick Find box, search for and select Certificate and Key Management.
  2. Click Create Self-Signed Certificate.
  3. Enter a descriptive label for the Salesforce certificate in the Label field.
  4. Enter a unique name in the Unique Name field. You can also use the name that’s automatically populated based on the certificate label that you enter.
  5. Select a key size for your generated certificate and keys from the dropdown list. Note that after you save a Salesforce certificate, you can’t change its type or key size.
  6. Click Save.

Now you’re ready to create a branded tracking domain for your links. Here’s what to do.

  1. From Setup, in the Quick Find box, search for and select Links.
  2. In Manage Domains, click Create New.
  3. Enter your domain name.
  4. Select your DNS certificate—this is the certificate you just created.
  5. Click Save. If you receive a generic error at this point, check that your sending domain is fully authenticated before trying again.

Once your branded tracking domain is in place, every tracked link in your email carries your org’s name instead of a generic redirect. You now give customers a consistent, trustworthy experience from the moment your message hits their inbox to the moment they click.

It’s important to set up consent so that NTO only emails people who intentionally opted in. Consent settings define how subscribers give permission, update preferences, and unsubscribe. This helps NTO comply with email and privacy regulations—such as GDPR and CAN-SPAM—and gives customers control over what they receive.

You manage consent through communication subscriptions. A best practice is to separate subscriptions by message type, such as marketing or product updates, so subscribers can control what they receive.

Here’s how to configure consent.

Important: Take these steps in your Trailhead playground to pass the hands-on challenge at the end of the unit.

  1. From Setup, in the Quick Find box, search for and select Consent under Unified Messaging.
  2. Select Subscriptions.
  3. Click New Subscription to create a new communication subscription.
  4. Enter Marketing under Subscription Name, and select Email under Channels.
  5. Click Save.
  6. In the Email Preference Page section, click View Page to review the default Preference Manager page and confirm the opt-in and opt-out subscriber experience.
Note

You may already have a configured Subscription in your org. Use the dropdown menu to select Edit and confirm that email has been selected as a channel.

After you review the preference page, Marketing Cloud Next uses it to manage opt-ins and opt-outs across campaigns. You can link to this page in your email so that subscribers can manage their preferences at any time.

Managing consent at the subscription level creates a clear, consistent way to determine who can receive your messages and how those preferences apply across campaigns. When you send email, Marketing Cloud Next delivers messages only to subscribers who have opted in.

Optional: Import Existing Consent

If you’ve already been managing an email program and have an existing list of subscribers who have given consent, you can import consent records so that Marketing Cloud Next continues honoring those opt-ins and opt-outs.

Here’s an example of how that works.

  1. In Consent, select Consent Imports.
  2. Click Import, select Email under Channel.
  3. Select your subscription under Communication Subscription, choose Opt In, and click Next.
  4. Upload a CSV file with the contacts you want to update, click Next, and then click Import.
    • For best results, use the consent sample file available during the import process as a starting point, and replace the sample values with contacts from your org when you’re ready.
  5. After the import finishes, open the Preference Manager page again to preview how the opt-in and opt-out options appear for those subscribers, based on the active communication subscriptions you’ve configured. Confirm that the correct options are visible.

Now you can send email while honoring your subscribers’ existing consent choices.

Enable Reply Mail Management

Now that you can email people who opted in, you also need a simple way to manage replies. Customers send all kinds of responses—questions, out-of-office notices, and even unsubscribe requests—and you don’t want those messages sitting in an unmonitored inbox. Reply Mail Management filters automatic replies, routes real messages to the inboxes that your team monitors, and processes common opt-out keywords so that customers stay in control.

To enable Reply Mail Management, take these steps. (You won’t be able to enable Reply Mail Management in your Trailhead playground.)

  1. From Setup, in the Quick Find box, search for and select Authenticated Domains. Confirm that your authenticated sending domain is active.
  2. In the All Authenticated Domains section, select Show Details from the dropdown menu for your domain.
  3. Select the Reply Mail Management tab.
    • If your authenticated domain isn’t active, the configuration options won’t appear.
  4. Choose how you want Salesforce to handle automatic replies. Set up:
    • Delete Auto-Responses to remove common out-of-office and bounce messages.
    • Auto-Response to send an optional acknowledgment to replies that aren’t filtered out.
    • Routing to forward meaningful replies to a monitored inbox or designated user.
  5. Click Save.

Reply Mail Management helps reduce manual cleanup, respond to real customer messages, and process unsubscribe requests quickly and consistently, without extra steps for your team.

Note

Reply Mail Management automatically processes common opt-out keywords such as stop, unsubscribe, or remove to manage unsubscribe requests without manual intervention. It applies to all messages sent from your authenticated domain and can’t be turned on per campaign.

Turn On Einstein Metrics Guard

After you start sending more email, you want reporting that reflects real customer engagement—not bot scans or automated security checks. Einstein Metrics Guard helps you do that by using AI to identify and filter out activity that’s unlikely to have come from humans, so your open and click rates stay meaningful.

Here’s how to turn on Einstein Metrics Guard.

  1. From Setup, in the Quick Find box, enter Unified Messaging and select Settings.
  2. Locate and click the Einstein Metrics Guard toggle so that it’s enabled.

After activation, you can review your engagement reports with greater confidence that your metrics reflect interactions from real customers.

Let’s Recap

You’ve set the guardrails that support both trust in the email and trust in the results. By establishing a trusted sending identity, honoring subscriber choices, managing replies, and protecting engagement data, you ensure email feels credible to customers and produces results your business can rely on. With this foundation in place, you’re ready to move into building and sending campaigns with confidence.

Resources

Salesforce 도움말에서 Trailhead 피드백을 공유하세요.

Trailhead에 관한 여러분의 의견에 귀 기울이겠습니다. 이제 Salesforce 도움말 사이트에서 언제든지 새로운 피드백 양식을 작성할 수 있습니다.

자세히 알아보기 의견 공유하기