Sender Authentication Package (SAP)

What is the Marketing Cloud Sender Authentication Package (SAP)?

The Sender Authentication Package (SAP) is a collection of Marketing Cloud products that brands your links to match your company name and, through the included Private Domain, helps your emails reach the inbox at email service providers. It is a one-time setup and you should not have to reconfigure it. In fact, Salesforce will charge you to reconfigure it, so make sure you set it up properly the first time.

The Sender Authentication Package is essentially a branding tool that wraps your links with your domain or subdomain, i.e., or It is used to wrap your links, images, and headers and is the value associated with your brand.

Only one Sender Authentication Package is allowed for each business unit — meaning you cannot have more than one Sender Authentication Package on a single business unit. But you can have multiple Private Domains on a single business unit — this will be explained in detail below.

Choose a Domain or Subdomain

The first thing you’ll need to do is decide on the domain or subdomain you want to use for Sender Authentication. This domain or subdomain will be used exclusively for Salesforce Marketing Cloud. See Steps for Sender Authentication Profile (SAP) configuration below.

There are 4 options for your domain or subdomain:
(1) Letting Salesforce Marketing Cloud purchase the domain for you. i.e.,
(2) Purchase the domain yourself or use an unused domain you own,
(3) Delegate a subdomain you own — This is what I recommend and what I have seen most clients use. i.e. More on Subdomain Delegation.
(4) Host all DNS records of a domain or subdomain you own.

Sender Authentication Package includes:

  • Private Domain
  • Dedicated IP Address (a minimum of 250,000 sends a month)
  • Reply Mail Management
  • Authentication

Private Domain

The private domain is used to send authenticated email and acts as your From Address. You can have multiple Private Domains on a single business unit for use in your From Address. The Private Domain does not include link or image-wrapping. It will be authenticated using Sender Policy Framework (SPF), Sender ID, and DomainKeys/DKIM authentication.

Dedicated IP Address

This IP address is unique to your account and all mail you send from SFMC will use this IP address. The majority of your sender reputation will be based on this IP address. If you send fewer than 250,000 messages a month, you will be on a shared IP address, meaning other accounts (not just your company) may be on that same pool of IP addresses.

Reply Mail Management

When your customers receive an email, they can hit the reply button to send an email back. The reply mail management is the mechanism to control where those messages end up. The emails can be re-routed to an internal inbox and automatic triggers can be sent immediately.


Authentication

For deliverability (to get the email inboxed), SFMC authenticates sends using Sender Policy Framework (SPF), Sender ID, and DomainKeys/DKIM authentication.

Steps for Sender Authentication Profile (SAP) configuration

1. Decide on what domain or subdomain you want to use for Sender Authentication

If you pick a new domain name, make sure it looks similar to your current domain name and/or your company name. If you choose a subdomain, we suggest using a prefix such as email, em, mail or lists. If your domain is, choosing a subdomain prefix of “em” might be a good choice, giving you or to use as your subdomain for use in Marketing Cloud.

The subdomain used will need to be exclusive for Salesforce Marketing Cloud use only.

2. Decide if you want to delegate the subdomain or keep hosting DNS entries yourself.

As part of subdomain delegation, you point a specific subdomain, host or zone name, to Marketing Cloud DNS servers: – the domain name – the current website URL – the servers used by your domain – the subdomain used by Marketing Cloud

In this example, Marketing Cloud uses only the configured subdomain ( and nothing else. Your Marketing Cloud-related tasks do not impact any other portion of your domain. While the example uses the subdomain, you can specify a value other than email for the subdomain.

Choose a value that your subscribers recognize, as this value appears in the From Name line in your email messages.

You need to delegate the subdomain using NS records, not CNAME. CNAME only “masks” behind your SAP domain, but you still remain in ownership of it. Delegating requires your IT team to delegate the entire subdomain, and you can only have your SAP DNS entries managed by Salesforce.

You will be given a zone file for your IT team to configure for your subdomain/domain. Example zone file:


@               IN MX 10
@               IN A  

bounce          IN MX 10
reply           IN MX 10
leave           IN MX 10

image           IN CNAME
view            IN CNAME
click           IN CNAME
pages           IN CNAME
cloud           IN CNAME

mta             IN A  

11dkim1._domainkey  IN TXT ( "v=DKIM1; k=rsa; p=DKIM Details here" )

; the above TXT record should be a single multi-line TXT record

@               IN TXT          "v=spf1 -all"
bounce          IN TXT          "v=spf1 -all"
reply           IN TXT          "v=spf1 -all"

_dmarc          IN TXT          "v=DMARC1; p=reject; pct=100;"
; the above TXT record is optional, but can serve as a placeholder to pass DMARC if you do not currently have a DMARC setting
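
A quick lint for a zone file in this layout before it goes to your IT team, added here as an example and not taken from the original post or from Salesforce. The sample zone, its host names and the DKIM key are constructed placeholders; the checks cover missing record targets and the SPF, DKIM and DMARC TXT records.

```python
import re

# Constructed sample in the layout of the zone file above. Host names and the
# DKIM key are placeholders, not values issued by Salesforce.
SAMPLE_ZONE = """
@        IN MX 10 mx.mail.example.net.
reply    IN MX 10
click    IN CNAME click.mail.example.net.
11dkim1._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIGfPLACEHOLDERKEY" )
@        IN TXT "v=spf1 include:spf.mail.example.net -all"
bounce   IN TXT "v=spf1 -all"
_dmarc   IN TXT "v=DMARC1; p=reject; pct=100;"
"""

RECORD = re.compile(r"^([^;\s]\S*)\s+IN\s+(MX|A|CNAME|TXT)\b\s*(.*)$")

def tags(value):
    # Split a "k=v; k=v" TXT value (DKIM, DMARC) into a dict.
    return dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)

def lint_zone(text):
    """Return a list of findings for one zone file given as text."""
    findings, seen = [], set()
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # blank line, comment, or a record type not checked here
        name, rtype, rdata = m.groups()
        if rtype != "TXT":
            # MX needs a preference and a target; A and CNAME need one value.
            if len(rdata.split()) < (2 if rtype == "MX" else 1):
                findings.append(f"{name} {rtype}: no target")
            continue
        value = "".join(re.findall(r'"([^"]*)"', rdata))  # join quoted chunks
        if value.startswith("v=spf1"):
            seen.add("SPF")
            terms = value.split()[1:]
            if terms[-1:] != ["-all"]:
                findings.append(f"{name} SPF: does not end in -all")
            elif len(terms) == 1:
                findings.append(f"{name} SPF: -all alone authorizes no sender")
        elif name.endswith("._domainkey"):
            seen.add("DKIM")
            if tags(value).get("v", "DKIM1") != "DKIM1" or not tags(value).get("p"):
                findings.append(f"{name} DKIM: bad version or empty key")
        elif name == "_dmarc":
            seen.add("DMARC")
            if tags(value).get("p") not in ("none", "quarantine", "reject"):
                findings.append(f"{name} DMARC: missing or invalid p=")
    return findings + [f"no {k} record" for k in ("SPF", "DKIM", "DMARC") if k not in seen]
```

Calling `lint_zone(SAMPLE_ZONE)` reports the `reply` MX record that has no target and the `bounce` SPF record that lists no sending source.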


If you want to keep hosting the DNS entries yourself, and possibly also have additional records created, there is an option of self-hosting. Here Salesforce will provide you with a list of entries to add to your DNS settings, to have all point to the right domains/IPs. However, if e.g. an IP is later changed by Salesforce, you will be notified and will need to update your DNS accordingly. This will not be needed if the subdomain is delegated.

Here is documentation of a “sample” list of settings you need to maintain, if you choose to self-host the DNS.

I recommend full delegation in every case, as this is a one-off task and leaves Salesforce with the responsibility of keeping the DNS records up to date.

3. Sending for success

For maximum deliverability success, we strongly recommend that you use your new subdomain as your FROM address in Salesforce Marketing Cloud, i.e. The private subdomain ( will be authenticated with DKIM, SenderID, and SPF.

Note that the domain you use with Sender Authentication Package can only be used for Salesforce emails.
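
Why the From address should sit on the authenticated subdomain: a DMARC-style alignment check over a received message, added here as an example and not part of the original post. The message and its domains are constructed, and it assumes the envelope sender uses the bounce host and the DKIM signature uses the subdomain, as the zone file layout suggests; the organizational-domain rule is simplified to the last two labels.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message. All domains are placeholders; 11dkim1 is the selector
# name from the example zone file above.
SAMPLE = """\
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=bounce-1@bounce.em.example.com;
 dkim=pass header.d=em.example.com header.s=11dkim1
From: Example Brand <news@em.example.com>
Subject: constructed sample

body
"""

# The property that carries the authenticated domain for each method.
PROP = {"spf": r"smtp\.mailfrom", "dkim": r"header\.d"}

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. A real
    # evaluator consults the Public Suffix List (needed for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, strict):
    if strict:
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_alignment(raw_message, strict=False):
    """Report which passing mechanisms align with the From: domain."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    result = {"from": from_domain, "spf": False, "dkim": False}
    for part in msg.get("Authentication-Results", "").split(";"):
        method = re.match(r"\s*(spf|dkim)=pass\b", part)
        if not method:
            continue
        name = method.group(1)
        domain = re.search(PROP[name] + r"=(?:\S*@)?([\w.-]+)", part)
        if domain and aligned(from_domain, domain.group(1), strict):
            result[name] = True
    # DMARC passes when at least one passing mechanism is aligned.
    result["dmarc"] = result["spf"] or result["dkim"]
    return result
```

With the From address moved to an unrelated domain, both mechanisms still pass on their own but neither aligns, so the `dmarc` result is false.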

Sender Profile

Sender profiles specify the From information for the email send, such as:

From Name:

From Email Address:

Multiple sender profiles can be created depending on what type of email message is to be sent but the sending domain must remain the same (


The Sender Authentication Package is a relatively simple one-time setup. Please let me know in the comments below if you have any questions about setting up the Sender Authentication Package.


  1. Hi Jackson

    As a Marketing Cloud Consultant I always find explaining SAP in all its complexity to my clients fairly challenging as there is a lot of technical detail in an area most people find quite confusing.

    That said I find for most organisations delegating a subdomain seems like the best choice.

    Do you have a similar view or a different opinion?

    1. Yes I agree. Delegating the subdomain is what I see most often. SFMC requires that the domain/subdomain be used exclusively for ET servers so it makes sense to use a subdomain without having to essentially tie up the root level domain.

  2. Hi.

    We have multiple business units, 4 to be exact. Top is our main account and 3 other business units. We would like to configure so that link and image wrapping are separate for each business unit with domain suffixes like *.si -> *.hr -> *.ba -> *.rs. Is that even possible?

    I’ve gone through their instruction a couple of times but they apparently changed the rule to SAP package/account and private domains for the rest.

    Would appreciate your response.

