Sender Authentication Package (SAP)

What is the Marketing Cloud Sender Authentication Package (SAP)?

The Sender Authentication Package (SAP) is a collection of products in Marketing Cloud to provide branding for links to match your company name and help your emails get inboxed into email service providers — using the included Private Domain. It is a one-time set up and you should not have to reconfigure it. In fact, Salesforce will charge you to reconfigure it, so make sure you set it up properly the first time.

The Sender Authentication Package is essentially a branding tool that wraps your links with your domain or subdomain, i.e. links.email.ampscript.com, or images.email.ampscript.com. It is used to wrap your links, images, and headers and is the value associated with your brand.

Only one Sender Authentication Package is allowed for each business unit — meaning you cannot have more than one Sender Authentication Package on a single business unit. But you can have multiple Private Domains on a single business unit — this will be explained in detail below.

Choose a Domain or Subdomain

The first thing you’ll need to do is to decide on the domain or subdomain you want to use for Sender Authentication. This domain or subdomain will be used exclusively for Salesforce Marketing Cloud only. See Steps for Sender Authentication Profile (SAP) configuration below.

There are 4 options for your domain or subdomain:
(1) Letting Salesforce Marketing Cloud purchase the domain for you. i.e. ampscript-email.com,
(2) Purchase the domain yourself or use an unused domain you own,
(3) Delegate a subdomain you own — This is what I recommend and what I seen most clients use. i.e. email.ampscript.com. More on Subdomain Delegation.
(4) Host all DNS records of a domain or subdomain you own.

Sender Authentication Package includes:

  • Private Domain
  • Dedicated IP Address (a minimum of 250,000 sends a month)
  • Reply Mail Management
  • Authentication

Private Domain

The private domain is used to send authenticated email and acts as your From Address. You can have multiple Private Domains on a single business unit for use in your From Address. The Private Domain does not include link or image-wrapping. It will be authenticated using Sender Policy Framework (SPF), Sender ID, and DomainKeys/DKIM authentication.

Dedicated IP Address

This IP address is unique to your account and all mail you send from SFMC will use this IP Address. The majority of your sender reputation will be based on this IP Address. If you send less than 250,000 messages a month, you will be on a shared IP address meaning other accounts (not just your company) may be on that same pool of IP addresses.

Reply Mail Management

When your customers receive an email, they can hit the reply button to send an email back. The reply mail management is the mechanism to control where those messages end up. The emails can be re-routed to an internal inbox and automatic triggers can be sent immediately.

Authentication

For deliverability (to the get email inboxed), SFMC authenticates sends using Sender Policy Framework (SPF), Sender ID, and DomainKeys/DKIM authentication.

Steps for Sender Authentication Profile (SAP) configuration

1. Decide on what domain or subdomain you want to use your for Sender Authentication

If you pick a new domain name, make sure it looks similar to your current domain name and/or your company name. If you choose a subdomain, we suggest using a prefix such as email, em, mail or lists. If your domain is example.com, choosing a subdomain prefix of “em” might be a good choice, giving you em.example.com or email.example.com to use as your subdomain for use in Marketing Cloud.

The subdomain used will need to be exclusive for Salesforce Marketing Cloud use only.

2. Decide if you want to delegate the subdomain or keep hosting DNS entries yourself.

As part of subdomain delegation, you point a specific subdomain, host or zone name, to Marketing Cloud DNS servers:

ampscript.com – the domain name

www.ampscript.com – the current website URL

server.ampscript.com – the servers used by your domain

email.ampscript.com – the subdomain used by Marketing Cloud

In this example, Marketing Cloud uses only the configured subdomain (email.ampscript.com) and nothing else. Your Marketing Cloud-related tasks do not impact any other portion of your domain. While the example uses the subdomain email.ampscript.com, you can specify a value other than email for the subdomain.

Choose a value that your subscribers recognizes, as this value appears in the From Name line in your email messages.

You need to delegate the subdomain using NS records, not CNAME. CNAME only “masks” ns2.exacttarget.com behind your SAP domain, but you still remain in ownership of it. Delegating requires your IT team to delegate the entire subdomain, and you can only have your SAP DNS entries managed by Salesforce.

You will be given a zone file for your IT team to configure for your subdomain/domain. Example zone file:

					
$TTL 1H
$ORIGIN email.ampscript.com.


@               IN MX 10        reply.s11.exacttarget.com.
@               IN A            13.111.67.8

bounce          IN MX 10        bounce.s11.exacttarget.com.
reply           IN MX 10        reply.s11.exacttarget.com.
leave           IN MX 10        reply.s11.exacttarget.com.

image           IN CNAME        images.s11.exacttarget.com.edgesuite.net.
view            IN CNAME        view.virt.s11.exacttarget.com.
click           IN CNAME        click.virt.s11.exacttarget.com.
pages           IN CNAME        pages.virt.s11.exacttarget.com.
cloud           IN CNAME        pub.s11.exacttarget.com.

mta             IN A            13.111.xxx.xxx


11dkim1._domainkey  IN TXT ( “v=DKIM1; k=rsa; p=DKIM Details here” )

##the above TXT record should be a single multi-line TXT record


@               IN TXT          “v=spf1 include:cust-spf.exacttarget.com -all”
bounce          IN TXT          “v=spf1 include:cust-spf.exacttarget.com -all”
reply           IN TXT          “v=spf1 include:cust-spf.exacttarget.com -all”

_dmarc		IN TXT		“v=DMARC1; p=reject; pct=100;”
## the above TXT record is optional, but can serve as a placeholder to pass dmarc if you do not currently have a dmarc setting

If you want to keep hosting the DNS entries yourself, and possibly also have additional records created, there is an option of self-hosting. Here Salesforce will provide you with a list of entries to add to your DNS settings, to have all point to the right domains/IPs. However, if e.g. an IP is later changed by Salesforce, you will be notified and will need to update your DNS accordingly. This will not be needed if the subdomain is delegated.

Here is documentation of a “sample” list of settings you need to maintain, if you choose to self-host the DNS.

I will recommend full delegation anytime, as this is a one-off task, and leaves Salesforce with the responsibility of keeping the DNS records up to date.

3. Sending for success

For maximum deliverability success, we strongly recommend that you use your new subdomain as your FROM address in Salesforce Marketing Cloud, i.e. welcome@email.ampscript.com. The private subdomain (email.ampscript.com) will be authenticated with DKIM, SenderID, and SPF.

Note that the domain you use with Sender Authentication Package can only be used for Salesforce emails.

Sender Profile

Sender profiles specifies the From Information for the email send such as:

From Name: AMPscript.com

From Email Address: email@email.ampscript.com

Multiple sender profiles can be created depending on what type of email message is to be sent but the sending domain must remain the same (email.ampscript.com).

Conclusion

The Sender Authentication Package is a relatively simple one-time set up. Please let me know if you have any questions in settings up the Sender Authentication Package in the comments below.

2 comments

  1. Hi Jackson

    As a Marketing Cloud Consultant I always find explaining SAP in all it’s complexity to my clients fairly challenging as there is a lot of technical detail in a area most people find quite confusing.

    That said I find for most organisations delegating a subdomain seems like the best choice.

    Do you have a similar view or a different opinion?

    1. Yes I agree. Delegating the subdomain is what I see most often. SFMC requires that the domain/subdomain be used exclusively for ET servers so it makes sense to use a subdomain without having to essentially tie up the root level domain.

Leave a Reply

Your email address will not be published. Required fields are marked *