What is the Marketing Cloud Sender Authentication Package (SAP)?
The Sender Authentication Package (SAP) is a collection of products in Marketing Cloud to provide branding for links to match your company name and help your emails get inboxed into email service providers — using the included Private Domain. It is a one-time set up and you should not have to reconfigure it. In fact, Salesforce will charge you to reconfigure it, so make sure you set it up properly the first time.
The Sender Authentication Package is essentially a branding tool that wraps your links with your domain or subdomain, i.e. links.email.ampscript.com, or images.email.ampscript.com. It is used to wrap your links, images, and headers and is the value associated with your brand.
Only one Sender Authentication Package is allowed for each business unit — meaning you cannot have more than one Sender Authentication Package on a single business unit. But you can have multiple Private Domains on a single business unit — this will be explained in detail below.
Choose a Domain or Subdomain
The first thing you’ll need to do is to decide on the domain or subdomain you want to use for Sender Authentication. This domain or subdomain will be used exclusively for Salesforce Marketing Cloud only. See Steps for Sender Authentication Profile (SAP) configuration below.
There are 4 options for your domain or subdomain:
(1) Letting Salesforce Marketing Cloud purchase the domain for you. i.e. ampscript-email.com,
(2) Purchase the domain yourself or use an unused domain you own,
(3) Delegate a subdomain you own — This is what I recommend and what I seen most clients use. i.e. email.ampscript.com. More on Subdomain Delegation.
(4) Host all DNS records of a domain or subdomain you own.
Sender Authentication Package includes:
- Private Domain
- Dedicated IP Address (a minimum of 250,000 sends a month)
- Reply Mail Management
The private domain is used to send authenticated email and acts as your From Address. You can have multiple Private Domains on a single business unit for use in your From Address. The Private Domain does not include link or image-wrapping. It will be authenticated using Sender Policy Framework (SPF), Sender ID, and DomainKeys/DKIM authentication.
Dedicated IP Address
This IP address is unique to your account and all mail you send from SFMC will use this IP Address. The majority of your sender reputation will be based on this IP Address. If you send less than 250,000 messages a month, you will be on a shared IP address meaning other accounts (not just your company) may be on that same pool of IP addresses.
Reply Mail Management
When your customers receive an email, they can hit the reply button to send an email back. The reply mail management is the mechanism to control where those messages end up. The emails can be re-routed to an internal inbox and automatic triggers can be sent immediately.
For deliverability (to the get email inboxed), SFMC authenticates sends using Sender Policy Framework (SPF), Sender ID, and DomainKeys/DKIM authentication.
Steps for Sender Authentication Profile (SAP) configuration
1. Decide on what domain or subdomain you want to use your for Sender Authentication
If you pick a new domain name, make sure it looks similar to your current domain name and/or your company name. If you choose a subdomain, we suggest using a prefix such as email, em, mail or lists. If your domain is example.com, choosing a subdomain prefix of “em” might be a good choice, giving you em.example.com or email.example.com to use as your subdomain for use in Marketing Cloud.
The subdomain used will need to be exclusive for Salesforce Marketing Cloud use only.
2. Decide if you want to delegate the subdomain or keep hosting DNS entries yourself.
As part of subdomain delegation, you point a specific subdomain, host or zone name, to Marketing Cloud DNS servers:
ampscript.com – the domain name
www.ampscript.com – the current website URL
server.ampscript.com – the servers used by your domain
email.ampscript.com – the subdomain used by Marketing Cloud
In this example, Marketing Cloud uses only the configured subdomain (email.ampscript.com) and nothing else. Your Marketing Cloud-related tasks do not impact any other portion of your domain. While the example uses the subdomain email.ampscript.com, you can specify a value other than email for the subdomain.
Choose a value that your subscribers recognizes, as this value appears in the From Name line in your email messages.
You need to delegate the subdomain using NS records, not CNAME. CNAME only “masks” ns2.exacttarget.com behind your SAP domain, but you still remain in ownership of it. Delegating requires your IT team to delegate the entire subdomain, and you can only have your SAP DNS entries managed by Salesforce.
You will be given a zone file for your IT team to configure for your subdomain/domain. Example zone file:
$TTL 1H $ORIGIN email.ampscript.com. @ IN MX 10 reply.s11.exacttarget.com. @ IN A 188.8.131.52 bounce IN MX 10 bounce.s11.exacttarget.com. reply IN MX 10 reply.s11.exacttarget.com. leave IN MX 10 reply.s11.exacttarget.com. image IN CNAME images.s11.exacttarget.com.edgesuite.net. view IN CNAME view.virt.s11.exacttarget.com. click IN CNAME click.virt.s11.exacttarget.com. pages IN CNAME pages.virt.s11.exacttarget.com. cloud IN CNAME pub.s11.exacttarget.com. mta IN A 13.111.xxx.xxx 11dkim1._domainkey IN TXT ( “v=DKIM1; k=rsa; p=DKIM Details here” ) ##the above TXT record should be a single multi-line TXT record @ IN TXT “v=spf1 include:cust-spf.exacttarget.com -all” bounce IN TXT “v=spf1 include:cust-spf.exacttarget.com -all” reply IN TXT “v=spf1 include:cust-spf.exacttarget.com -all” _dmarc IN TXT “v=DMARC1; p=reject; pct=100;” ## the above TXT record is optional, but can serve as a placeholder to pass dmarc if you do not currently have a dmarc setting
If you want to keep hosting the DNS entries yourself, and possibly also have additional records created, there is an option of self-hosting. Here Salesforce will provide you with a list of entries to add to your DNS settings, to have all point to the right domains/IPs. However, if e.g. an IP is later changed by Salesforce, you will be notified and will need to update your DNS accordingly. This will not be needed if the subdomain is delegated.
Here is documentation of a “sample” list of settings you need to maintain, if you choose to self-host the DNS.
I will recommend full delegation anytime, as this is a one-off task, and leaves Salesforce with the responsibility of keeping the DNS records up to date.
3. Sending for success
For maximum deliverability success, we strongly recommend that you use your new subdomain as your FROM address in Salesforce Marketing Cloud, i.e. email@example.com. The private subdomain (email.ampscript.com) will be authenticated with DKIM, SenderID, and SPF.
Note that the domain you use with Sender Authentication Package can only be used for Salesforce emails.
Sender profiles specifies the From Information for the email send such as:
From Name: AMPscript.com
From Email Address: firstname.lastname@example.org
Multiple sender profiles can be created depending on what type of email message is to be sent but the sending domain must remain the same (email.ampscript.com).
The Sender Authentication Package is a relatively simple one-time set up. Please let me know if you have any questions in settings up the Sender Authentication Package in the comments below.