Setting up SPF for Salesforce enables Salesforce to send emails on behalf of your domain and supports DMARC authentication for those emails.
Also, when sending emails via Salesforce, you want your recipients to see those emails as coming from yourdomain.com instead of salesforce.com. The latter can cause deliverability problems and increase the chances of your emails being marked as spam. This is why you need to set up SPF for Salesforce.
To enable SPF on Salesforce, Salesforce's bounce management needs to be disabled, which can be done by:
1. Navigating to:
In Lightning Experience: Gear icon | Setup | Email | Deliverability
In Salesforce Classic: Setup | Email Administration | Deliverability
2. Un-checking the following boxes:
a. Activate bounce management
b. Enable compliance with standard email security mechanisms
Note: If you want to continue having Salesforce handle your bounce management, that is fine. As long as DKIM is correctly set up for your domain, your emails will be DMARC compliant.
Log in to your DNS management console
Navigate to the domain for which you want to set up SPF for Salesforce
Now, if you have a pre-existing SPF record in your DNS:
You need to add include:_spf.salesforce.com to your previous SPF record. Hence, if your previous SPF record was v=spf1 include:_spf.google.com -all, your new record will be:
v=spf1 include:_spf.google.com include:_spf.salesforce.com -all
Note: Make sure you have only 1 SPF record configured for your domain. More than one record will completely invalidate your SPF.
Now, if you don’t have a pre-existing SPF record in your DNS:
Simply add the following DNS TXT SPF record to your DNS:
v=spf1 include:_spf.salesforce.com -all
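The two cases above, plus the single-record rule from the note, as an added example that is not part of the original article. The function names are hypothetical and the TXT values in the demo are constructed; it takes the TXT strings already published for the domain and returns the one SPF record to publish.

```python
SALESFORCE_INCLUDE = "include:_spf.salesforce.com"


def spf_records(txt_records):
    """Return the TXT strings that are SPF records (first term is v=spf1)."""
    found = []
    for txt in txt_records:
        terms = txt.strip().strip('"').split()
        if terms and terms[0].lower() == "v=spf1":
            found.append(" ".join(terms))
    return found


def add_salesforce(txt_records):
    """Return the single SPF record the domain should publish.

    Raises ValueError when more than one SPF record already exists,
    because that invalidates SPF and has to be merged by hand first.
    """
    found = spf_records(txt_records)
    if len(found) > 1:
        raise ValueError(f"{len(found)} SPF records found; merge them into one")
    if not found:
        # No pre-existing SPF record: publish the Salesforce-only record.
        return f"v=spf1 {SALESFORCE_INCLUDE} -all"
    terms = found[0].split()
    if SALESFORCE_INCLUDE in (t.lower() for t in terms):
        return found[0]  # Salesforce is already authorised
    # Insert before the "all" mechanism: anything after it is never evaluated.
    for i, term in enumerate(terms):
        if term.lower().lstrip("+-~?") == "all":
            return " ".join(terms[:i] + [SALESFORCE_INCLUDE] + terms[i:])
    return " ".join(terms + [SALESFORCE_INCLUDE])


if __name__ == "__main__":
    # Constructed sample: TXT records as a DNS console might list them.
    sample = ["site-verification=constructed-value",
              "v=spf1 include:_spf.google.com -all"]
    print(add_salesforce(sample))
```
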