The Sender Authentication Package (SAP) helps your subscribers to identify your brand and increases awareness about your brand.
SAP provides a collection of features designed to help ensure that your email messages reach the inboxes of the intended recipients.
SAP Features :
1. Private Domain : This feature assigns a domain used to send email. The domain acts as a “From address” for all your email sends to solidify your reputation and further your brand at the same time. Marketing Cloud authenticates all email sends using the Sender Policy Framework (SPF), Sender ID, and DomainKeys Identified Mail (DKIM) to prevent spoofing and phising.
SPF : Allows email senders to define IP addresses allowed to send email, and only email messages originating from those addresses are trusted.
Sender ID : It works on the same principles as SPF, the difference is that they look at the domain in different parts of the email and appear differently in the Domain Name System (DNS).
SPF looks at the domain listed in the MailFrom (MFrom) address. This address is not directly visible by the recipient, but you can find it in the SMTP header (smtp.mailfrom).
SenderID looks at the domain listed in the “From” address.
An SPF record would start as v=spf1, while a Sender ID record would start out as spf2.0.
DKIM : Adds a digital signature to ensure that the message comes from a verified sender and contains only the intended content. Nothing in the email gets altered or manipulated along the way.
Note : SAP also offers domain advantages for SMS messages and landing pages. Sender ID helps you identify yourself as the entity sending SMS messages. And a dedicated domain for CloudPages helps authenticate any web pages you use in your marketing activities.
2. Account Branding : This feature brands your account with the chosen authenticated domain. By default, links and images added in your email messages include a reference to the Marketing Cloud URL that is used for tracking purposes. SAP will remove all references to Marketing Cloud and replace it with your authenticated domain.
3. Dedicated IP Address : This feature assigns a unique IP address for your account. All email sends from your Marketing Cloud account will use this IP; allowing you to establish a sender reputation and letting email service providers know that you’re a good sender.
Note : The Dedicated IP will not be shared with other Customers. Be sure to contact your company’s internal IT team to add Marketing Cloud IP addresses and Marketing Cloud domains to their trusted servers list.
4. Reply Mail Management (RMM) : This feature helps you to control any replies to email messages you send using Marketing Cloud. It can be used to filter out of office and auto-replies, process unsubscribe requests, forward replies to the email address you specify, trigger messages, etc. We’ll discuss about RMM in detail in the next article.
Examples :
1. Without SAP : All the links and images will use Marketing Cloud references.
2. With SAP : All the links and images will use your Authenticated Domain. In this case, SAP domain is em.ntodemo.com and Sender is email@em.ntodemo.com.
Flow :
A Marketing Cloud account can have multiple SAP; but one business unit (BU) only supports one SAP for branding purposes. Therefore, view-as-webpage, links, cloudpages, and images can only point to one domain (i.e., Private Domain part of SAP) in a single BU. Although, you can have multiple private domains (needs to be purchased separately apart from SAP) for email sending on a single BU for use as “from addresses” only. In certain scenarios, SAP can be shared across multiple accounts in the same environment.
Example :
If there are 2 brands, brand1 and brand2 - then we cannot configure them within the same business unit. We need 2 business unit with 2 SAP (one per BU).
In a single BU, we can have : email.brand1.com (SAP Private Domain) and email.brand1.co.in (Private Domain). In such cases, you can use both the domains for email sends but all the other links will still point to SAP domain :
view.email.brand1.com
click.email.brand1.com
image.email.brand1.com
If we need the links and images to point to email.brand1.co.in, then we need to setup a different BU and a SAP.
An account can have more than one Dedicated IP Address with SAP. Additional Dedicated IP Addresses can be wrapped with the SAP custom domain for consistent branding.
Taking the above flow as a reference:
Group (Parent BU) :
SAP domain 1 : mktg.group.com
IP 1 : 123.45.67.89
Sender 1 : @mktg.group.com
Cloudpage/Link Branding 1 : http://*.mktg.group.com
Brand 1 (Child BU) :
SAP domain 1 : mktg.brand1.com
IP 1 : 234.56.78.90
IP 2 : 234.56.78.91 (additional IP)
Sender 1 : @mktg.brand1.com
Cloudpage/Link Branding 1 : http://*.mktg.brand1.com
Brand 2 (Child BU) :
SAP domain 1 : mktg.group.com and IP 1 : 123.45.67.89 (Inherited from Parent)
Private domain 1 : mktg.brand2.com
Private domain 2 : ecomm.mktg.brand2.com
Sender 1 : @mktg.group.com
Sender 2 : @mktg.brand2.com
Sender 3 : @ecomm.mktg.brand2.com
Cloudpage/Link Branding 1 : http://*.mktg.group.com (Points to Parent SAP domain)
Brand 1 EMEA :
SAP is inherited from Brand 1 BU
In addition, there is a new Private Domain (mktg.brand1.co.uk) and Sending Domain (@mktg.brand1.co.uk)
Brand 1 AMER :
SAP is inherited from Brand 1 BU
In addition, there is a new IP (34.56.78.90)
Points to Note :
If there is more than 1 sending domain in a single BU (like Brand 2), the emails can be sent from any of them - which will act as a “From address.”
When having more than 1 IP in a single BU (like Brand 1), specify which IP needs to be used for which type of classification (commercial/transactional) in the Delivery profile.
Same IP can be used for more than 1 BU (like Brand 1 EMEA & Brand 1 AMER).
If you need any changes with respect to IP setup (or SAP in general), raise a ticket with Salesforce support.
Process :
After purchasing the SAP, you will receive an email :
From : mc-deliverability@mcld.salesforce.com
Subject : Reminder - SAP for Salesforce Marketing Cloud Account
Body will contain your Account’s MID, details about SAP products, and a form
You need to fill out the form with all the required details in order for Salesforce to setup SAP for your account. Before doing so, decide on the following :
1. Decide what domain you want to use for Sender Authentication :
Provide a domain name that needs to be configured. If you pick a new domain make sure it looks similar to your current domain and/or company name for branding purpose. Example, if your domain is sfmcstack.com, choosing a subdomain prefix such as “em”, “email”, “mail” might be a good choice, resulting in email.sfmcstack.com to use as your subdomain in Marketing Cloud.
Note : The subdomain used should be exclusive to Marketing Cloud use only. It is not recommended to use a subdomain that is already being used by some other tools.
2. Options for Domain Setup :
a. Do you want Salesforce to purchase a Domain for you?
This option will allow Salesforce to purchase the domain if it is new and they will do all the heavy lifting for you. No technical skills will be required from your end.
Note : Salesforce will not be able to purchase a subdomain of your existing domain.
b. Delegate a domain or subdomain you own.
This option allows you to use a domain/subdomain with the name you designate (Example, sfmcstack.com or email.sfmcstack.com). It requires your IT team to make changes in the DNS. As part of domain or subdomain delegation, you point a specific domain or subdomain, host, or zone name, to Marketing Cloud DNS servers. Learn how to setup here. This is most widely used option and the customers usually prefer setting up a subdomain instead of a domain - as it might already be in use for web pages or internal mailing purposes.
Note : Not all domain providers provide the ability to delegate a domain.
c. Self host DNS using an existing domain/subdomain you own.
This is more of an advanced option that requires engagement from your IT team/domain host. If you have an existing domain/subdomain and want to use it with your Marketing Cloud sending, the IT team can request the zone file of all the DNS entries from Salesforce and later import them to function correctly with the Marketing Cloud platform.
Note: Salesforce does not support DNS configurations, if you choose this option. If there is any issue with the zone file, your host/IT team will need to troubleshoot as they will have full control of the DNS.
3. Where will replies be sent?
Reply Mail Management (RMM) handles replies to your email messages automatically. It requires some basic configuration from your end depending on your requirement.
4. Sending
For Deliverability benefit, it is recommended to use SAP domain in your from address. Example, if you SAP domain is “email.sfmcstack.com”, you should send as “something@email.sfmcstack.com” for all your email sends. If you do so, your email addresses will automatically be verified. Also, consider the projected monthly email send volume.
Note : The domain/subdomain you use with SAP can only be used for Salesforce emails.
After you’ve decided on the above, fill out the form with the following details :
Contact Information : Point of contact that Salesforce will reach out for any updates/questions.
Account Information : Provide AccountID/MID and if you want to enable RMM.
Domain information and Configuration : Provide a domain name and the account where SAP needs to be setup (Account and/or Sub-Account).
Note : Domain changes requested after the setup is completed will require additional product purchase cost. Please make sure you’re providing the correct information the first time.
Once you’ve submitted a form, a case will be opened with Salesforce Deliverability team, and you will be contacted via email for updates/questions.
Considerations :
Any customer who sends more than 250k emails per month, is concerned about branding, and wants to prevent the Marketing Cloud default branding from appearing in links or images should use SAP. It is necessary to send at least 250k email messages each month to maintain a dedicated IP address's reputation.
If your monthly email sending volume is under 250k, you can still use SAP authentication and ask Salesforce to continue using the shared IPs (assigned by default) or share another IP within your account structure. The SAP form submission must explicitly indicate this option in the "Additional Comments" section to avoid assigning the account a dedicated IP address.
All the features (like Private Domain, IP address) can be purchased separately but the link and image wrapping (part of account branding) only comes as part of SAP.
To change an SAP domain, the purchase of a new SAP package is required. The existing Dedicated IP Address continues to be used.
Conclusion :
SAP will be included with other products if you have purchased a new Marketing Cloud account. However, if your contract does not include SAP, please contact your Account Executive.
Please note that SAP is an important part of the Marketing Cloud implementation process, so make sure to discuss it with the internal team and then fill in the form as per your business needs.
Hope you enjoyed it! Please feel free to contact me with any feedback/suggestion.
See you in the next one.
**Images and some pieces of content are sourced from Salesforce Documentation.
#sfmc #sfmcstack #salesforce #marketingcloud #salesforcemarketingcloud #sap #senderauthenticationpackage #emailstudio #emailauthentication