Wednesday, February 20, 2019

Another Blog on Setting Up SMTP Email Relay Between Salesforce and Gmail

How do I prevent the "Be careful with this message" warning banner appearing at the top of emails?

How do I remove the "via" in the From address of emails sent from Salesforce?

Emails that my client was sending from Salesforce were being presented to customers with a warning banner, telling the customer to be careful with the message, avoid clicking on links, etc. Here's a look at one such email message, when sent to an internal QA team member:

Fig. 1: Email from Salesforce, sent to internal company team member

Here is another email, from when a Case Notification email was sent to an external customer's Gmail account.

Fig. 2: Same email template from Salesforce, sent to external user

These email conditions occur because the "From" address in the email header is spoofed: the email header says it was sent from user@companyname.com, but it was actually sent from an email server with a salesforce.com domain name.
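The mismatch described above can be checked from a delivered message's headers, and the same check can be re-run on a test message once the relay is in place. The following Python sketch is an added example, not part of the original post: the header samples are constructed, `example.com` stands in for the company domain, `bounce.example.net` stands in for the sending platform's domain, and the subdomain comparison is a simplified stand-in for real domain alignment rules.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not captured traffic); all domains are placeholders.
BEFORE_RELAY = """\
Return-Path: <bounce-123@bounce.example.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bounce-123@bounce.example.net; dkim=none
From: Support <support@example.com>
Subject: Case update

body
"""
AFTER_RELAY = """\
Return-Path: <support@example.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=support@example.com; dkim=none
From: Support <support@example.com>
Subject: Case update

body
"""

def domain_of(addr):
    """Return the lower-cased domain part of an address (or a bare domain)."""
    return addr.rsplit("@", 1)[-1].lower().strip("<> ")

def aligned(a, b):
    """Simplified alignment: same domain, or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def check_alignment(raw):
    """Compare the visible From domain with the SPF and DKIM authenticated domains."""
    msg = message_from_string(raw)
    from_dom = domain_of(parseaddr(msg["From"])[1])
    auth = msg.get("Authentication-Results", "")
    spf = re.search(r"spf=(\w+)\s+smtp\.mailfrom=(\S+?)(?:;|\s|$)", auth)
    dkim = re.search(r"dkim=(\w+)\s+header\.d=(\S+?)(?:;|\s|$)", auth)
    def ok(m):
        # Counts only if the check passed AND its domain matches the From domain.
        return bool(m and m.group(1) == "pass" and aligned(from_dom, domain_of(m.group(2))))
    spf_ok, dkim_ok = ok(spf), ok(dkim)
    return {"from_domain": from_dom, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "mismatch": not (spf_ok or dkim_ok)}

if __name__ == "__main__":
    for name, raw in (("before relay", BEFORE_RELAY), ("after relay", AFTER_RELAY)):
        print(name, check_alignment(raw))
```

To check a real message, save its original source from the mail client and pass the header text to `check_alignment`.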

To avoid this, the client needed to enable SMTP Email Relay. I've never set up email relay on a Google Apps domain before. I found a couple of older (4+ years) blog posts on setting this up (here and here); both got me 95% of the way there. Salesforce has made a few changes since these articles were written, so I decided to post this "revised" blog of how to set up SMTP email relay between Salesforce and G-Suite.

Step 0: No Need to Open a Case with Salesforce Customer Support

Both blogs above indicated that the first step was to open a Case with Salesforce.com and request Email Relay feature enablement. I even found Salesforce Knowledge Article 5793, which seemed to imply this was still required. The current Salesforce documentation, however, indicates that setting up email relay is now a standard feature. (I actually ended up creating a Case with Salesforce, only to have them confirm it was a standard feature and no longer needed to be enabled for each org on their side first.)

Step 1: Set Up SMTP Email Relay in G-Suite

Follow these instructions to set up SMTP relay service in G-Suite.
  1. Log in to the G-Suite Admin Console: admin.google.com
  2. From the Admin Console Home Page, go to Apps > G-Suite > Gmail > Advanced Settings (Tip: Scroll down to the bottom of the page to see Advanced Settings)
  3. On the left side, select top-level organization.
  4. Scroll to the SMTP relay service setting in the Routing section. Hover over the setting and click Configure. (If the setting is already configured, click Edit or Add Another). 
  5. For a new setting, enter a unique description.
  6. Set up the following:
    1. Allowed senders: Only addresses in my domains
    2. Authentication: Only accept mail from the specified IP addresses
    3. Reference this Salesforce Knowledge Article describing which Salesforce IP Addresses must be whitelisted. You must add all of the IP addresses that are used for email relay. (Hint: Scroll down to the section labeled "The addresses used for email relay include").
    4. Check the Enable box for each IP address entered.
    5. Require SMTP Authentication: unchecked
    6. Encryption section, Require TLS encryption: checked
    7. At the bottom, click Save

Step 2: Enable Email Relay in Salesforce

To set up email relay in Salesforce, a Salesforce admin should do the following:
  1. In Salesforce Quick Find, go to "Email Relays" and select Create Email Relay
  2. Enter the following Email Relay Properties:
    1. Host: smtp-relay.gmail.com
    2. Port: 587
    3. TLS Setting: Required
    4. Enable SMTP Auth: leave unchecked
  3. In Quick Find, go to "Email Domain Filters" and select Create Email Domain Filter
  4. Enter the following Email Domain Filter Properties:
    1. Sender Domain: leave at default setting
    2. Recipient Domain: leave at default setting
    3. Email Relay: select smtp-relay.gmail.com:587 [TLS Required]
    4. Active: checked
  5. In Quick Find, go to "Deliverability". Make sure the following features are unchecked:
    1. Uncheck "Activate bounce management" (Using email relay with bounce management is tricky; you'll need to implement DKIM signing and enable SMTP Auth. My client did not use the bounce management feature heavily, so we simply disabled it.)
    2. Uncheck "Enable compliance with standard email security mechanisms" (if enabled, these may interfere with the relay of your email messages from Salesforce)
  6. In Quick Find, go to "Test Deliverability". Follow the instructions to test and verify that your email messages are routing correctly.
  7. You may want to do another test, by sending an email message from Salesforce.com. Verify that the message sends correctly. You can also log into G-Suite gmail as that user, and you should see the email in your Sent folder.
You're all set -- Salesforce emails are now relaying through your G-Suite service. Any questions or issues? Please feel free to leave a comment below if you had any trouble setting this up!