Whitelist Salesforce senders in Email Impersonation Control service


Article ID: 205889


Updated On:

Products

Email Security.cloud

Issue/Introduction

Salesforce senders are stopped or tagged by the Email Impersonation Control service.

Cause

Salesforce does not send email from the bare domain Salesforce.com, but from a long string ID followed by the domain Salesforce.com. This string changes per user, so whitelisting each individual user becomes a challenging task.

Resolution

Broadcom recommends whitelisting by IP range, based on the source and region of the emails. The sources by region, IP ranges and domains to allow are listed at:

https://help.salesforce.com/articleView?id=000321501&type=1&mode=1

Note: The above link needs to be monitored for any new IP ranges added by Salesforce.

Wildcard characters cannot be used to designate approved senders for Sender IP Addresses or Sender Email Addresses, but you can specify IP address ranges in CIDR notation. The wildcard (*) character is also allowed for trusted third-party subdomains. For example, messages from test.sample.com are accepted if *.sample.com is added in Approved Senders > Sender Domains. Use caution when adding any information to a whitelist.

In a scenario where you do not wish to whitelist the entire Salesforce IP range, the following entry can be added to allow the mail through:

*.bnc.salesforce.com or *.salesforce.com
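
The entry rules above, together with the note about watching for new Salesforce ranges, as an added example (not Broadcom's or Salesforce's code): a Python lint for approved-sender entries and a check for published ranges that the current approved CIDR list does not yet cover. The `kind` labels, the function names and the sample ranges (RFC 5737 documentation addresses) are assumptions for illustration; the published list would be copied by hand from the Salesforce article linked above.

```python
import ipaddress
import re

# Optional leading "*." (allowed for sender domains), then ordinary hostname labels.
_DOMAIN = re.compile(r"^(\*\.)?([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$", re.I)


def validate_entry(kind, value):
    """Return None if the entry is acceptable, else a reason. kind: ip|email|domain."""
    if kind == "ip":
        if "*" in value:
            return "wildcards are not allowed for Sender IP Addresses; use CIDR"
        try:
            # Assumption: treat host bits set in a CIDR entry as a typo worth flagging.
            ipaddress.ip_network(value, strict=True)
        except ValueError as exc:
            return f"not a valid address or CIDR range: {exc}"
        return None
    if kind == "email":
        if "*" in value:
            return "wildcards are not allowed for Sender Email Addresses"
        return None if value.count("@") == 1 else "not an email address"
    if kind == "domain":
        return None if _DOMAIN.match(value) else "not a domain or *.domain entry"
    return f"unknown entry kind: {kind}"


def uncovered_ranges(approved, published):
    """Published CIDR ranges that no approved CIDR entry fully contains."""
    nets = [ipaddress.ip_network(a) for a in approved]
    missing = []
    for p in published:
        pub = ipaddress.ip_network(p)
        if not any(pub.version == n.version and pub.subnet_of(n) for n in nets):
            missing.append(p)
    return missing


# Constructed sample data: RFC 5737 documentation ranges, not Salesforce ranges.
APPROVED = ["192.0.2.0/24", "198.51.100.0/25"]
PUBLISHED = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]

if __name__ == "__main__":
    for kind, value in [("ip", "192.0.2.*"), ("ip", "192.0.2.10/24"),
                        ("domain", "*.sample.com"), ("email", "*@sample.com")]:
        print(kind, value, "->", validate_entry(kind, value) or "ok")
    print("not yet approved:", uncovered_ranges(APPROVED, PUBLISHED))
```

Running the uncovered-range check each time the Salesforce list is reviewed shows which ranges still need to be added, and which approved entry is narrower than the published range it was meant to cover.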