Sender Authentication Package(SAP) – What is it and do I need it?

Sender Authentication Package(SAP) – What is it and do I need it?

What is a Sender Authentication Package (SAP)?

A Sender Authentication Package is a SKU that is made up of 4 distinct products: 

  • A Dedicated IP Address
  • A Private Domain 
  • Account Branding (Link Wrapping)
  • Reply Mail Management (RMM)

The combination of these four products allows for verified, authenticated sending in a way that helps mail both appear to come from the brand directly and allows that brand to best manage its sending reputation.

Can you explain each part of a SAP?

Dedicated IP 

Internet Protocol (IP) Addresses allow a computer to communicate with another computer over the internet by assigning “IP Addresses” to each device that accesses the internet. This is a unique address for each device in most cases (think of it like GPS Coordinates). IP addresses effectively provide an end-point that a computer can access to send or receive information. 

  • In the email world, an Email Service Provider (ESP) can either “pool” a group of IP’s together to perform sends or they can allow individual customers to have their own IP address(es) from which to send.
  • By default, new accounts set up in Marketing Cloud are aligned to shared IP pools. An SAP allows for a customer to either continue using the shared pool (not recommended) or take advantage of the included dedicated IP. 
  • The downside to shared IP pools is that they do not pass a certain type of authentication (called DMARC) and the sender does not get to control their reputation – they inherit the reputation of the pool for their sends. If there is a spammer, or a lot of “marked as spam” activity in that pool, it could cause deliverability issues for you.
  • Dedicated IP’s allow for a single customer to have their own private address to send from that allows them to control their sending reputation, apply stricter security standards, and pass all currently used authentication methods. 

Private Domain 

A Private Domain ensures and authenticates that messages originating from a particular customer’s account are actually sent from that customer. 

  • Private domains allow Salesforce to apply SenderID, Sender Policy Framework (SPF) and Domain Keys Identity Management (DKIM) records to the customer’s sending domain so that they are most likely to get into a recipient’s mailbox.
  • These are standard email authentication routes. 
  • Private domains also allow Salesforce to authenticate dedicated IP’s in such a way that they will pass DMARC authentication, which requires that the sending domain and the return path (where the email comes from and goes back to) to be the same. 

Account Branding (Link Wrapping) 

This part of an SAP allows Salesforce to configure links for any product the customer is using so that they appear to come from/redirect to the same domain from which the email came.

  • Without Account Branding, the link will appear to redirect to a site hosted on the “” domain which can cause confusion for the recipients of emails sent by the customer’s brand. 
  • In practice, when customers hover over a link that says, “Click Here,” they can see the site that the button will redirect to. If Account Branding is not set up, they will see the address of ExactTarget click server (how we capture that someone clicked on a link). With Account Branding set up, they’ll only see the customer’s domain

(i.e. instead of ). 

Reply Mail Management (RMM) 

Reply Mail Management (RMM) allows Marketing Cloud to handle replies back to the “reply to” email address that a customer uses in their Sender Profile (where the email appears to come from). 

  • RMM is capable of getting rid of unnecessary emails like out of office replies. It  is also capable of handling unsubscribe requests and even sending an automated response for emails (either a default or custom email) sent to that box as well.
  • RMM should not be thought of as an “auto-responder” –  it lacks complex routing/evaluation rules.

Can a customer have more than one SAP?

There is a hard limit of 1 SAP per Business Unit. A customer may only have more than 1 SAP configured if they have multiple Business Units (BU).

Does each BU need its own SAP?

No, but it is a best practice.

SAP configurations can be copied from one BU to another so multiple Business Units can have the same SAP aligned to them. This would be common if a brand had a generic sending domain, but BU’s for each of its Lines of Business (LOB’s). For example, we want all of our emails to come from “,” but we might have a BU for marketing, product marketing, event marketing, and internal communications that all need to use the domain and link wrapping, so we’d apply our single SAP to each of our 4 BU’s.

How does a customer set up a domain with their SAP?

There are three ways our customers can set up domains with their SAP’s: 

  1. Salesforce can buy a domain on their behalf and configure it.

This is the easiest way to have an SAP configured, but it would require mail to come from a different domain than the customer’s website. For example, the company Northern Trail Outfitters, with a domain of, could have Salesforce buy and configure the domain 

Note that a “spoofed” domain, or even one that uses “email” in it, like that above, is rarely a best practice. If a customer chooses to have Salesforce buy a domain for them, our recommendation would be for a generic-type domain that is still associated with the brand. For instance, a benefits administration company may choose to have be a domain that Salesforce buys and configures for them, as it could be easily reused across multiple clients (in a multi-BU setup). 

  1. The client can delegate a subdomain to Salesforce for authentication.
  • This is the intermediate option. It requires the client to insert four (4) nameserver (also known as NS) entries into their DNS Record (Domain Name System record) .
  • In this case, if a client like NTO chooses this option, they could put 4 NS entries in their DNS for the subdomain
  • THIS IS IMPORTANT: A client cannot delegate their apex domain (what comes before the .com) to Salesforce if it is being used by another service or for a purpose like hosting the client’s website. Why? Because NS records point that address to a particular destination IP address. Think of a domain name (i.e. ) as an alias or pseudonym for an IP address – it can only have one set of NS records at the top level or it will break the website, since a browser wouldn’t know which NS record to use to display the website’s information.
  • Again, a client can only delegate a subdomain or a domain that is not in use for any other purpose to Salesforce. 
  • Information on this option can be found here: id=mc_es_subdomain_delegation_guide.htm&type=5 
  1. The client can self-host their DNS records. 
  • This is the most complicated option for a client, as they need to have a solid understanding of DNS administration and settings. 
  • Salesforce will provide a zone file to the customer (through the SAP parent case) that includes all of the necessary entries for their DNS, but it’s completely up to the customer to input those correctly. The Salesforce deliverability team can only give a “yes” or “no” to the question “Did I set up my DNS correctly?” Salesforce cannot provide support on this option because each DNS host is different.

What happens if I do not set up the SAP?

  • Without an SAP, it is very likely the client’s messages will get rejected from the mailbox provider itself (hard bounce) or that the client’s messages will end up in spam since they will not have the requisite authentication.
  • A client will be aligned to the pooled IP’s, without an SAP, so they’ll not be able to control their sending reputation.

Are SAP’s included in any edition of Marketing Cloud?

  • The Professional Edition (Pro Edition) and above each have one SAP included. 
  • Once the purchase has been completed, a message is sent to the customer to fill out the SAP Form.
  • The triggered message sent to the key/billing contact, contains a very specific code in it to properly align the form to the case. If the client does not receive this email, contact your AE.
  • A client cannot fill out this form on their own and have it successfully submit. 

If you need more information: .

I want to self-host my DNS records; do I need to buy anything from Salesforce for sending?

Yes. In this case, you would need a dedicated IP (a way to send the mail) and a Private Domain (a way to authenticate the mail they send through Marketing Cloud).  You cannot send authenticated mail through Marketing Cloud without a Private Domain at minimum.