To authorize Salesforce to send emails on your behalf. you will have to add their SPF mechanism to your SPF record.
For more information on SPF for salesforce please click on the button below.
NOTE: Salesforce will by default use their own domain as the Return-Path domain. This means that DMARC will fail with respect to SPF. The reason for this is so that Salesforce handle the bounces for you.
In order to have SPF passing and aligning so that DMARC passes you will need to disable bounce management in Salesforce. This will cause the Return-Path domain to match your domain and therefore pass DMARC with respect to SPF.
To configure DKIM signing for your emails in Salesforce is pretty straightforward. You will essentially have to create a DKIM key pair in Salesforce, take the public key and enter it in your DNS. The private key will be used by Salesforce to sign the emails and the public key will be used to verify that the emails have not been modified in transit and that they do indeed originate from your domain.
For instructions on how to create the DKIM key in salesforce please click on the button below.
NOTE: Please refer to Salesforce for any further questions regarding SPF and DKIM as the above does not cover all salesforce scenarios. The instructions may be different for different customers using salesforce for different purposes or using different salesforce applications.
Create a free OnDMARC account to test your configuration.