How to Create a DKIM Key in Salesforce: Step-by-Step Guide

Securing your email communications is essential for protecting your brand and ensuring your messages reach recipients’ inboxes. One of the most effective ways to do this is by implementing DKIM (DomainKeys Identified Mail) in Salesforce. DKIM uses cryptographic keys to digitally sign emails, verifying that messages haven’t been altered during transit and that they truly come from your domain.


What is DKIM and Why Does It Matter?

DKIM is an email authentication protocol that allows the recipient’s mail server to verify that an email was sent by your organization and hasn’t been tampered with. By enabling DKIM in Salesforce, you:

  • Improve email deliverability and reputation

  • Prevent email spoofing and phishing

  • Ensure message integrity for your recipients


Prerequisites

Before you begin, make sure you have:

  • Salesforce admin access with permission to manage DKIM keys

  • Access to your organization’s DNS provider to update DNS records


Step 1: Access DKIM Settings in Salesforce

  1. Log in to Salesforce with administrative privileges.

  2. In Setup, use the Quick Find box to search for DKIM Keys.

  3. Click on DKIM Keys to open the DKIM management page.


Step 2: Create a New DKIM Key

  1. Click Create New Key. The new key will be inactive by default.

  2. Fill in the following fields:

    • RSA Key Size: Choose the key size (typically 1024 or 2048 bits; 2048 is recommended for stronger security).

    • Selector: Enter a unique name to identify this DKIM key (e.g., salesforce2025).

    • Alternate Selector: Enter another unique name for key rotation.

    • Domain Name: Enter the domain you use to send emails (e.g., yourcompany.com). This cannot be changed later.

    • Domain Match Pattern: Specify which domains or subdomains the key should sign for. Examples:

      • example.com (domain only)

      • *.example.com (subdomains only)

      • example.com,*.example.com (both)

  3. Click Save. Salesforce will generate your DKIM key pair and display the DNS records you need to add.


Step 3: Add DKIM Records to Your Domain’s DNS

  1. Log in to your DNS provider’s platform.

  2. Add the CNAME and Alternate CNAME records exactly as provided by Salesforce. These records link your domain to the DKIM public key Salesforce generated.

  3. Save your changes and allow up to 48 hours for DNS propagation.


Step 4: Activate the DKIM Key in Salesforce

  1. Return to the DKIM Keys page in Salesforce.

  2. Once DNS propagation is complete, click Activate next to your new DKIM key.

  3. Salesforce will verify the DNS records. When verified, your emails will be signed with DKIM automatically.


Step 5: Test Your DKIM Setup

  • Send a test email from Salesforce to an external address.

  • Check the email headers to confirm that a valid DKIM signature is present.
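The header check from Step 5 can be scripted. The following is an added example, not Salesforce code: it reads a saved test message and confirms that the DKIM-Signature header carries your domain and one of your two selectors, and that the receiving server recorded dkim=pass. The names check_dkim and parse_tags, the alternate selector salesforce2025alt, and the receiving host mx.example.net are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed headers, not real mail. Domain and selector are the guide's
# example values; the alternate selector name used below is an assumption.
SAMPLE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.i=@yourcompany.com header.s=salesforce2025;
 spf=pass smtp.mailfrom=bounce.example.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourcompany.com;
 s=salesforce2025; h=from:to:subject:date; bh=Q09OU1RSVUNURUQ=;
 b=Q09OU1RSVUNURURTSUc=
From: Sales <sales@yourcompany.com>
Subject: DKIM test
"""

def parse_tags(value):
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def check_dkim(raw, domain, selectors):
    """Return a list of problems; an empty list means the headers look as expected."""
    msg = message_from_string(raw)
    sigs = [parse_tags(h) for h in msg.get_all("DKIM-Signature", [])]
    ours = [t for t in sigs if t.get("d", "").lower() == domain]
    if not ours:
        return [f"no DKIM-Signature with d={domain}"]
    problems = []
    for t in ours:
        if t.get("s") not in selectors:  # neither the selector nor the alternate
            problems.append(f"unexpected selector s={t.get('s')}")
        if t.get("a") != "rsa-sha256":  # RFC 8301 retires rsa-sha1
            problems.append(f"unexpected algorithm a={t.get('a')}")
    # The receiving server records its verification verdict in Authentication-Results.
    verdicts = []
    for header in msg.get_all("Authentication-Results", []):
        for part in header.split(";"):
            m = re.match(r"\s*dkim=(\w+)", part)
            dom = re.search(r"header\.d=(\S+)", part) or re.search(r"header\.i=\S*@(\S+)", part)
            if m and dom and dom.group(1).lower() == domain:
                verdicts.append(m.group(1).lower())
    if "pass" not in verdicts:
        problems.append(f"no dkim=pass for {domain} (saw {verdicts or 'none'})")
    return problems

if __name__ == "__main__":
    print(check_dkim(SAMPLE, "yourcompany.com", {"salesforce2025", "salesforce2025alt"}) or "OK")
```

Only trust the Authentication-Results header that your own receiving server added; the script reads the verdict and does not re-verify the signature itself.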


Best Practices

  • Monitor DKIM Status: Regularly check the DKIM key status in Salesforce.

  • Rotate Keys: Salesforce can auto-rotate keys every 30 days for added security.

  • Coordinate with IT: Work closely with your IT or DNS administrator to ensure correct DNS setup.


Troubleshooting Tips

  • If activation fails, verify that the CNAME records are correctly published and that DNS changes have fully propagated.

  • Ensure you’re using the correct domain and selector values as provided by Salesforce.


Conclusion

Implementing DKIM in Salesforce is a straightforward but crucial step to enhance your email security and deliverability. By following these steps, you’ll protect your brand and build trust with your recipients.


| Step | Description |
|---|---|
| Access DKIM Settings | Setup > Quick Find > DKIM Keys |
| Create Key | Define key size, selectors, domain, and save |
| Update DNS | Add CNAME records to your domain’s DNS |
| Activate Key | Activate in Salesforce after DNS propagation |
| Test & Monitor | Send test emails, monitor, and rotate keys as needed |