Setting Up DKIM in Salesforce
- Eugene Edwards
- 22 hours ago
Protect your sender reputation and improve email deliverability
If your organization sends emails through Salesforce - whether that's donor acknowledgements, campaign updates, or follow-up communications - making sure those emails actually reach the inbox matters. DKIM (DomainKeys Identified Mail) is one of the most important authentication standards you can implement to protect your sender reputation and ensure deliverability.
This guide walks you through exactly what DKIM is, why it matters for Salesforce users, and how to set it up step by step.
What Is DKIM - and Why Does It Matter?
DKIM stands for DomainKeys Identified Mail. It is a cryptographic email authentication protocol that lets receiving mail servers verify that an email was legitimately sent by your organization and has not been tampered with in transit.
When Salesforce sends an email on your behalf, it can attach a digital signature to that message. The recipient's mail server checks that signature against a public key published in your domain's DNS records. If they match, the email passes DKIM authentication - boosting trust with providers like Gmail, Microsoft, and Yahoo.
Why You Should Care
- Emails without DKIM are more likely to land in spam or be blocked entirely
- Major providers like Google and Yahoo now require DKIM for bulk senders
- Failed authentication damages your sender reputation over time
- Properly authenticated emails show your domain name - not a Salesforce subdomain - in the "From" field
How DKIM Works in Salesforce
Salesforce generates a public/private key pair for your domain. The private key stays in Salesforce and is used to sign outgoing emails. The public key is published as a TXT record in your DNS and used to verify those signatures.
Here is the flow in simple terms:
Salesforce (Sender) | Signs outgoing email with your private key and includes the signature in the email header |
Gmail / Outlook (Receiver) | Fetches your public key from DNS and verifies the signature - pass means the email is trusted |
Before You Begin
Make sure the following are in place before starting the setup process:
- You have a verified sending domain in Salesforce (e.g., youruniversity.edu)
- You have access to your domain's DNS settings - typically through your IT department or domain registrar
- You are a Salesforce System Administrator, or are working with one
- Your org is on Professional, Enterprise, Unlimited, or Developer Edition (DKIM is not available on Group Edition)
⚠ Important: DNS changes can take anywhere from a few minutes to 48 hours to propagate. Plan your setup during a low-send-volume period if possible, and coordinate with your IT team in advance.
Step-by-Step Setup Guide
1. Navigate to DKIM Key Settings in Salesforce: Go to Setup → search for "DKIM Keys" in the Quick Find box → click DKIM Keys under Email.
2. Create a New DKIM Key: Click the "New" button. Fill in the Selector (a label like "sfmc" or "sf1" - this becomes part of your DNS record name) and the Domain field (your full sending domain, e.g., youruniversity.edu).
3. Choose Key Size: Select RSA-2048 for the key size. This is the current industry standard and is required by Google and Yahoo for bulk senders. Avoid RSA-1024 for new setups.
4. Save and Copy the Public Key: After saving, Salesforce will display your public key value and the exact DNS TXT record you need to create. Copy the full TXT record value - it starts with "v=DKIM1".
5. Add the DNS TXT Record: Log into your DNS management console (GoDaddy, Cloudflare, your IT team's DNS server, etc.). Create a new TXT record using the host/name and value provided by Salesforce. The host format will be: [selector]._domainkey.[yourdomain.edu]
6. Wait for DNS Propagation: DNS changes typically propagate within 30 minutes to a few hours, but can take up to 48 hours. You can check propagation using a tool like MXToolbox or dnschecker.org.
7. Activate the DKIM Key in Salesforce: Return to Setup → DKIM Keys. Find your new key and click Activate. Salesforce will verify the DNS record is live before allowing activation. If it fails, DNS has not yet propagated.
What Your DNS Record Should Look Like
When you go to add the record in your DNS console, the entry will look something like this:
Type | Host / Name | Value |
TXT | sf1._domainkey | v=DKIM1; k=rsa; p=MIIBIjANBgkq...[your key] |
💡 Pro Tip: The selector you chose in Step 2 (e.g., "sf1") becomes the prefix in the host name. Salesforce will show you the exact host name string to use - copy it precisely.
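To catch a mis-pasted or undersized key before you try to activate it, the added example below (not part of the original guide and not Salesforce tooling) parses a DKIM TXT value, rejoins the quoted 255-character chunks some DNS consoles display, and reads the RSA modulus size out of the p= value. The function names are hypothetical, and the sample record is constructed around a made-up modulus rather than a real key.

```python
import base64
import re

def _tlv(buf, pos):  # read one DER element at pos; return (value_start, value_end)
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return pos, pos + length

def rsa_bits(p_b64):
    """Modulus size in bits of a base64 SubjectPublicKeyInfo RSA key."""
    der = base64.b64decode(p_b64, validate=True)
    start, _ = _tlv(der, 0)                   # outer SEQUENCE
    _, alg_end = _tlv(der, start)             # AlgorithmIdentifier
    bits_start, _ = _tlv(der, alg_end)        # BIT STRING
    key_start, _ = _tlv(der, bits_start + 1)  # RSAPublicKey, after unused-bits byte
    n_start, n_end = _tlv(der, key_start)     # INTEGER modulus
    return int.from_bytes(der[n_start:n_end], "big").bit_length()

def check_dkim_txt(txt, min_bits=2048):
    """Return a list of problems in a DKIM TXT value; empty means none found."""
    joined = re.sub(r'"\s*"', "", txt.strip()).strip('"')  # rejoin quoted chunks
    pairs = (part.split("=", 1) for part in joined.split(";") if "=" in part)
    tags = {k.strip(): "".join(v.split()) for k, v in pairs}
    problems = [] if tags.get("v") == "DKIM1" else ["missing v=DKIM1"]
    if not tags.get("p"):
        return problems + ["p= (public key) is missing or empty"]
    try:
        bits = rsa_bits(tags["p"])
    except (ValueError, IndexError):
        return problems + ["p= is not a complete base64 RSA key"]
    if bits < min_bits:
        problems.append(f"RSA key is {bits} bits, expected at least {min_bits}")
    return problems

def _der(tag, body):  # sample-data helper: encode one DER element (length < 65536)
    n = len(body)
    head = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + head + body

def constructed_record(bits):  # constructed sample: made-up modulus, not a real key
    n = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa = _der(0x30, _der(0x02, n) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

Pass check_dkim_txt() the TXT value exactly as your DNS console shows it; an empty list means none of these problems was found.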
Testing and Verifying Your DKIM Setup
Once your DKIM key is active in Salesforce, here are a few ways to confirm everything is working correctly:
Option 1 - Send a Test Email to Gmail
Send a test email from Salesforce to a Gmail account. In Gmail, click the three-dot menu on the email and select "Show original." Look for the DKIM line - it should say "PASS."
Option 2 - Use MXToolbox
Visit mxtoolbox.com and use the DKIM Lookup tool. Enter your selector and domain (e.g., sf1:youruniversity.edu) to verify the record is publicly visible.
Option 3 - Check Salesforce Activation Status
In Setup → DKIM Keys, your key's status should show as "Active." If it shows "Inactive" or "Error," the DNS record may not yet be propagated or may contain a typo.
Common Issues and How to Fix Them
Issue | Resolution |
Salesforce won't let me activate the key | DNS record has not propagated yet. Wait a few hours and try again. Double-check the TXT record value is copied exactly from Salesforce. |
DKIM shows FAIL in Gmail header | The DNS record may have been entered incorrectly. Verify the host name and key value in your DNS console match exactly what Salesforce provided. |
Key is Active but emails still go to spam | DKIM alone does not guarantee inbox placement. Ensure SPF and DMARC are also configured for your domain, and check your sender reputation. |
DNS host adds the domain automatically | Some DNS providers append your domain to the host name. If your provider does this, enter only the selector portion (e.g., "sf1._domainkey") without the domain suffix. |
Multiple sending domains | You need a separate DKIM key for each domain you send from in Salesforce. Repeat the process for each domain. |
Going Further: DKIM + SPF + DMARC
DKIM is one part of a complete email authentication framework. For the strongest deliverability posture, all three protocols should be configured together:
Protocol | What It Does | Salesforce Requirement |
SPF | Authorizes IP addresses that can send on your domain's behalf | Add Salesforce's IP range to your SPF record in DNS |
DKIM | Cryptographically signs messages to verify authenticity | Follow this guide to generate and activate a key in Salesforce |
DMARC | Tells receivers what to do with emails that fail SPF or DKIM | Publish a DMARC policy in DNS (start with p=none to monitor) |
Next Steps
Once DKIM is active, here is what we recommend doing next:
1. Verify SPF is also configured for your Salesforce sending domain
2. Publish a DMARC record starting with a monitoring policy (p=none)
3. Monitor your DMARC reports to identify any unauthorized senders
4. Move to a stricter DMARC policy (p=quarantine or p=reject) once you have confidence in your setup
5. Periodically rotate your DKIM keys (annually is a good practice)
💡 Pro Tip: Need help with SPF or DMARC configuration? Reach out to your implementation team - we can review your current DNS setup and provide recommendations specific to your Salesforce environment.
Questions?
Contact your Salesforce implementation consultant if you run into any issues or need assistance coordinating with your IT / DNS team. We are happy to review your setup and confirm everything is configured correctly before your next major send.