DKIM for Salesforce: Key Setup and Configuration
How to set up DKIM in Salesforce. Step-by-step guide covering DKIM key creation, DNS record configuration, key activation, and verification for Sales Cloud and Marketing Cloud.
Last updated: 2026-02-06
Salesforce has built-in DKIM key management that lets you sign outgoing emails with your domain. This guide covers setup for both Sales Cloud (core Salesforce) and Marketing Cloud.
Salesforce generates DKIM keys for you and provides CNAME records to add to your DNS. Once the records propagate, you activate the key in Salesforce Setup.
How Salesforce DKIM Works
Salesforce's DKIM implementation:
- You create a DKIM key in Salesforce Setup
- Salesforce generates a key pair and gives you CNAME records
- You add the CNAME records to your domain's DNS
- You activate the key in Salesforce
- Salesforce signs all outgoing emails from that domain
Setting Up DKIM in Sales Cloud
Open Salesforce Setup
Log in to Salesforce and click the gear icon, then select "Setup." In the Quick Find box, search for "DKIM Keys."
Create a new DKIM key
Click "Create New Key." You'll see a form to configure the key:
- Key Size: Select 2048-bit (recommended) or 1024-bit
- Selector: Enter a unique name (e.g., `sf1` or `salesforce`)
- Domain: Enter the domain you send email from (e.g., `example.com`)
- Domain Match: Choose "Exact domain" or "Subdomains" depending on your setup
Save and get DNS records
Click "Save." Salesforce generates the key pair and displays the CNAME records you need to add to your DNS. You'll see two records: one for the selector and one for an alternate selector.
Add CNAME records to DNS
In your DNS provider, create two CNAME records using the hostnames and values Salesforce provides. The format is typically:
- `selector._domainkey.yourdomain.com` pointing to a Salesforce-hosted key endpoint
- `selector2._domainkey.yourdomain.com` pointing to a second endpoint
Wait for DNS propagation
Allow up to 48 hours for the CNAME records to propagate. Salesforce will not let you activate the key until the records are live.
Activate the DKIM key
Return to Setup, then go to DKIM Keys. Click on your key and select "Activate." Salesforce verifies the DNS records and enables signing.
Salesforce DKIM DNS Records
Salesforce uses CNAME records rather than TXT records. This lets Salesforce manage the actual key values and handle rotation. Your DNS records will look like:
| Field | Record 1 | Record 2 |
|---|---|---|
| Type | CNAME | CNAME |
| Host | `sf1._domainkey` | `sf1.altby._domainkey` |
| Value | *(Salesforce-provided endpoint)* | *(Salesforce-provided endpoint)* |
The exact hostnames and values are unique to your Salesforce org. Always copy them directly from the DKIM Keys setup page rather than constructing them manually.
DKIM Key Options in Salesforce
Key Size
- 2048-bit is the default and recommended size
- Use 1024-bit only if your DNS provider has record length restrictions (less relevant with CNAME records)
Selector
- Choose something descriptive like `sf`, `salesforce`, or `sf2026`
- If you rotate keys later, you can use versioned selectors (e.g., `sf-v1`, `sf-v2`)
Domain Match
- Exact domain: Only signs emails where the From address exactly matches the domain
- Subdomains: Signs emails from the domain and any subdomains (e.g., support@sub.example.com)
DKIM for Salesforce Marketing Cloud
Marketing Cloud handles DKIM differently from Sales Cloud. The setup depends on your Marketing Cloud configuration:
Sender Authentication Package (SAP)
If you use a Sender Authentication Package, DKIM is configured as part of the SAP setup:
Request SAP from Salesforce
Contact your Salesforce account team or submit a case to set up SAP for your sending domain.
Add the provided DNS records
Salesforce provides a set of DNS records including DKIM entries. Add all records to your domain's DNS.
Salesforce verifies and activates
Once the records propagate, Salesforce verifies them and enables authentication including DKIM signing.
Without SAP
Without a Sender Authentication Package, Marketing Cloud emails are sent from a Salesforce-owned domain. DKIM signing uses Salesforce's domain, not yours. To sign with your own domain, you need either SAP or a custom configuration through Salesforce support.
Pro tip
If you use both Sales Cloud and Marketing Cloud, each needs its own DKIM configuration. They operate independently and can use different selectors.
Verifying Salesforce DKIM
After activating your DKIM key:
Check key status in Setup
Go to DKIM Keys in Salesforce Setup. The key status should show as "Active."
Send a test email
Send an email from Salesforce to an external address (Gmail works well for testing).
Check email headers
Open the received email and view the full headers. Look for:
Authentication-Results: ... dkim=pass header.d=yourdomain.com
The dkim=pass result confirms Salesforce is signing correctly.
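A bare `dkim=pass` is not enough on its own: the passing signature has to be for your domain, and the result has to come from the receiving server you trust. The following added example (not Salesforce code and not from the original guide) parses `Authentication-Results` headers and checks both; the message, the receiver name `mx.receiver.example`, and the domains are constructed sample values.

```python
import re
from email import message_from_string

# Constructed sample (not real mail). The receiver mx.receiver.example recorded
# two DKIM results; the second Authentication-Results header is not its own.
SAMPLE = """\
Authentication-Results: mx.receiver.example;
 dkim=pass (2048-bit key) header.d=vendor-mail.example header.s=s1;
 dkim=pass header.d=yourdomain.com header.s=sf1;
 spf=pass smtp.mailfrom=bounce.vendor-mail.example
Authentication-Results: mx.untrusted.example; dkim=pass header.d=other.example
From: Sales <sales@yourdomain.com>
Subject: DKIM test

body
"""

def dkim_results(raw, authserv_id):
    """Yield (result, signing_domain, selector) for each DKIM entry that the
    trusted receiver `authserv_id` wrote into Authentication-Results."""
    msg = message_from_string(raw)
    for value in msg.get_all("Authentication-Results", []):
        value = " ".join(value.split())          # unfold continuation lines
        value = re.sub(r"\([^)]*\)", "", value)  # drop (comments)
        server, *entries = [p.strip() for p in value.split(";")]
        if not server or server.split()[0].lower() != authserv_id.lower():
            continue                             # not stamped by our receiver
        for entry in entries:
            tokens = entry.split()
            if not tokens or not tokens[0].lower().startswith("dkim="):
                continue
            props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            # Some receivers report header.i (@domain) instead of header.d.
            domain = props.get("header.d") or props.get("header.i", "").rpartition("@")[2]
            yield tokens[0][5:].lower(), domain.lower(), props.get("header.s")

def signed_by(raw, domain, authserv_id):
    """True only if the trusted receiver recorded dkim=pass for `domain`."""
    return any(res == "pass" and d == domain.lower()
               for res, d, _ in dkim_results(raw, authserv_id))

if __name__ == "__main__":
    for row in dkim_results(SAMPLE, "mx.receiver.example"):
        print(row)
    print(signed_by(SAMPLE, "yourdomain.com", "mx.receiver.example"))
```

A message that passes only for a vendor-owned domain, as in the "Without SAP" case, returns `False` for your domain here even though the header contains `dkim=pass`.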
Troubleshooting
Key won't activate
- Verify both CNAME records exist in your DNS
- Check that the CNAME values match exactly what Salesforce shows
- Wait the full 48 hours for propagation before retrying
DKIM failing after activation
- Confirm the key status is still "Active" in Setup
- Check that no DNS changes have removed or modified the CNAME records
- Test with `dig` or `nslookup` to verify the CNAME records resolve correctly
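The checks in the two lists above can be scripted so that a missing record or a changed target shows up before you retry activation. This is an added example, not Salesforce tooling or code from the original guide: it calls `dig` (assumed to be on PATH) and compares each CNAME with the value copied from the DKIM Keys page. The hostnames use `example.com` and the targets are placeholders.

```python
import subprocess

# Placeholders: paste the real host/target pairs from the DKIM Keys page.
EXPECTED = {
    "sf1._domainkey.example.com": "PLACEHOLDER-TARGET-1.example",
    "sf1.altby._domainkey.example.com": "PLACEHOLDER-TARGET-2.example",
}

def dig_cname(name):
    """Return the CNAME target for `name` via dig, or None if there is none."""
    out = subprocess.run(["dig", "+short", name, "CNAME"],
                         capture_output=True, text=True, timeout=10).stdout
    answers = [l.strip() for l in out.splitlines()
               if l.strip() and not l.startswith(";")]  # skip ';;' error lines
    return answers[0] if answers else None

def norm(host):
    """Compare hostnames case-insensitively and without the trailing dot."""
    return host.strip().rstrip(".").lower() if host else None

def check_records(expected, resolve=dig_cname):
    """Map each expected host to 'ok', 'missing', or a mismatch message."""
    report = {}
    for host, target in expected.items():
        found = norm(resolve(host))
        if found is None:
            report[host] = "missing"
        elif found != norm(target):
            report[host] = f"mismatch: resolves to {found}"
        else:
            report[host] = "ok"
    return report

def ready_to_activate(report):
    """Both records must be live and exact before activation is retried."""
    return bool(report) and all(state == "ok" for state in report.values())

if __name__ == "__main__":
    result = check_records(EXPECTED)
    for host, state in result.items():
        print(f"{host}: {state}")
    print("ready to activate:", ready_to_activate(result))
```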
Emails not being signed
- Verify the From address domain matches the DKIM key's domain setting
- Check the Domain Match setting (exact vs. subdomains)
- Ensure the sending user or process uses the correct From address
Multiple domains
- Create a separate DKIM key for each sending domain
- Each domain needs its own pair of CNAME records
- You can have multiple active keys simultaneously
Salesforce DKIM with Other Email Services
If you send email from both Salesforce and other services (e.g., Google Workspace for internal email, Mailchimp for marketing), each service uses its own DKIM selector. They don't conflict:
| Service | Selector |
|---|---|
| Salesforce | `sf1._domainkey` |
| Google Workspace | `google._domainkey` |
| Mailchimp | `k1._domainkey` |
Add all the required DNS records. Receiving mail servers check each email's selector to find the right public key.