Salesforce DKIM Keys Enhancing Email Security and Deliverability

DomainKeys Identified Mail (DKIM) is a key technology used to authenticate emails, preventing spoofing and ensuring messages are from legitimate senders. This guide explores Salesforce DKIM keys, their implementation, benefits, and commonly asked questions to help you leverage this essential feature effectively.

What are Salesforce DKIM Keys?

Salesforce DKIM (DomainKeys Identified Mail) keys are cryptographic signatures added to outgoing emails from Salesforce on behalf of your domain. These signatures verify that the email message originated from your domain and have not been tampered with during transit. DKIM helps prevent email spoofing and improves email deliverability by providing a mechanism for email receivers to verify the authenticity of incoming emails.

Why Use Salesforce DKIM Keys?

Implementing DKIM keys in Salesforce offers several benefits:

  • Email Deliverability: Emails with DKIM signatures are less likely to be marked as spam or rejected by recipient servers, improving deliverability rates.
  • Authentication: Ensures that emails sent from your domain are recognized as legitimate by recipient servers, enhancing trust with recipients.
  • Brand Protection: Prevents unauthorized use of your domain for phishing or spoofing attacks, protecting your brand reputation.
  • Compliance: Helps meet compliance requirements for email authentication standards.

How to Implement Salesforce DKIM Keys?

Implementing DKIM keys in Salesforce involves the following steps:

  1. Generate DKIM Keys: Generate DKIM keys for your domain using Salesforce setup.
  2. Publish DKIM DNS Records: Add DKIM DNS records provided by Salesforce to your domain’s DNS settings.
  3. Activate DKIM in Salesforce: Activate DKIM in Salesforce settings to start signing outgoing emails with the generated DKIM keys.

How to Set Up DKIM Keys in Salesforce

DomainKeys Identified Mail (DKIM) is a method of email authentication that helps verify the authenticity of emails sent from your domain. Implementing DKIM keys in Salesforce involves generating cryptographic keys and configuring DNS records to enhance email security and deliverability.

Step-by-Step Guide to Set Up DKIM Keys in Salesforce

Step 1: Navigate to Domain Verification in Salesforce

  1. Log in to Salesforce: Access your Salesforce account with administrative privileges.
  2. Navigate to Setup: Click on the gear icon (Setup) in the upper right corner and select “Setup” from the dropdown menu.
  3. Search for Domain Management: In the Quick Find box, enter “Domain Management” and select “Domain Management.”

Step 2: Verify Your Domain

  1. Add Your Domain: Under “My Domains,” click on “Add a Domain” if your domain is not yet verified in Salesforce.
  2. Follow Verification Steps: Salesforce provides instructions to verify your domain ownership. This typically involves adding a TXT record or CNAME record to your domain’s DNS settings.

Step 3: Generate DKIM Keys

  1. Access DKIM Settings: Once your domain is verified, go back to “Domain Management” and click on your verified domain name.
  2. Generate DKIM Keys: Look for DKIM settings or email authentication settings within your domain configuration. Salesforce provides an option to generate DKIM keys.
  3. Generate Keys: Click on “Generate DKIM Keys” or similar option. Salesforce will create a pair of DKIM keys: a public key and a private key.

Step 4: Configure DKIM DNS Records

  1. Copy DNS Records: Salesforce will display DNS records (TXT records) for DKIM authentication. Copy these records to your domain’s DNS configuration page provided by your domain registrar or hosting provider.
  2. Add DNS Records: Log in to your domain registrar or hosting provider’s DNS management console. Add the DKIM TXT records provided by Salesforce. Each record typically includes a name ( and a value (the DKIM key).
  3. Save Changes: Save the DNS changes. It may take some time (up to 48 hours) for DNS records to propagate across the internet.

Step 5: Activate DKIM in Salesforce

  1. Return to Salesforce: After adding DKIM DNS records, return to Salesforce and navigate back to your domain settings.
  2. Activate DKIM: Click on “Activate DKIM” or similar option to enable DKIM signing for outgoing emails from Salesforce using the generated DKIM keys.

Step 6: Test DKIM Configuration

  1. Send Test Emails: Send test emails from Salesforce to verify that DKIM signing is working correctly.
  2. Check DKIM Authentication: Use email authentication tools or services to verify DKIM authentication status for emails sent from your domain.

FAQs about Salesforce DKIM Keys

What is the difference between DKIM and SPF?

DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) are both email authentication methods but serve different purposes. DKIM uses cryptographic signatures to verify the authenticity of the email sender and detect any modifications to the email in transit. SPF specifies which IP addresses are authorized to send emails on behalf of a domain, focusing on preventing spoofing.

Do I need to use DKIM if I already have SPF?

Yes, using both DKIM and SPF is recommended for comprehensive email authentication. While SPF verifies the sending IP address, DKIM verifies the integrity of the email message itself. Together, they enhance email security and improve deliverability.

Can DKIM keys be reused for multiple domains in Salesforce?

No, DKIM keys are domain-specific and cannot be reused for multiple domains. Each domain requires its own unique DKIM keys generated and managed within Salesforce.

How often should DKIM keys be rotated?

DKIM keys should be rotated periodically for enhanced security, typically every 6 to 12 months or as recommended by security best practices. Salesforce provides tools to easily rotate DKIM keys and update DNS records accordingly.

What happens if DKIM keys are not configured correctly?

Incorrectly configured DKIM keys can lead to email delivery issues, such as emails being flagged as spam or rejected by recipient servers. It’s essential to follow Salesforce guidelines for DKIM key setup and regularly monitor email deliverability metrics.


Salesforce DKIM keys are integral to ensuring email authenticity, security, and deliverability for organizations using Salesforce for email communications. By implementing DKIM keys and understanding their benefits, you can enhance trust with recipients, protect your brand reputation, and comply with email authentication standards effectively.