How to Setup DKIM Key in Salesforce

How to Setup DKIM Key in Salesforce

Last Updated on March 26, 2022 by Rakesh Gupta

Big Idea or Enduring Question:

  • How to set up DKIM (DomainKeys Identified Mail) key feature to let Salesforce sign outbound email sent on your company’s behalf.


After reading this blog, you’ll be able to:

  • Understand different email authentication protocols
  • Understand DKIM purpose
  • Understand how DIKM works
  • Setup DKIM key in Salesforce

What are the available email authentication protocols?

There are several methods that focus on different aspects of email messages.

IP Authorization Check Message authenticity verification Additional layers of security
Must-Have Must-Have Highly Recommended
Use it to

  • Secure yourself from spoofing and phishing


Use it to

  • Prevent possible message modifications
  • Secure yourself from spam attacks
Use it to

  • Improve email fraud security
  • Set up own domain authentication procedure

Let’s now talk about DKIM methods in more detail.

What Does DKIM do?

DKIM, or DomainKeys Identified Mail, is an email authentication method that uses a digital signature to let the receiver of an email know that the message was sent and authorized by the owner of a domain.

Why should you use DKIM?

The main reason you should use DKIM verification is pretty straightforward: If DKIM is used together with DMARC, or SPF you can protect your domain against phishing and email spoofing, like keeping scammers from posing as legitimate email senders and domain owners and impersonating their identities using the same domain name.

DKIM also helps in improving email deliverability. After implementing DKIM your emails will be better identified by ISPs and your recipients’ email clients, which improves the chances of your emails reaching your contacts’ inbox and not the spam folder.

How does DKIM work?

There are three main steps to the DKIM signing process.

  1. The sender decides what to include in a DKIM record – The sender identifies what fields they want to include in their DKIM record signature. These fields include the address, the body, the subject, and many others. 
  2. The DKIM is created and a message including it is sent – The sender’s email platform creates a signature which is basically a hash code and is computed by taking the content of the email and combining it with the private key using a security algorithm. 
  3. A message is received, and the server validates the DKIM signatures – Last but not least, once the email has been sent, it’s up to the recipient email service provider to validate the DKIM signature by finding the domain name system (DNS) for the TXT record. If this validation check fails and therefore the digital signature – does not exist, many different email service providers raise an alarm and may, depending on the volume of email sent, decide to mark this email as spam or even to block the sender’s IP address.

What is a DKIM selector?

A selector is an arbitrary string appended to the domain name, to help identify the DKIM public key. It is part of the DKIM signature and is inserted into the DKIM-Signature header field.

How can you test whether DKIM was configured properly?

Once DKIM is added, make sure that you validate it with an online DKIM analyzer. Use, for example, DNS Checker or DKIM Validator.

Another option is to send a test email to yourself and verify whether a message arrived with your DKIM signature yourself.

Once the message arrives, check the header validate, If the sender’s domain appears for both mailed-by and signed-by, the message was verified successfully with DKIM.

You can also click on the three dots in the top-right corner and Show Original. Here you will see the result of DKIM authentication. If it says PASS and your domain address, everything works fine. 

Business Use case

Harmeet Kaur is working as a System administrator at Gurukul On Cloud (GoC). She has received a requirement from his sales and marketing team to add a DKIM key for for email sent from Salesforce. 

Guided Practice (We-do): 

To add a DKIM key in Salesforce perform the steps below: 

  1. Click Setup.
  2. In the Quick Find box, type Email Keys.
  3. Select Email keys then click on the Create New Key.
  4. Enter the following details:
    1. RSA Key Size: 2048-bit
    2. Selector: gcloud
    3. Alternate Selector: gclouds
    4. Domain:
    5. Domain Match: Exact domain only
  5. Make sure to click Save, and you’re done.
  6. Wait for Salesforce to publish your TXT records to DNS. Your CNAME and alternate CNAME records appear on the DKIM Key Details page when the DNS publication is complete. It can take time for DNS publication to finish.
  7. Now our DKIM key is set up in Salesforce, the next step is to place the CNAMEs in our DNS records.
  8. Once done, you can return back to your DKIM Keys setting in Salesforce. You may have to wait until DNS changes reflect worldwide servers. It may take 24-48 hours.
  9. Once it’s propagated, you can activate the key.
  10. Thanks for reading this article, I hope you find this helpful.

Points to Remember

  1. DKIM doesn’t encrypt your mail. 
  2. DKIM doesn’t save you from spam once and for all.
  3. A DKIM signature can’t be forged even its details are available in DNS records.
  4. Since DKIM keys can no longer be imported from one organization to another, if DKIM is implemented in a sandbox, the keys would have to be recreated following a sandbox refresh and the resulting CNAME record would have to be published to the DNS again.
  5. Salesforce will only have one DKIM key active at any one time which would mean a DIG, NSLOOKUP or a similar check would only bring back the active primary or secondary key based on which key is active in the rotation at the time.

Formative Assessment:

I want to hear from you!

What is one thing you learned from this post? How do you envision applying this new knowledge in the real world? Feel free to share in the comments below.

Have feedback, suggestions for posts, or need more information about Salesforce online training offered by me? Say hello, and leave a message!

8 thoughts on “How to Setup DKIM Key in Salesforce

  1. Hello Rakesh, and than you for the awesome work you did here. I do have a question regarding messages sent from SF that fail DKIM alignment due to:
    Test Result
    DKIM Signature Body Hash Verified Body Hash Did Not Verify

    I have checked with my DNS team and they say everything is fine. Is it possible that the 2048 key needs to change to 1024? Can that be the issue here?

    Thanks in advance for your responses.

  2. Thanks for the blog, its really interesting. I do have a question. If I need to implement and re-create DKIM in multiple sandboxes like DEV, UAT etc. , do you know if both sandboxes’ unique keys can be published to the DNS of the email server side?

    1. Yes, you can have multiple DKIM records on your domain. Unlike DMARC or SPF, DKIM sets no limit to the number of records you can configure for a single domain as long as it is permitted by your DNS host. 

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.