How to Set Up DKIM for Salesforce
Step-by-step guide to configure DKIM keys in Salesforce. Learn how to create, publish, and activate DKIM signing for Salesforce email.
Last updated: 2026-01-28
Salesforce sends important emails on your behalf—lead notifications, workflow alerts, and customer communications. Setting up DKIM ensures these emails are authenticated and reach recipients' inboxes.
Why Set Up DKIM in Salesforce
Without DKIM:
- Emails may be marked as suspicious by recipients
- Deliverability can suffer, especially to strict domains
- Your sending reputation isn't linked to your domain
With DKIM:
- Emails are cryptographically signed with your domain
- Better inbox placement
- Improved sender reputation
- Compliance with email authentication requirements
Before You Start
You'll need:
- Salesforce admin access
- Access to your domain's DNS settings
- The domain you want to send from configured as an Org-Wide Email Address
Salesforce DKIM setup involves creating a key in Salesforce, publishing it to DNS, then activating it. The key must be published before it can be activated.
Step-by-Step Setup
Navigate to DKIM Keys
In Salesforce Setup, search for "DKIM Keys" in the Quick Find box, or navigate to: Setup → Email → DKIM Keys
Create a new DKIM key
Click Create New Key.
Fill in the details:
- Selector: A name for this key (e.g., sforsalesforce)
- Domain: Your sending domain (e.g., example.com)
- Domain Match: Choose how strictly to match (usually "Domain only" or include subdomains)
- Key Size: Choose 2048-bit if your DNS supports it (recommended)
Copy the CNAME records
After creating the key, Salesforce displays CNAME records you need to add to DNS:
CNAME 1: The DKIM record itself
- Host: [selector]._domainkey.yourdomain.com
- Target: A Salesforce-generated value
CNAME 2: An alternate key record (for key rotation)
Add records to your DNS
Log into your DNS provider and add the CNAME records exactly as shown.
Wait for DNS propagation
DNS changes can take 15 minutes to 48 hours. Salesforce won't let you activate the key until it can verify the DNS records.
Activate the DKIM key
Return to DKIM Keys in Salesforce Setup. Click on your key and click Activate.
If the button is grayed out, DNS hasn't propagated yet—wait and try again.
Verify Your Setup
After activation, verify the DKIM record is publicly accessible.
Test with your selector: yourselector._domainkey.yourdomain.com
Common Issues and Solutions
"Activate" button is grayed out
Cause: Salesforce can't find the DKIM record in DNS.
Solutions:
- Wait for DNS propagation (can take up to 48 hours)
- Verify the CNAME records are added exactly as Salesforce specified
- Check that you created CNAME records, not TXT records
- Use a DNS lookup tool to verify the records exist
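The DNS checks listed above, as an added example (not Salesforce's or this guide's own code): it classifies the answer section of `dig +noall +answer <selector>._domainkey.<domain> TXT` into the failure modes this section describes. The selector `sf`, the CNAME target and the key bytes in the sample are constructed placeholders.

```python
import base64
import re

# Constructed output of `dig +noall +answer sf._domainkey.example.com TXT`.
# Selector, CNAME target and key bytes are placeholders, not Salesforce values.
SAMPLE_OK = """sf._domainkey.example.com. 300 IN CNAME sf.placeholder.dkim-host.example.net.
sf.placeholder.dkim-host.example.net. 300 IN TXT "v=DKIM1; k=rsa; " "p=QUJDREVGR0g="
"""

def parse_answers(dig_output):
    """Map owner name -> [(rtype, rdata)] from dig answer-section lines."""
    records = {}
    for line in dig_output.splitlines():
        parts = line.split(None, 4)
        if len(parts) == 5 and parts[2] == "IN":
            owner = parts[0].lower().rstrip(".")
            records.setdefault(owner, []).append((parts[3], parts[4]))
    return records

def parse_dkim_txt(rdata):
    """Join the quoted TXT strings, then split the tag=value list (RFC 6376)."""
    joined = "".join(re.findall(r'"([^"]*)"', rdata))
    pairs = (item.split("=", 1) for item in joined.split(";") if "=" in item)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def diagnose(dig_output, host):
    """Return 'ok' or a short reason the selector record is not usable."""
    records = parse_answers(dig_output)
    name = host.lower().rstrip(".")
    if not records.get(name):
        return "no-record"            # not published, or not propagated yet
    if any(rtype == "TXT" for rtype, _ in records[name]):
        return "txt-at-host"          # the guide calls for a CNAME here
    seen = set()
    while name not in seen:           # follow the CNAME chain, guarding loops
        seen.add(name)
        cnames = [d for t, d in records.get(name, []) if t == "CNAME"]
        name = cnames[0].lower().rstrip(".") if cnames else name
    txt = [d for t, d in records.get(name, []) if t == "TXT"]
    if not txt:
        return "cname-without-key"    # CNAME exists but resolves to no key
    tags = parse_dkim_txt(txt[0])
    if tags.get("v", "DKIM1") != "DKIM1" or not tags.get("p"):
        return "missing-or-revoked-key"
    try:
        base64.b64decode(tags["p"], validate=True)
    except ValueError:
        return "bad-key-encoding"     # key text was truncated or altered
    return "ok"
```

Pipe real `dig` output into `diagnose()` with your own selector host; a 2048-bit key normally arrives as several quoted TXT strings, which `parse_dkim_txt` joins before reading the `p=` tag.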
"DKIM key already exists for this domain"
Cause: A DKIM key was previously created for this domain.
Solution: Find and delete or deactivate the existing key before creating a new one.
Emails still fail DKIM after activation
Cause: The sending email address may not match the DKIM domain match pattern.
Solutions:
- Verify your Org-Wide Email Address uses the authenticated domain
- Check the "Domain Match" setting on your DKIM key
- Ensure the From address domain matches the DKIM domain
Salesforce requires the sending email address to match the DKIM domain. If you're sending from notifications@example.com, your DKIM must be set up for example.com.
Key Rotation
Salesforce supports DKIM key rotation for security:
- Create a new DKIM key with a different selector
- Publish the new key to DNS
- Activate the new key
- Deactivate the old key
- (Optional) Remove the old DNS record after a transition period
Regular key rotation is a security best practice, though not strictly required.
Marketing Cloud vs Sales Cloud
If you use Salesforce Marketing Cloud, the DKIM setup process is different:
- Go to Setup → Platform Tools → SAP (Sender Authentication Package)
- Follow Marketing Cloud's domain authentication wizard
- Marketing Cloud uses its own selectors and DNS records
This guide covers Sales Cloud / Service Cloud DKIM setup. Marketing Cloud has its own authentication process.
Complete Your Email Authentication
DKIM is one part of email authentication:
SPF: Ensure Salesforce's sending IPs are included in your SPF record. Add:
include:_spf.salesforce.com
Check at spfrecordcheck.com.
DMARC: Set up a DMARC policy for your domain. Check at dmarcrecordchecker.com.
Monitor Your DKIM Records
Checking once is good. Monitoring continuously is better. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.