Setting DKIM keys for Salesforce

DKIM is the authentication protocol that survives email forwarding, says Brad Slavin, CEO of DuoCircle. When SPF fails because a forwarder’s IP isn’t in the original record, DKIM alignment is the only path to DMARC pass. That’s why we monitor DKIM alongside SPF in every DMARC Report dashboard.

DKIM (RFC 6376) signs email messages cryptographically, and unlike SPF, the signature survives email forwarding — which is why DMARC alignment via DKIM is more reliable than SPF alignment for forwarded mail and mailing lists. DMARC Report

Setting DKIM keys for Salesforce

					<button title="Play" aria-label="Play Episode" aria-pressed="false" class="play-btn">
						

Play Episode

					</button>
					<button title="Pause" aria-label="Pause Episode" aria-pressed="false" class="pause-btn hide">
						

Pause Episode

					</button>
					


				

				

					<audio preload="none" class="clip clip-14877">
						<source src="/images/wp/2024/08/Setting-DKIM-keys-for-Salesforce.mp3">
					</audio>
					

						

					

					

						

							<button class="player-btn player-btn__volume" title="Mute/Unmute">
								

Mute/Unmute Episode

							</button>
							<button data-skip="-10" class="player-btn player-btn__rwd" title="Rewind 10 seconds">
								

Rewind 10 Seconds

							</button>
							<button data-speed="1" class="player-btn player-btn__speed" title="Playback Speed" aria-label="Playback Speed">1x</button>
							<button data-skip="30" class="player-btn player-btn__fwd" title="Fast Forward 30 seconds">
								

Fast Forward 30 seconds

							</button>
						

						

							<time class="ssp-timer">00:00</time>
							

/

							<!-- We need actual duration here from the server -->
							<time class="ssp-duration" datetime="PT0H2M1S">2:01</time>
						

					

				

			

								<nav class="player-panels-nav">
												<button class="subscribe-btn" id="subscribe-btn-14877" title="Subscribe">Subscribe</button>
																		<button class="share-btn" id="share-btn-14877" title="Share">Share</button>
										</nav>
						

	



		

						

				

					

					

				

				

					

																																																																								

					

						

RSS Feed

							<input value="https://dmarcreport.com/feed/podcast/dmarc-report" class="input-rss input-rss-14877" title="RSS Feed URL" readonly />
						

						<button class="copy-rss copy-rss-14877" title="Copy RSS Feed URL" aria-label="Copy RSS Feed URL"></button>
					

				

			

									

				

					

					

				

				

					

						Share						

					

						<a href="https://www.facebook.com/sharer/sharer.php?u=https://dmarcreport.com/blog/podcast/setting-dkim-keys-for-salesforce/&t=Setting DKIM keys for Salesforce" target="blank" rel="noopener noreferrer" class="share-icon facebook" title="Share on Facebook">
							

						</a>
						<a href="https://twitter.com/intent/tweet?text=https://dmarcreport.com/blog/podcast/setting-dkim-keys-for-salesforce/&url=Setting DKIM keys for Salesforce" target="blank" rel="noopener noreferrer" class="share-icon twitter" title="Share on Twitter">
							

						</a>
						<a href="/images/wp/2024/08/Setting-DKIM-keys-for-Salesforce.mp3" target="blank" rel="noopener noreferrer" class="share-icon download" title="Download" download>
							

						</a>
					

				

				

					

						Link						

					

						<input value="https://dmarcreport.com/blog/podcast/setting-dkim-keys-for-salesforce/" class="input-link input-link-14877" title="Episode URL" readonly />
					

					<button class="copy-link copy-link-14877" title="Copy Episode URL" aria-label="Copy Episode URL" readonly=""></button>
				

				

					

						Embed						

					

						<input type="text" value='<blockquote class="wp-embedded-content" data-secret="EvevspBOyg"><a href="https://dmarcreport.com/blog/podcast/setting-dkim-keys-for-salesforce/">Setting DKIM keys for Salesforce</a></blockquote><iframe sandbox="allow-scripts" security="restricted" src="https://dmarcreport.com/blog/podcast/setting-dkim-keys-for-salesforce/embed/#?secret=EvevspBOyg" width="500" height="350" title=""Setting DKIM keys for Salesforce" — DMARC Report" data-secret="EvevspBOyg" frameborder="0" marginwidth="0" marginheight="0" scrolling="no" class="wp-embedded-content"></iframe><script>

/*! This file is auto-generated / !function(d,l){“use strict”;l.querySelector&&d.addEventListener&&“undefined”!=typeof URL&&(d.wp=d.wp||{},d.wp.receiveEmbedMessage||(d.wp.receiveEmbedMessage=function(e){var t=e.data;if((t||t.secret||t.message||t.value)&&!/[^a-zA-Z0-9]/.test(t.secret)){for(var s,r,n,a=l.querySelectorAll(‘iframe[data-secret=”‘+t.secret+’”]’),o=l.querySelectorAll(‘blockquote[data-secret=”‘+t.secret+’”]’),c=new RegExp(“^https?:$”,“i”),i=0;i<o.length;i++)o[i].style.display=“none”;for(i=0;i<a.length;i++)s=a[i],e.source===s.contentWindow&&(s.removeAttribute(“style”),“height”===t.message?(1e3<(r=parseInt(t.value,10))?r=1e3:~~r<200&&(r=200),s.height=r):“link”===t.message&&(r=new URL(s.getAttribute(“src”)),n=new URL(t.value),c.test(n.protocol))&&n.host===r.host&&l.activeElement===s&&(d.top.location.href=t.value))}},d.addEventListener(“message”,d.wp.receiveEmbedMessage,!1),l.addEventListener(“DOMContentLoaded”,function(){for(var e,t,s=l.querySelectorAll(“iframe.wp-embedded-content”),r=0;r<s.length;r++)(t=(e=s[r]).getAttribute(“data-secret”))||(t=Math.random().toString(36).substring(2,12),e.src+=”#?secret=“+t,e.setAttribute(“data-secret”,t)),e.contentWindow.postMessage({message:“ready”,secret:t},"")},!1)))}(window,document); //# sourceURL=https://dmarcreport.com/wp-includes/js/wp-embed.min.js ’ title=“Embed Code” class=“input-embed input-embed-14877” readonly/>

					<button class="copy-embed copy-embed-14877" title="Copy Embed Code" aria-label="Copy Embed Code"></button>
				

			

				

Deploying and configuring DKIM, along with implementing DMARC, is critical for Salesforce users to protect their domain’s reputation, improve email deliverability, and maintain the integrity and authenticity of their email communication. DKIM and DMARC work together by integrating cryptography and **policy-based authentication to verify if a cybercriminal changed an email’s content or spoofed the sender while it was in transit.

What’s even impressive is that Salesforce itself encourages the adoption of email authentication protocols within its platform. This makes it quite simple for you to get started with the process and keep going. Moreover, emails signed with DKIM instill trust in **recipient’s mailboxes and have fewer chances of getting flagged for being spam. This helps most of your emails reach the intended recipients’ inboxes and not spam folders.

Steps to generate a DKIM key in Salesforce

Here’s what you need to do-

• Use your login credentials to sign in to your Salesforce account with administrative privileges.

• Go to DKIM settings by clicking on the gear icon you will see in the top right corner.

• Spot a ‘Quick Find’ box and type ‘DKIM.’ You will see the ‘Email’ section, under which you have to select ‘DKIM Keys.’

• To create a new DKIM key, click on the ‘Create New Key’ button, where you have to fill in the required fields-

• Domain: Enter the domain name you want to sign your emails with.

• Selector: Enter a unique name for the DKIM selector (e.g., salesforce2024). This selector will be used to differentiate this key in your DNS records.

• Key size: Choose a key size. Salesforce typically offers 1024-bit or 2048-bit keys, which provide stronger security.

5. Once you have filled out the details in the required fields, click ‘Generate.’ You will receive a pair of public and private keys **produced by Salesforce exclusively for your domain.

Steps to add the DKIM key in Salesforce

• Once the key is generated, Salesforce will display the public key and the exact DNS TXT record format you need to add to your domain’s DNS settings. So copy that.

• Log in to your **DNS provider’s platform and look for an option to add a new TXT record with the following details-

• Name: This should be the combination of the DKIM selector and your domain, e.g., salesforce2024.domainkey.yourdomain.com.

• Type: Select TXT.

• Value: Paste the public key provided by Salesforce.

• When done, save the new TXT record in your DNS settings. Please wait for 24 to 48 hours for the changes to propagate across the internet.

Steps to activate the DKIM key in Salesforce

• Return to the Salesforce DKIM Key setup page .

• Click on ‘Activate’ next to the key you generated.

• Salesforce will check if the DNS TXT record is correctly set up and, once verified, will start signing your emails with the DKIM key.

• Then, test the **DKIM signature by sending an email from Salesforce and checking the email headers to ensure that your signature is valid and properly formatted.

How Do You Monitor and Maintenance?

Monitor the status of your DKIM key in Salesforce regularly to ensure it continues to function correctly. Following a similar process, consider rotating your DKIM keys periodically for added security.