How to Set Up DKIM for Salesforce

Generate DKIM keys in Salesforce Setup and publish the public key in your DNS to sign outgoing email.

Quick Answer — The Record You Need

Record Type

CNAME

Host / Name

YOUR_SELECTOR._domainkey

Value

YOUR_SELECTOR._domainkey.yourdomain.com.sf._domainkey.salesforce.com

Salesforce generates DKIM keys in Setup. The exact CNAME records depend on your configuration.

Step-by-Step Setup

Log in to Salesforce Setup

Go to Setup > search for "DKIM Keys" in the Quick Find box.

Create a new DKIM key

Click "Create New Key". Enter your domain, choose a selector name, and set the key size (2048-bit recommended).

Copy the DNS records

Salesforce generates CNAME records for the DKIM key and an alternate key. Copy both.

Add the CNAME records to DNS

Create the CNAME records in your DNS provider as shown by Salesforce.

Activate the key

Return to Salesforce Setup and activate the DKIM key once DNS has propagated.

Common Gotchas

Salesforce generates both a primary and alternate DKIM CNAME record. Both should be added for key rotation support.
You must activate the DKIM key in Salesforce Setup after adding DNS records. It does not activate automatically.
If using Salesforce Marketing Cloud, DKIM setup is in a different location (Authentication settings in MC).

Verify Your Setup

After adding your DNS records, use our free DKIM checker to verify everything is configured correctly. DNS changes typically propagate within minutes, but can take up to 48 hours.

Frequently Asked Questions

Where do I generate DKIM keys in Salesforce?

Go to Setup > DKIM Keys (search in Quick Find). Click "Create New Key" to generate a key pair.

Does Salesforce support DKIM key rotation?

Yes. Salesforce provides a primary and alternate CNAME. You can rotate keys by publishing the alternate and switching the active key.

What key size should I use for Salesforce DKIM?

Use 2048-bit for maximum security. 1024-bit is acceptable if your DNS provider has record length limitations.