
Salesforce DKIM setup: create keys and publish CNAME records

Set up Salesforce DKIM by creating primary and alternate selectors, publishing CNAME records, activating the key, and verifying DMARC alignment.

Marc Lelu

Salesforce DKIM lets Salesforce sign outbound email with your domain, which is the most reliable way to make Salesforce mail pass DMARC.

Salesforce’s Create a DKIM Key documentation says to create a DKIM key in Setup, publish the CNAME and alternate CNAME records in DNS, then activate the key after DNS propagates.

Before you start

You need:

  • Salesforce permission to customize the application.
  • DNS access for the sending domain.
  • A domain that has completed Salesforce email-sending verification requirements.
  • A clear list of domains and subdomains Salesforce sends from.

Salesforce notes that an active DKIM key verifies domain ownership only when the DKIM key domain matches the full domain in the From address. Create separate DKIM keys for subdomains that send mail.

Step 1: create a DKIM key in Salesforce

In Salesforce Setup, search for DKIM Keys and select it.

Click Create New Key.

Use:

| Field | Recommended value |
| --- | --- |
| RSA key size | 2048-bit |
| Selector | A unique selector, for example example-sf-a |
| Alternate Selector | A second unique selector, for example example-sf-b |
| Domain | The sending domain, for example example.com |
| Domain Match Pattern | The exact sending domain |

Salesforce no longer recommends wildcard domain match patterns for domains you own. If you send from mail.example.com, create a separate DKIM key for that subdomain.

Step 2: wait for Salesforce to generate CNAME records

After saving, the key starts inactive. Salesforce publishes two DKIM public keys under Salesforce-owned DNS and generates two CNAME records for your domain.

Salesforce says this process usually finishes within 15 minutes.

Open the DKIM key details page and wait until the CNAME Record and Alternate CNAME Record fields appear.

Step 3: publish both CNAME records

At your DNS provider, add both CNAME records exactly as Salesforce shows them.

They look conceptually like:

example-sf-a._domainkey.example.com CNAME example-sf-a.xxxxxx.custdkim.salesforce.com
example-sf-b._domainkey.example.com CNAME example-sf-b.yyyyyy.custdkim.salesforce.com

Do not copy these examples. Use the generated values from your org.

Some DNS providers want only the host prefix, such as example-sf-a._domainkey, while others want the full hostname. Confirm the final DNS name before saving.

Step 4: activate the DKIM key

When DNS propagation is complete, return to Salesforce.

Edit the DKIM key and click Activate. Salesforce says you cannot activate the key until the CNAME records are published.

Salesforce also rotates DKIM keys automatically. The alternate selector supports that rotation, so publish both CNAME records.

Step 5: verify real Salesforce mail

Send a test message from Salesforce using the same feature you care about: user email, automation, alerts, or another Salesforce email path.

Inspect the headers:

  • DKIM passes.
  • The DKIM d= domain aligns with the From domain.
  • DMARC passes.

Then check the domain with DMARCTrust and monitor aggregate reports in your dashboard.
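The Step 5 header check as a script, added here as an example (not Salesforce or DMARCTrust code): it reads the receiver's Authentication-Results verdicts and compares the DKIM d= domain with the From domain for signatures that use your selectors. The sample message is constructed, the function names are hypothetical, and the "relaxed-only" result assumes parent and child names sit under one organizational domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not real Salesforce output); the selector and
# domain reuse the article's example values.
SAMPLE = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.d=example.com header.s=example-sf-a;
 dmarc=pass (p=NONE) header.from=example.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=example-sf-a; h=from:to:subject; bh=xxxx; b=yyyy
From: Sales Team <sales@example.com>
Subject: DKIM test

body
"""

def tag(header, name):
    """Return one tag value (d=, s=, ...) from a DKIM-Signature header."""
    m = re.search(rf"(?:^|;)\s*{re.escape(name)}\s*=\s*([^;\s]+)", header)
    return m.group(1).lower() if m else None

def verdict(msg, method):
    """Verdict in Authentication-Results; trust only your own receiver's header."""
    for value in msg.get_all("Authentication-Results", []):
        m = re.search(rf"\b{method}=(\w+)", value)
        if m:
            return m.group(1).lower()
    return None

def alignment(d, from_domain):
    if d and d == from_domain:
        return "exact"
    # Assumption: parent/child names share one organizational domain.
    if d and (from_domain.endswith("." + d) or d.endswith("." + from_domain)):
        return "relaxed-only"
    return "none"

def check(raw, selectors):
    """Summarise the Step 5 checks for signatures using the org's selectors."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    sigs = [(tag(s, "d"), tag(s, "s")) for s in msg.get_all("DKIM-Signature", [])]
    d, sel = next((x for x in sigs if x[1] in selectors), (None, None))
    return {"from_domain": from_domain, "selector": sel,
            "dkim": verdict(msg, "dkim"), "dmarc": verdict(msg, "dmarc"),
            "alignment": alignment(d, from_domain)}

if __name__ == "__main__":
    print(check(SAMPLE, {"example-sf-a", "example-sf-b"}))
```

A "relaxed-only" result means the signing domain and the From domain differ, which is the case where a separate DKIM key for the subdomain is needed.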

Common mistakes

Only publishing one CNAME. Salesforce uses a primary and alternate selector.

Using wildcards for owned subdomains. Create separate DKIM keys for subdomains that send.

Forgetting to activate. DNS publication does not enable signing by itself.

Assuming all Salesforce products share this setup. Marketing Cloud and other Salesforce products can have separate authentication flows.

SPF and DMARC

SPF still matters. If your org needs it, add include:_spf.salesforce.com to your single SPF record. See Salesforce SPF setup.

Then publish DMARC in monitoring mode:

v=DMARC1; p=none; rua=mailto:[email protected];

Use DMARCTrust to confirm Salesforce is aligned before you enforce.

FAQ

How many DKIM records does Salesforce use?

Salesforce generates two CNAME records: one for the selector and one for the alternate selector.

What key size should I choose?

Use 2048-bit unless a specific application requires smaller keys.

How long does Salesforce DKIM DNS take?

Salesforce says DNS changes can take up to 72 hours to propagate.
