How to Authenticate Email Domains in Salesforce: DKIM & Authorized Domains

Hitesh Patel
13 Mar 2026
Method 1: DKIM (Recommended)
Steps:
  1. In Salesforce, go to Setup and search for “DKIM Keys”.
  2. Click the option to create a new DKIM key.
  3. Select 2048-bit unless a specific application requires smaller keys.
  4. For Selector, enter a unique string of up to 62 letters, digits, and hyphens to identify this key. Start with a letter or number. For example, example-sf-a.
  5. For Alternate Selector, enter another unique string of up to 62 letters, digits, and hyphens. Start with a letter or number. For example, example-sf-b.

The alternate selector allows Salesforce to auto-rotate your keys.

  6. Enter the domain name used to send email from Salesforce.

Note: After you save a DKIM key, you can’t edit the domain name.

  7. For domain match pattern, enter a comma-separated list of domain patterns that the domain name must match before Salesforce signs an email with this DKIM key. Example: example.com,*.example.com - DomainAndSubdomains: Sign if sending domain matches at the domain and subdomain levels (example.com and mail.example.com).
  8. Save your changes.

Salesforce publishes two DKIM public keys to DNS TXT (text) records for a Salesforce-owned domain: a primary and alternate key. The alternate key is used during key rotation.

Salesforce also generates corresponding canonical domain name (CNAME) records for your domain, which become the second half of the DKIM key pair. This process usually finishes within 15 minutes.

  9. Add the CNAME and Alternate CNAME records to your domain’s DNS record. To view the key details, from the DKIM key list in Setup, click the selector of the key. If Salesforce has finished publishing the TXT records for the private key, the CNAME Record and Alternate CNAME Record fields are shown.

If the TXT Record Status is Publishing in progress, wait a few minutes and try again.

Add the CNAME and Alternate CNAME records to DNS for your domain. Here’s an example of DNS CNAME records for a DKIM Key with a domain of example.com and selectors example-sf-a and example-sf-b.

NAME                                  TTL   CLASS  TYPE    VALUE
------------------------------------------------------------------------------------------------------
example-sf-a._domainkey.example.com. 3600  IN     CNAME   example-sf-a.k4tyd2.custdkim.salesforce.com.
example-sf-b._domainkey.example.com. 3600  IN     CNAME   example-sf-b.e6mxu6.custdkim.salesforce.com.

When DNS propagation is complete, your CNAME and alternate CNAME records appear on the DKIM Key Details page.

Note: DNS changes can take up to 72 hours to propagate.

  10. When DNS propagation is complete, activate your domain.

From the DKIM key list in Setup, click Edit for the key.

On the DKIM Key Details page, click Activate.


Note: You can’t activate your DKIM key until your CNAME records are published to your domain’s DNS record.
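
A pre-activation check for the two CNAME records described above, as an added example that is not Salesforce's code or part of the original article. The function names are hypothetical, the input is assumed to be answer lines in the NAME TTL CLASS TYPE VALUE layout of the table above (the layout `dig +noall +answer` prints), and the expected target form (selector as first label, host under custdkim.salesforce.com) is an assumption taken from the page's sample records.

```python
import re

# Selector rule from the steps above: up to 62 letters, digits and hyphens,
# starting with a letter or number.
SELECTOR_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]{0,61}")
# Assumption: targets live under this suffix, as in the page's sample records.
TARGET_SUFFIX = ".custdkim.salesforce.com."


def parse_cnames(answer_text):
    """Map owner name -> CNAME target from 'NAME TTL CLASS TYPE VALUE' lines."""
    records = {}
    for line in answer_text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[2].upper() == "IN" and fields[3].upper() == "CNAME":
            records[fields[0].lower()] = fields[4].lower()
    return records


def check_dkim_cnames(domain, selectors, answer_text):
    """Return a list of problems; an empty list means every record looks ready."""
    problems = []
    records = parse_cnames(answer_text)
    for selector in selectors:
        if not SELECTOR_RE.fullmatch(selector):
            problems.append(f"{selector!r}: invalid selector syntax")
            continue
        owner = f"{selector}._domainkey.{domain}.".lower()
        target = records.get(owner)
        if target is None:
            problems.append(f"{owner}: no CNAME record found")
        elif not (target.startswith(selector.lower() + ".") and target.endswith(TARGET_SUFFIX)):
            problems.append(f"{owner}: unexpected target {target}")
    return problems


# Constructed sample input: the two example records shown in the table above.
SAMPLE = """\
example-sf-a._domainkey.example.com. 3600  IN     CNAME   example-sf-a.k4tyd2.custdkim.salesforce.com.
example-sf-b._domainkey.example.com. 3600  IN     CNAME   example-sf-b.e6mxu6.custdkim.salesforce.com.
"""

if __name__ == "__main__":
    for problem in check_dkim_cnames("example.com", ["example-sf-a", "example-sf-b"], SAMPLE):
        print(problem)
```

Checking the alternate selector as well as the primary matters because a missing alternate record only shows up later, when the key rotates.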

Method 2: Authorized Email Domains
  1. From Setup, in the Quick Find box, enter Authorized Email Domains, and then select Authorized Email Domains.
  2. To add an authorized email domain, click Add.
  3. Enter the domain name. For example, example.com.
  4. Save your changes. Salesforce generates a verification key for the authorized email domain, for example: 00D000000000P08=1TB00000000000B.
  5. In DNS, add a TXT record that includes the verification code for the domain name, with or without _sfdv. as a prefix.
  6. In Salesforce, verify ownership of the domain.

From Setup, in the Quick Find box, enter Authorized Email Domains, and then select Authorized Email Domains.

Next to your domain record, click Edit.

On the record page, enable Verify domain ownership.

If domain verification is successful, Verify domain ownership remains enabled. By default, user-level email verification isn’t required for users with email addresses on a verified domain.

If domain verification is unsuccessful, verify that the required TXT record exists in DNS and that enough time has passed for the change to propagate.

To require user-level email verification for this domain, enable Require email verification.

This setting is enabled by default.

  7. Save your changes.