Configuring DKIM in Salesforce
When you create a DKIM key, Salesforce publishes the TXT record containing your public key to DNS. They also automatically rotate keys to reduce the risk of your keys becoming compromised by a third party.
Best Practices to setup DKIM
Review the Salesforce Help & Training article: Best Practices to setup DKIM.
To create a new DKIM key
- From Setup, enter DKIM Keys in the Quick Find box, and then select DKIM Keys.
- Click Create New Key.
- Select the RSA key size. Consider email recipient limitations and industry-specific security regulations when choosing the key size.
- For Selector, enter a unique name.
- For Alternate Selector, enter a unique name. The alternate Selector allows Salesforce to auto-rotate your keys.
- Enter your domain name.
- Select the type of domain match you want to use.
- Click Save. Salesforce publishes your TXT records to DNS.
- Before activating this key, add the CNAME and Alternate CNAME records from your DKIM Key Details page to your domain’s DNS record. When the DNS publication is complete, your CNAME and alternate CNAME records appear on the DKIM Key Details page. It can take time for DNS publication to finish around the world.
- On the DKIM Key Details page, click Activate.
Note: You can’t activate your DKIM key until your CNAME records are published to your domain’s DNS record. For security purposes, Salesforce rotates your DKIM keys every 30 days. When you activate your DKIM key, Salesforce creates a secondary, inactive DKIM key for the next rotation.