Your Domain Sent That Email—But Can Gmail Prove It? How DKIM Seals the Deal

Every email you send from Salesforce claims to come from your domain—but without proof, inbox providers have no reason to believe it. DKIM authentication provides that proof. It attaches a cryptographic signature to every outgoing message, letting Gmail, Yahoo, and Outlook verify that your email is genuine and untampered. Since 2024, Gmail and Yahoo require DKIM for all bulk senders, making it a non-negotiable requirement for any organization sending mass emails through Salesforce. Without DKIM, your messages risk being filtered to spam, rejected outright, or flagged as potential phishing—regardless of how good your content is.

What Is DKIM Authentication?

DKIM (DomainKeys Identified Mail) is an email authentication protocol defined in RFC 6376 that allows a sending domain to digitally sign outgoing emails. The signature travels in a DKIM-Signature header that readers never see; it covers a cryptographic hash of selected headers and the message body. When a recipient’s mail server receives the message, it retrieves the sender’s public key from DNS and uses it to verify the signature. If the signature validates, it confirms two things: the email was authorized by the domain owner, and the signed content was not modified in transit.

Unlike SPF, which only verifies that the sending server is authorized, DKIM verifies message integrity at the content level. Because the check depends on the message content rather than on the delivering server, DKIM signatures survive email forwarding as long as the forwarder leaves the signed content untouched; this is a critical advantage because forwarded emails fail SPF checks but retain valid DKIM signatures. DKIM works alongside SPF and DMARC as one of three foundational authentication protocols that inbox providers evaluate when deciding whether to deliver, filter, or reject your emails.

How DKIM Signing and Verification Works

DKIM operates on public-key cryptography. As Cloudflare’s DKIM technical reference explains, the process involves two keys: a private key held securely by the sending mail server and a public key published in DNS. When your Salesforce org sends an email, the server computes a hash of specific message components (typically the From header, Subject, Date, and message body) and signs that hash with the private key. The result is the DKIM signature, added to the email as the DKIM-Signature header.

The recipient’s mail server reads the DKIM-Signature header, extracts the domain (d=) and selector (s=) values, then queries DNS at selector._domainkey.yourdomain.com to retrieve the public key. It uses that public key to check the signature against a hash it computes independently from the received message. A match means the email passes DKIM verification, confirming authenticity and integrity. A mismatch indicates the message was either not sent by the claimed domain or was altered after signing, and the server treats it as unauthenticated.
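As an added illustration (not code from the article or from Salesforce), the following Python pulls the d= and s= tags out of a DKIM-Signature header, builds the DNS name a verifier queries, and recomputes the bh= body hash under the "simple" canonicalization so that a body altered after signing is caught. The message, the selector sf-2025 and the domain example.com are constructed samples; the b= value is a placeholder because the signature itself needs the private key.

```python
import base64
import email
import hashlib
import re
from typing import Dict


def parse_dkim_tags(header_value: str) -> Dict[str, str]:
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def dkim_tags(raw_message: str) -> Dict[str, str]:
    """Tags of the DKIM-Signature header of a raw RFC 5322 message."""
    return parse_dkim_tags(email.message_from_string(raw_message)["DKIM-Signature"])


def dns_record_name(tags: Dict[str, str]) -> str:
    """Name the verifier queries for the public key: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def body_hash(body: str) -> str:
    """bh= value: SHA-256 over the 'simple'-canonicalized body (RFC 6376 s.3.4.3):
    every trailing empty line is dropped and the body ends in exactly one CRLF."""
    canon = body.replace("\r\n", "\n").rstrip("\n").replace("\n", "\r\n") + "\r\n"
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()


def body_hash_matches(raw_message: str) -> bool:
    """Recompute bh= from the body as received and compare it with the signed value.
    A mismatch proves the body changed after signing, so b= verification cannot pass."""
    msg = email.message_from_string(raw_message)
    return body_hash(msg.get_payload()) == parse_dkim_tags(msg["DKIM-Signature"])["bh"]


# Constructed sample message. b= is a placeholder: the RSA signature over the headers
# needs the private key, which this example does not model.
ORIGINAL_BODY = "Your order has shipped.\nThanks,\nExample Corp\n"
SIGNED = (
    "From: notifications@example.com\n"
    "Subject: Your order\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com;\n"
    f"\ts=sf-2025; h=from:subject; bh={body_hash(ORIGINAL_BODY)}; b=PLACEHOLDER\n"
    "\n" + ORIGINAL_BODY
)
# What a mailing list or forwarder might deliver: same headers, a footer appended to the body.
FORWARDED = SIGNED + "-- \nSent via the example-list mailing list\n"
```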

Setting Up DKIM in Salesforce

Salesforce supports native DKIM signing for outbound emails. The setup requires Salesforce admin permissions and DNS access to your sending domain. For our detailed walkthrough, see the MassMailer DKIM setup guide. The core steps are: navigate to Setup → DKIM Keys → Create New Key, enter a unique selector name (e.g., sf-2025), select a 2048-bit key size for stronger cryptographic protection, and specify your sending domain. Salesforce generates two CNAME records—one for the key selector and one for the public key.

Copy both CNAME records into your domain’s DNS configuration exactly as displayed. DNS propagation typically takes 24–48 hours. Once propagated, return to Salesforce and activate the DKIM key. After activation, Salesforce automatically signs all outbound emails where the From address domain matches the DKIM key configuration. The domain you enter must match the domain in your From header to avoid alignment failures with DMARC. For complete authentication, configure DKIM alongside SPF and DMARC using our Salesforce email authentication guide.

DKIM Key Management and Rotation

DKIM keys are not a set-and-forget configuration. Key rotation—periodically replacing your DKIM key pair with a new one—is essential for maintaining security. If a private key is compromised or exposed, attackers could sign emails on behalf of your domain until the key is revoked. Industry best practice, recommended by the Messaging, Malware, and Mobile Anti-Abuse Working Group (M3AAWG), is to rotate DKIM keys every three to six months.

Always use 2048-bit keys rather than 1024-bit. While 1024-bit keys are still functional, 2048-bit keys provide significantly stronger cryptographic protection and are the standard recommendation from Google, Microsoft, and major inbox providers. When rotating keys, publish the new key in DNS before deactivating the old one to avoid a gap in authentication coverage. Salesforce supports creating new DKIM keys while keeping existing keys active, enabling seamless rotation without send interruptions. Monitor your email deliverability metrics closely after any key rotation to catch configuration issues early.

DKIM, SPF, and DMARC: Working Together

DKIM alone doesn’t tell inbox providers what to do when authentication fails—that’s where DMARC comes in. DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on both SPF and DKIM by establishing a policy for handling emails that fail authentication checks. It also requires alignment: the domain in the DKIM signature must match the domain in the From header for DMARC to pass on DKIM alignment.

SPF verifies that the sending server’s IP is authorized by the domain’s DNS record. DKIM verifies message integrity and domain authorization through cryptographic signing. DMARC ties them together with policy enforcement (none, quarantine, or reject) and provides reporting that reveals unauthorized use of your domain. Gmail and Yahoo now require all three protocols for bulk senders. For Salesforce-specific configuration steps, our email security guide covers the complete SPF, DKIM, and DMARC stack. Missing any one protocol leaves gaps that reduce inbox placement rates and expose your domain to spoofing attacks.

Common DKIM Failures and Troubleshooting

DKIM failures typically fall into three categories: DNS configuration errors, message modification in transit, and alignment mismatches. DNS issues include typos in selector names, unpropagated records, or missing TXT/CNAME entries. Use tools like MXToolbox or Google Admin Toolbox to validate that your DKIM record resolves correctly at selector._domainkey.yourdomain.com before activating the key in Salesforce.

Message modification is the most common silent failure. Email forwarding services, mailing lists, footer appending tools, and email relay servers can alter the message body or headers after DKIM signing, invalidating the signature. If your organization uses email relay in Salesforce, ensure the relay doesn’t modify signed headers or body content. Alignment failures occur when the domain in the DKIM signature (d= value) doesn’t match the From header domain—particularly common when sending through third-party platforms on behalf of your domain. Monitor DMARC reports to identify these failures and adjust your DKIM configuration accordingly. Persistent email bounces or sudden drops in open rates often indicate undetected DKIM issues.
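To show how the alignment failures described above are judged, here is an added Python example (not from the article or any vendor) that applies DMARC's strict and relaxed DKIM alignment rules to the From domain and to the d= value of every signature on the message. The sample messages, example.com and esp-platform.net are constructed; the organizational-domain helper is a two-label approximation rather than a Public Suffix List lookup.

```python
import email
import email.utils
import re
from typing import List


def organizational_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels
    (mail.example.com -> example.com). Assumption: real DMARC checkers use the
    Public Suffix List, so multi-label suffixes such as co.uk are not handled here."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(from_domain: str, dkim_d: str, mode: str = "r") -> bool:
    """DMARC DKIM alignment (RFC 7489 s.3.1.1): strict ('s') needs an exact match,
    relaxed ('r', the default) needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == dkim_d.lower()
    return organizational_domain(from_domain) == organizational_domain(dkim_d)


def signing_domains(raw_message: str) -> List[str]:
    """d= tag of every DKIM-Signature header (a relayed message may carry several)."""
    msg = email.message_from_string(raw_message)
    return [re.search(r"\bd=\s*([^;\s]+)", h).group(1) for h in msg.get_all("DKIM-Signature", [])]


def from_domain(raw_message: str) -> str:
    """Domain of the RFC 5322 From address, which DMARC aligns against."""
    msg = email.message_from_string(raw_message)
    return email.utils.parseaddr(msg["From"])[1].rsplit("@", 1)[-1]


def dmarc_dkim_pass(raw_message: str, mode: str = "r") -> bool:
    """The DKIM leg of DMARC passes when at least one signature is aligned with From.
    Assumption: the signatures themselves already verified; only alignment is judged."""
    sender = from_domain(raw_message)
    return any(is_aligned(sender, d, mode) for d in signing_domains(raw_message))


def sample(from_addr: str, *signing: str) -> str:
    """Constructed message with one placeholder DKIM-Signature per signing domain."""
    sigs = "".join(f"DKIM-Signature: v=1; a=rsa-sha256; d={d}; s=sel; bh=...; b=...\n" for d in signing)
    return f"From: {from_addr}\n{sigs}Subject: test\n\nbody\n"


OWN = sample("alerts@example.com", "example.com")           # Salesforce key on your own domain
SUBDOM = sample("alerts@mail.example.com", "example.com")   # subdomain From, parent domain signs
THIRD = sample("alerts@example.com", "esp-platform.net")    # only the third-party platform signs
DUAL = sample("alerts@example.com", "esp-platform.net", "example.com")  # platform plus own key
```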

DKIM and Native Salesforce Email Platforms

Managing DKIM authentication across Salesforce requires ongoing visibility into authentication health—not just initial setup. Native Salesforce email platforms like MassMailer simplify this by providing built-in authentication monitoring that tracks SPF, DKIM, and DMARC pass rates in real time. Instead of manually checking DNS records and parsing DMARC XML reports, teams can see authentication status directly within their Salesforce dashboard alongside campaign performance data.

MassMailer automatically verifies sending domain authentication, alerts you when DKIM keys expire or DNS records change, and provides deliverability diagnostics that connect authentication health to inbox placement. For organizations sending at volume beyond Salesforce’s 5,000 daily limit, MassMailer also offers dedicated IP addresses with automated warm-up—where strong DKIM authentication is essential for building sender reputation from day one. This end-to-end approach turns email authentication from a periodic admin task into continuous, automated protection.

Is your DKIM actually passing—or silently failing? MassMailer monitors SPF, DKIM, and DMARC health in real time, alerts you before authentication issues impact deliverability, and keeps every email properly signed—all natively within Salesforce. Schedule a call to see how MassMailer protects your sender reputation →

Key Takeaways

  • DKIM adds a cryptographic digital signature to outgoing emails, letting recipient servers verify both sender authorization and message integrity—two things SPF alone cannot prove.
  • Gmail and Yahoo require DKIM authentication for bulk senders as of 2024; emails without valid DKIM signatures face spam filtering or outright rejection.
  • Salesforce supports native DKIM key generation in Setup → DKIM Keys, requiring DNS CNAME record publication and 24–48 hours for propagation before activation.
  • Use 2048-bit keys and rotate them every three to six months to maintain strong cryptographic security and prevent compromised key exploitation.
  • DKIM survives email forwarding (unlike SPF), making it the most reliable authentication signal for messages that pass through intermediary servers.
  • DKIM must align with SPF and DMARC for complete protection—all three protocols are now baseline requirements, not optional security enhancements.