The setup is short but DNS-dependent. The order: register the domain in Salesforce, copy the DKIM record values, publish to DNS, wait for propagation, verify activation, then start sending. Each step takes minutes; DNS propagation is the slow part and is outside admin control.
- List the domains the org sends From
Pull a sample of outbound email From addresses from your sent log. Every distinct domain (acme.com, news.acme.com, support.acme.com) needs registration.
- Register each domain in Setup, Email Authentication
In Setup, go to Email, then Email Authentication, and choose New Domain. Enter the domain name. Salesforce generates a DKIM key and shows the CNAME or TXT records to publish.
- Publish DKIM records to your DNS provider
Copy the Salesforce-generated CNAME or TXT records into your DNS console (Cloudflare, Route 53, Vercel DNS, etc.). The records are subdomain-specific.
- Wait for DNS propagation and verify
DNS propagation typically takes 15 minutes to 4 hours. Re-check the Salesforce page; status moves from Pending to Activated when verification succeeds.
- Confirm SPF includes Salesforce
Salesforce's SPF entry needs to be in your domain's SPF TXT record. Use an SPF lookup tool to verify; missing SPF compounds DKIM problems.
- Add a DMARC policy at "none" first
Publish a DMARC TXT record with policy "none" plus a reporting email. Aggregate reports start arriving within 24 hours and tell you what is passing and failing authentication.
- Escalate DMARC to quarantine then reject after validation
Once all legitimate senders pass DKIM and SPF reliably for 2 to 4 weeks at "none", escalate to "quarantine" (5 percent of failed mail goes to spam). After another 2 to 4 weeks, escalate to "reject" (100 percent rejected).
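An offline pre-flight for the records these steps produce, as an added example that is not Salesforce's or this page's own code: it audits constructed zone data once per From domain (DKIM selector record present, SPF carries the Salesforce include, DMARC well-formed with a reporting address) and applies the none, quarantine, reject ladder. The Salesforce SPF include string and DKIM CNAME target are placeholders, the selector name `sf` and the two-week minimum per rung are assumptions.

```python
SF_SPF_INCLUDE = "include:<salesforce-spf-include>"  # placeholder: copy the real value from Setup
DKIM_SELECTOR = "sf"                                   # assumption: the page says "typically sf"
MIN_CLEAN_WEEKS = 2                                    # low end of the page's 2-to-4 week window

def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=none; rua=mailto:x' into a lower-cased tag dict."""
    return {k.strip().lower(): v.strip()
            for k, v in (p.split("=", 1) for p in txt.split(";") if "=" in p)}

def audit_spf(txt):
    issues = []
    if not txt.lower().startswith("v=spf1"):
        issues.append("SPF: record does not start with v=spf1")
    if SF_SPF_INCLUDE not in txt:
        issues.append("SPF: Salesforce include missing (compounds DKIM failures)")
    return issues

def audit_dmarc(txt):
    tags, issues = parse_dmarc(txt), []
    if tags.get("v") != "DMARC1":
        issues.append("DMARC: missing or wrong v= tag")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        issues.append("DMARC: p= must be none, quarantine or reject")
    if "rua" not in tags:
        issues.append("DMARC: no rua=, so no aggregate reports will arrive")
    if tags.get("p") == "none":
        issues.append("DMARC: p=none enforces nothing; plan the escalation")
    return issues

def audit_domain(domain, zone):
    """zone maps record name -> (type, value). Run once per distinct From domain."""
    rec = zone.get(f"{DKIM_SELECTOR}._domainkey.{domain}")
    issues = [] if rec and rec[0] in ("CNAME", "TXT") else ["DKIM: selector record missing"]
    issues += audit_spf(zone.get(domain, ("TXT", ""))[1])
    dmarc = zone.get(f"_dmarc.{domain}")
    return issues + (audit_dmarc(dmarc[1]) if dmarc else ["DMARC: no _dmarc record (org-domain policy applies, if any)"])

def next_dmarc_policy(current, clean_weeks):
    """Escalation ladder none -> quarantine -> reject, one rung per clean window."""
    ladder = ["none", "quarantine", "reject"]
    i = ladder.index(current)
    return current if i == 2 or clean_weeks < MIN_CLEAN_WEEKS else ladder[i + 1]

# Constructed zone: root domain fully set up, news subdomain never registered.
ZONE = {
    "acme.com": ("TXT", f"v=spf1 {SF_SPF_INCLUDE} -all"),
    f"{DKIM_SELECTOR}._domainkey.acme.com": ("CNAME", "<salesforce-dkim-target>"),
    "_dmarc.acme.com": ("TXT", "v=DMARC1; p=none; rua=mailto:dmarc@acme.com"),
    "news.acme.com": ("TXT", "v=spf1 -all"),
}
```

Running `audit_domain` over every domain from the sent-log sample surfaces the unregistered subdomain case from the checklist before any mail is sent.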
Every distinct sending domain. Multi-domain orgs need each registered separately.
The selector portion of the DKIM record (typically sf or a date-based string). Salesforce generates this.
CNAME or TXT depending on the DNS provider's support. Both work; Salesforce supports both.
The Salesforce SPF include string the domain's SPF TXT record must contain.
Start at none, escalate to quarantine, then reject. The escalation is what actually enforces the authentication.
- DNS propagation can take hours. Admins who publish records and immediately re-check often see Not Verified for the first hour; this is normal.
- Multi-domain orgs need separate registration per domain. Forgetting subdomain registrations is the most common cause of partial spam-folder issues.
- DMARC at policy "none" does not enforce anything. The escalation to quarantine and reject is what actually makes DMARC matter; orgs that publish DMARC at none indefinitely get no enforcement benefit.
- Email Relay is an alternative pattern, not a complement. Running both adds operational complexity without authentication benefit.
- Receiving mail providers cache DKIM records aggressively. Changing the DKIM key after publishing can produce intermittent failures for hours while caches refresh.