The pattern: generate a 2048-bit key, publish the public key to DNS, verify activation, rotate annually with the overlap pattern. The setup is one-time per domain; the rotation is recurring; the deliverability monitoring is continuous.
- Open Setup, Email, DKIM Keys
The page lists existing keys and provides New Key for creation.
- Click New Key for the sending domain
Pick the sending domain (it must be registered through Authorized Email Domains first). Pick 2048-bit RSA. Pick a date-based selector (for example sf2024 or sf-2024-q1).
- Copy the public key value and publish to DNS
The page displays the public key. Copy the value to the DNS record at selector._domainkey.sending-domain.com. Use CNAME or TXT per DNS provider preference.
- Wait for DNS propagation and verify activation
Propagation takes 15 minutes to 4 hours. Salesforce verifies the DNS record and marks the key Active. Outbound email from the domain begins DKIM-signing automatically.
- Monitor DMARC reports for DKIM pass rates
DMARC aggregate reports show DKIM pass percentage per receiving provider. Sustained high pass rates confirm the key is working.
- Plan annual rotation with the overlap pattern
Generate the new key, publish it to DNS, switch Salesforce signing to it, leave the old key in DNS for 14 to 30 days, then remove the old DNS record once the overlap window has passed.
- Document the rotation cadence in the cert-management inventory
DKIM keys belong in the cryptographic-material rotation inventory alongside TLS certificates. The inventory catches rotation lapses.
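The verify and rotate steps above can be checked from the outside rather than trusted to the Setup page. The following is an added example (not Salesforce code): it takes the TXT strings fetched for `selector._domainkey.domain` (with dig or a resolver library; the fetch itself is assumed), joins split records, parses the tags, reads the RSA modulus size straight from the DER public key, checks that a DKIM-Signature header's `s=`/`d=` tags point at that record, and computes the overlap-window dates. The sample record is constructed: it has the right DER shape but a dummy modulus, not a real key.

```python
"""Check a DKIM DNS record and plan the rotation overlap (added example, not Salesforce code).
Assumes the record has already been fetched as a list of TXT strings; the sample below is constructed."""
import base64
import re
from datetime import date, timedelta

RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1


def _der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value (used only to build the constructed sample)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_read(buf: bytes, pos: int):
    """Read one TLV at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                                   # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der: bytes) -> int:
    """Modulus size in bits of a DER SubjectPublicKeyInfo RSA key (the decoded p= tag)."""
    tag, spki, _ = _der_read(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, alg, pos = _der_read(spki, 0)                   # AlgorithmIdentifier
    oid_tag, oid, _ = _der_read(alg, 0)
    if oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _der_read(spki, pos)              # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("missing subjectPublicKey BIT STRING")
    _, rsa_seq, _ = _der_read(bitstr[1:], 0)           # skip the unused-bits octet
    tag, modulus, _ = _der_read(rsa_seq, 0)            # first INTEGER is the modulus n
    if tag != 0x02:
        raise ValueError("RSAPublicKey modulus missing")
    return int.from_bytes(modulus, "big").bit_length()


def build_demo_spki(modulus_bits: int) -> bytes:
    """CONSTRUCTED sample: correct DER shape, dummy modulus; not a usable key."""
    modulus = b"\x00\xc5" + b"\x11" * (modulus_bits // 8 - 1)   # leading 0x00 because the high bit is set
    rsa_pub = _der_tlv(0x30, _der_tlv(0x02, modulus) + _der_tlv(0x02, b"\x01\x00\x01"))
    alg = _der_tlv(0x30, _der_tlv(0x06, RSA_OID) + _der_tlv(0x05, b""))
    return _der_tlv(0x30, alg + _der_tlv(0x03, b"\x00" + rsa_pub))


def parse_dkim_tags(txt_strings) -> dict:
    """Join the TXT character-strings (providers split long keys) and parse tag=value pairs."""
    tags = {}
    for part in "".join(txt_strings).split(";"):
        if part.strip():
            k, _, v = part.partition("=")
            tags[k.strip()] = re.sub(r"\s+", "", v)    # whitespace inside p= is legal and ignored
    return tags


def check_dkim_record(selector: str, domain: str, txt_strings, min_bits: int = 2048) -> dict:
    """Validate what is published at selector._domainkey.domain."""
    tags = parse_dkim_tags(txt_strings)
    problems, bits = [], 0
    if tags.get("v", "DKIM1") != "DKIM1":              # v= is optional; if present it must be DKIM1
        problems.append("v tag is not DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k tag is not rsa")
    p = tags.get("p")
    if not p:
        problems.append("p tag empty or missing: key revoked or not published")
    else:
        try:
            bits = rsa_modulus_bits(base64.b64decode(p, validate=True))
        except Exception as exc:                       # bad base64 or bad DER
            problems.append(f"p tag is not a valid RSA public key: {exc}")
        if bits and bits < min_bits:
            problems.append(f"modulus is {bits} bits, below {min_bits}")
    return {"name": f"{selector}._domainkey.{domain}", "bits": bits, "problems": problems}


def selector_matches(dkim_signature: str, selector: str, domain: str) -> bool:
    """True if a DKIM-Signature header's s= and d= tags point at the record being checked."""
    tags = parse_dkim_tags([dkim_signature])
    return tags.get("s") == selector and tags.get("d") == domain


def rotation_plan(switch_date: date, overlap_days: int = 30) -> dict:
    """Overlap pattern: the old record stays in DNS 14 to 30 days after signing switches."""
    if not 14 <= overlap_days <= 30:
        raise ValueError("overlap window must be 14 to 30 days")
    return {"switch_signing": switch_date,
            "remove_old_record": switch_date + timedelta(days=overlap_days),
            "next_rotation": switch_date + timedelta(days=365)}


# Constructed record for sf2024._domainkey.sending-domain.com, split into 255-octet strings as a provider would.
DEMO_TXT = "v=DKIM1; k=rsa; p=" + base64.b64encode(build_demo_spki(2048)).decode()
DEMO_TXT_STRINGS = [DEMO_TXT[i:i + 255] for i in range(0, len(DEMO_TXT), 255)]

if __name__ == "__main__":
    print(check_dkim_record("sf2024", "sending-domain.com", DEMO_TXT_STRINGS))
    print(rotation_plan(date(2024, 1, 15)))
```

Run this against the live record once Salesforce reports the key Active and again at each rotation; an empty `p=` from the checker after the overlap window is the expected state for the retired selector, while an empty `p=` for the active selector is the silent failure the monitoring step is meant to catch.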
- Key size: 1024-bit (legacy) or 2048-bit (modern recommended).
- Selector: short string identifying the key in DNS. Date-based selectors support rotation tracking.
- DNS record type: CNAME or TXT depending on DNS provider preference.
- BYOK: import externally-generated keys for strict key management compliance.
- Rotation cadence: annually is typical; per compliance schedule.
- Key rotation without the overlap window can produce inbox delivery issues for in-flight emails. Always overlap old and new keys for 14 to 30 days.
- 2048-bit public keys may exceed single-TXT-record DNS limits. Modern DNS providers handle this; older providers may require record splitting.
- Selector must match between the DKIM-Signature header and the DNS record. Mismatched selectors produce DKIM verification failures.
- DKIM Keys configuration alone is not enough. Pair with deliverability monitoring; keys can break silently in production.
- BYOK requires careful key custody. The customer holds the private key source; mistakes in import produce keys Salesforce cannot use.
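The monitoring the last two caveats call for comes from DMARC aggregate (RUA) reports. The following is an added example (not Salesforce code or any DMARC vendor's tooling) that reads the standard aggregate XML with the standard library, computes the aligned DKIM pass rate per reporting organisation, flags providers that fall under a threshold, and totals the volume still being attributed to a selector other than the active one, which is the signal that an old key is still signing or the switch never happened. The two reports are constructed, with made-up org names, IPs and counts.

```python
"""DKIM pass rate per receiving provider from DMARC aggregate reports (added example, not Salesforce code).
The two reports below are CONSTRUCTED: org names, IPs, counts and report ids are made up."""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORTS = [
    """<feedback>
  <report_metadata><org_name>receiver-a.example</org_name><report_id>1001</report_id></report_metadata>
  <policy_published><domain>sending-domain.com</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>198.51.100.10</source_ip><count>900</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>sending-domain.com</header_from></identifiers>
    <auth_results><dkim><domain>sending-domain.com</domain><selector>sf2024</selector><result>pass</result></dkim></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.11</source_ip><count>100</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>sending-domain.com</header_from></identifiers>
    <auth_results><dkim><domain>sending-domain.com</domain><selector>sf2023</selector><result>fail</result></dkim></auth_results>
  </record>
</feedback>""",
    """<feedback>
  <report_metadata><org_name>receiver-b.example</org_name><report_id>2002</report_id></report_metadata>
  <policy_published><domain>sending-domain.com</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>198.51.100.10</source_ip><count>480</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>sending-domain.com</header_from></identifiers>
    <auth_results><dkim><domain>sending-domain.com</domain><selector>sf2024</selector><result>pass</result></dkim></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.12</source_ip><count>20</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>sending-domain.com</header_from></identifiers>
    <auth_results><dkim><domain>sending-domain.com</domain><selector>sf2023</selector><result>fail</result></dkim></auth_results>
  </record>
</feedback>""",
]


def parse_report(xml_text: str) -> list:
    """Flatten one aggregate report into rows of org, count, aligned DKIM result and selectors seen."""
    root = ET.fromstring(xml_text)
    org = root.findtext("report_metadata/org_name") or "unknown"
    rows = []
    for rec in root.iter("record"):
        rows.append({
            "org": org,
            "count": int(rec.findtext("row/count") or 0),
            "dkim": rec.findtext("row/policy_evaluated/dkim") or "none",   # aligned DKIM verdict
            "selectors": [d.findtext("selector") or "" for d in rec.findall("auth_results/dkim")],
        })
    return rows


def dkim_pass_rates(reports) -> dict:
    """Percentage of messages with an aligned DKIM pass, per reporting organisation."""
    totals = defaultdict(lambda: [0, 0])                # org -> [passed, total]
    for xml_text in reports:
        for row in parse_report(xml_text):
            totals[row["org"]][1] += row["count"]
            if row["dkim"] == "pass":
                totals[row["org"]][0] += row["count"]
    return {org: round(100.0 * passed / total, 1) for org, (passed, total) in totals.items() if total}


def providers_below(rates: dict, threshold: float = 95.0) -> list:
    """Providers whose DKIM pass rate is under the threshold: the silent-breakage alert."""
    return sorted(org for org, rate in rates.items() if rate < threshold)


def stale_selector_volume(reports, active_selector: str) -> int:
    """Messages whose DKIM result cites a selector other than the one that should be signing."""
    return sum(row["count"]
               for xml_text in reports
               for row in parse_report(xml_text)
               if row["selectors"] and active_selector not in row["selectors"])


if __name__ == "__main__":
    rates = dkim_pass_rates(SAMPLE_REPORTS)
    print(rates, providers_below(rates), stale_selector_volume(SAMPLE_REPORTS, "sf2024"))
```

The threshold is an assumption to tune per provider; what matters for the rotation step is the trend, since a pass rate that drops at the same time the stale-selector volume rises points at the key switch, not at the receiving provider.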