DKIM Keys
DKIM Keys in Salesforce is the Setup area where administrators manage the DomainKeys Identified Mail cryptographic keys the platform uses to sign outbound email.
Definition
Each DKIM key is an RSA public/private pair: Salesforce holds the private key and uses it to sign outbound email from the configured domain; the customer publishes the matching public key in DNS so receiving mail servers can verify the signature without any shared secret. The page lets admins create new keys, view active keys, rotate keys, and import keys generated externally (Bring Your Own Key, for orgs with strict key-management policies).
Why DKIM Keys are the cryptographic foundation of outbound email authentication
DKIM Keys exist because email authentication is the foundation of modern outbound deliverability. Receiving mail providers (Gmail, Outlook, Yahoo) check DKIM signatures on inbound mail, and Gmail's and Yahoo's 2024 bulk-sender requirements mandate DKIM alongside SPF and DMARC. Mail with no valid DKIM signature is left relying on SPF alone, which breaks whenever the message is forwarded, and mail that then fails DMARC is quarantined or rejected according to the domain's published policy. Without DKIM, the org's outbound email authenticates poorly and inbox delivery rates drop sharply. The DKIM Keys page is where the cryptographic foundation is configured; the Authorized Email Domains setup wires the keys to specific sending domains.
Where DKIM Keys live in setup
Setup, Email, DKIM Keys. The page lists every DKIM key configured in the org with its selector (the DNS subdomain identifier, like sf2024), the associated sending domain, the active status, and the key size (1024-bit RSA or 2048-bit RSA). New Key generates a fresh key pair; the public key value is displayed for the admin to copy into DNS. Once the DNS record is verified, the key becomes active and Salesforce starts signing outbound email with the private key.
How DKIM signing works at runtime
For every outbound email from a DKIM-configured domain, Salesforce canonicalizes the message, hashes the body (the bh= tag), then hashes the selected headers together with the DKIM-Signature header itself (with an empty b= tag) and signs that hash with the private key. The resulting DKIM-Signature header carries the signature (b=), the list of signed headers (h=), the signing domain (d=) and the selector (s=); d= and s= together are the public key locator. The receiving mail server reads the header, fetches the public key from DNS at selector._domainkey.domain, recomputes both hashes and checks the signature. A pass means the signed headers and body are unchanged since they were signed by a holder of the domain's private key; a failure or missing signature means the mail may be spoofed or was altered in transit. Because the check is cryptographic rather than IP-based, a correctly signed email passes DKIM regardless of routing path, with one caveat: an intermediary that rewrites signed content (mailing-list footers, subject tags) breaks the signature, so not every DKIM failure in a report is a misconfiguration on the sending side.
The selector and the DNS record pattern
Each DKIM key has a selector: a short string (typically date-based, like sf2024) that identifies the key in DNS. The DNS record location is selector._domainkey.sending-domain.com. For a sending domain of acme.com with selector sf2024, the record is sf2024._domainkey.acme.com, published either as a TXT record that carries the public key itself (v=DKIM1; k=rsa; p=...) or as a CNAME that aliases that name to a record the key provider hosts; a CNAME points at another DNS name, never directly at the key value. Multiple keys can coexist under different selectors; rotation introduces a new selector while the old one stays published for a transition window. The selector is what links an email's signature to the right public key, so a signature whose s= tag names a selector with no DNS record fails verification outright.
Key size: 1024 vs 2048 bit
Salesforce supports 1024-bit and 2048-bit RSA DKIM keys. 1024-bit is the historical default; 2048-bit is the current recommendation (RFC 8301 sets 1024 bits as the minimum a signer may use and recommends 2048, and 1024-bit RSA sits below modern strength targets). The practical obstacle is DNS, not Salesforce: a 2048-bit public key base64-encodes to roughly 400 characters, longer than the 255-byte limit of a single TXT character-string. DNS handles this by allowing several character-strings in one TXT record, which resolvers concatenate in order, but some DNS provider UIs expose only a single string or mangle the split. Modern DNS providers handle 2048-bit cleanly. Default to 2048-bit for new keys unless DNS infrastructure constraints genuinely require 1024-bit, and treat any remaining 1024-bit key as a rotation candidate.
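The record-name pattern from the previous section and the TXT-length problem above are easy to see in code. The following Go program is an added example, not code from this page or from Salesforce: it generates a key of each size, renders the DNS record body Salesforce would display, splits it into the 255-byte character-strings a DNS zone stores, and parses the strings back the way a verifier does, reporting the key size it recovered. The selector and domain are constructed; a real verifier fetches the strings from DNS rather than a local slice.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// dkimRecordName is the DNS owner name a verifier queries: selector._domainkey.<signing domain>.
func dkimRecordName(selector, domain string) string {
	return selector + "._domainkey." + domain
}

// txtStrings splits a TXT value into the <=255-byte character-strings DNS allows per record.
// Providers that expose only a single string are the ones that choke on 2048-bit keys.
func txtStrings(value string) (out []string) {
	for ; len(value) > 255; value = value[255:] {
		out = append(out, value[:255])
	}
	return append(out, value)
}

// dkimTXT renders the public key as the DKIM record body: v=DKIM1; k=rsa; p=<base64 SPKI DER>.
func dkimTXT(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der), nil
}

// inspectRecord does what a verifier does with the strings it gets back from DNS: concatenate
// them in order, pull out p=, parse the key, and report its modulus size in bits.
func inspectRecord(strs []string) (int, error) {
	rec := strings.Join(strs, "")
	if !strings.HasPrefix(rec, "v=DKIM1") {
		return 0, errors.New("not a DKIM record: " + rec)
	}
	parts := strings.SplitN(rec, "p=", 2)
	if len(parts) != 2 {
		return 0, errors.New("record has no p= tag")
	}
	der, err := base64.StdEncoding.DecodeString(strings.TrimSpace(strings.Split(parts[1], ";")[0]))
	if err != nil {
		return 0, fmt.Errorf("p= is not valid base64 (truncated copy/paste?): %w", err)
	}
	k, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return 0, err
	}
	pub, ok := k.(*rsa.PublicKey)
	if !ok {
		return 0, errors.New("p= is not an RSA key")
	}
	return pub.N.BitLen(), nil
}

// recordFor generates a key of the given size and returns the record name, the TXT strings
// the DNS entry needs, and the key size recovered by parsing those strings back.
func recordFor(bits int, selector, domain string) (name string, strs []string, parsedBits int, err error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return "", nil, 0, err
	}
	rec, err := dkimTXT(&key.PublicKey)
	if err != nil {
		return "", nil, 0, err
	}
	strs = txtStrings(rec)
	parsedBits, err = inspectRecord(strs)
	return dkimRecordName(selector, domain), strs, parsedBits, err
}

func main() {
	for _, bits := range []int{1024, 2048} {
		name, strs, parsed, err := recordFor(bits, "sf2024", "acme.example") // constructed names
		fmt.Printf("%s: %d-bit key -> %d TXT string(s), parses back as %d-bit (err=%v)\n",
			name, bits, len(strs), parsed, err)
	}
}
```

A 1024-bit key fits in one character-string (about 234 bytes including the v= and k= tags); a 2048-bit key needs two. If a provider's UI shows the record as a single quoted string longer than 255 bytes, or the pasted value was wrapped mid-base64, inspectRecord is the check that fails before you waste a propagation window.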
Key rotation and the overlap pattern
DKIM keys should rotate periodically (annually is typical for compliance). Rotation generates a new key with a new selector, publishes the new public key in DNS and confirms it resolves, switches Salesforce signing to the new key, leaves the old public key published for a transition window (typically 14 to 30 days), then removes the old DNS record. The order matters: publish before switching, so no email is ever signed with a key that DNS does not yet serve. The overlap window lets receiving providers verify mail that was signed with the old key but is still in transit, queued, or being re-verified after forwarding, while new mail verifies against the new selector. Removing the old record too early makes that in-flight mail fail DKIM, and under a DMARC quarantine or reject policy it can land in spam or bounce.
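To make the runtime flow from "How DKIM signing works at runtime" and the rotation overlap above concrete, here is an added Go example; it is not Salesforce's code (Salesforce's signing pipeline is not visible to customers) and not from this page. It signs a message with a simplified RFC 6376 scheme, verifies it against a key store that stands in for DNS, and walks the four rotation steps in order. The domain, selectors, addresses and message are constructed; the canonicalization is a reduced form of relaxed/simple and only From, To and Subject are signed, so this is a model of the protocol, not a drop-in DKIM library.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// keyStore stands in for DNS: selector._domainkey.domain -> published public key.
// (Encoding the key as a TXT record is a separate step; the zone here already holds parsed keys.)
type keyStore map[string]*rsa.PublicKey

var signedHeaders = []string{"from", "to", "subject"} // the h= list: what the signature covers
var b64 = base64.StdEncoding

func dkimRecordName(selector, domain string) string { return selector + "._domainkey." + domain }

// tags parses the "k=v; k=v" list of a DKIM-Signature header value.
func tags(s string) map[string]string {
	m := map[string]string{}
	for _, t := range strings.Split(s, ";") {
		if kv := strings.SplitN(strings.TrimSpace(t), "=", 2); len(kv) == 2 {
			m[kv[0]] = strings.TrimSpace(kv[1])
		}
	}
	return m
}

// bodyHash: "simple" body canonicalization (exactly one trailing CRLF), then SHA-256, base64.
func bodyHash(body string) string {
	h := sha256.Sum256([]byte(strings.TrimRight(body, "\r\n") + "\r\n"))
	return b64.EncodeToString(h[:])
}

// headerHash: reduced "relaxed" header canonicalization (lowercase names, whitespace collapsed)
// over the h= headers, then the DKIM-Signature header itself with b= left empty.
func headerHash(hdrs map[string]string, sigEmptyB string) []byte {
	h := sha256.New()
	for _, n := range signedHeaders {
		fmt.Fprintf(h, "%s:%s\r\n", n, strings.Join(strings.Fields(hdrs[n]), " "))
	}
	fmt.Fprintf(h, "dkim-signature:%s", strings.Join(strings.Fields(sigEmptyB), " "))
	return h.Sum(nil)
}

// sign is the sender side: bh= binds the body, b= is RSA-SHA256 (PKCS#1 v1.5) over the
// canonicalized headers, and d=/s= tell the verifier which DNS name holds the public key.
func sign(hdrs map[string]string, body, domain, selector string, priv *rsa.PrivateKey) (string, error) {
	unsigned := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(signedHeaders, ":"), bodyHash(body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, headerHash(hdrs, unsigned))
	if err != nil {
		return "", err
	}
	return unsigned + b64.EncodeToString(sig), nil
}

// verify is the receiver side; nil means DKIM pass. The key is located by s=/d= from the header
// and never supplied by the message, which is why a missing or stale DNS record fails the mail.
func verify(zone keyStore, hdrs map[string]string, body, sigValue string) error {
	t := tags(sigValue)
	pub, ok := zone[dkimRecordName(t["s"], t["d"])]
	if !ok {
		return errors.New("no DKIM record at " + dkimRecordName(t["s"], t["d"]))
	}
	if bodyHash(body) != t["bh"] {
		return errors.New("bh= mismatch: body changed after signing")
	}
	sig, err := b64.DecodeString(t["b"])
	if err != nil {
		return err
	}
	sigEmptyB := sigValue[:strings.LastIndex(sigValue, "; b=")+4] // the header exactly as the signer hashed it
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, headerHash(hdrs, sigEmptyB), sig)
}

// rotationScenario walks the overlap pattern and returns three results (nil = DKIM pass): old-key
// mail during the overlap, new-key mail after cutover, old-key mail once the old record is pulled.
func rotationScenario() (oldDuringOverlap, newAfterCutover, oldAfterRemoval error) {
	const domain = "acme.example" // constructed; an org would use its Authorized Email Domain
	oldKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	newKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	hdrs := map[string]string{"from": "billing@" + domain, "to": "cust@example.net", "subject": "Your invoice"}
	body := "Hello\r\n"
	zone := keyStore{dkimRecordName("sf2023", domain): &oldKey.PublicKey}
	inFlight, _ := sign(hdrs, body, domain, "sf2023", oldKey) // sent just before the cutover
	zone[dkimRecordName("sf2024", domain)] = &newKey.PublicKey // 1. publish the new record first
	fresh, _ := sign(hdrs, body, domain, "sf2024", newKey)     // 2. then switch signing to it
	oldDuringOverlap = verify(zone, hdrs, body, inFlight)      // 3. overlap: old mail still passes
	newAfterCutover = verify(zone, hdrs, body, fresh)
	delete(zone, dkimRecordName("sf2023", domain))       // 4. remove the old record after the window
	oldAfterRemoval = verify(zone, hdrs, body, inFlight) // done too early, this is the failure users see
	return
}

func main() { fmt.Println(rotationScenario()) }
```

The last verify call is the whole argument for the overlap window: the message was signed correctly, the new key is healthy, and the mail still fails because the only thing the verifier has to go on is the s= tag it was given at signing time. The same verify function also shows why DKIM survives forwarding (nothing in it depends on the sending IP) and why a rewritten body or From header does not.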
Bring Your Own DKIM Key
For orgs with strict key management requirements (customer-held keys for compliance), Salesforce supports importing externally generated DKIM keys. The admin generates the key pair in their own KMS or HSM, publishes the public key in DNS, and imports the key pair into Salesforce so the platform can sign with it. Be clear about what BYOK does and does not change: Salesforce still needs the private key at send time to produce signatures, so the pattern governs who generates and retains the master copy of the key, not whether Salesforce holds a usable copy. The pattern is similar to Shield Platform Encryption BYOK: the customer holds the source, Salesforce uses the key for signing. Most orgs use Salesforce-generated keys; BYOK is for compliance contexts that specifically require it, and it adds the custody burden of moving a private key between systems without exposing it.
Audit, monitoring, and the deliverability connection
The DKIM Keys page is the configuration; deliverability monitoring (DMARC aggregate reports, Test Deliverability) is where the keys' impact is visible. Sustained high DKIM pass rates in DMARC aggregate reports indicate the keys are working. Drops in pass rate signal key misconfiguration, DNS issues, or rotation problems, and the per-record selector field in the report tells you which key the failing mail was signed with. Pair the DKIM Keys page with deliverability monitoring; configuration alone is not enough. The usual causes of outbound deliverability incidents are DKIM-related (key deactivated, DNS record dropped, selector mismatch), and monitoring catches them before users complain.
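Aggregate reports are XML (RFC 7489, Appendix C), so the monitoring described above can be automated. The Go program below is an added example, not from this page or from any DMARC tooling: it parses one report, computes the DKIM pass rate, tallies passes per selector, and flags selectors that signed mail for the domain but are not in the active set, which is the rotation-gone-wrong signal to watch for. The report is constructed (the reporting org, IPs, counts and selectors are all made up); a real one arrives compressed at the rua= address in the domain's DMARC record.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"sort"
)

// Minimal view of an RFC 7489 aggregate (rua) report: only the fields this summary needs.
type aggregateReport struct {
	OrgName string   `xml:"report_metadata>org_name"`
	Domain  string   `xml:"policy_published>domain"`
	Records []record `xml:"record"`
}

type record struct {
	SourceIP  string     `xml:"row>source_ip"`
	Count     int        `xml:"row>count"`
	DKIMEval  string     `xml:"row>policy_evaluated>dkim"` // aligned DKIM result: pass or fail
	DKIMAuths []dkimAuth `xml:"auth_results>dkim"`        // every signature the receiver checked
}

type dkimAuth struct {
	Domain   string `xml:"domain"`
	Selector string `xml:"selector"`
	Result   string `xml:"result"`
}

// summary is what an operator wants from one report: the pass rate and which selectors carried
// the mail, so a stale or unknown selector after a rotation stands out immediately.
type summary struct {
	Total, DKIMPass int
	BySelector      map[string]int // messages per selector that produced a pass for our domain
	Unexpected      []string       // selectors used for our domain that are not in the active set
}

func (s summary) passRate() float64 {
	if s.Total == 0 {
		return 0
	}
	return float64(s.DKIMPass) / float64(s.Total)
}

// summarize parses one report and tallies DKIM results against the selectors that should be live.
func summarize(reportXML []byte, domain string, activeSelectors ...string) (summary, error) {
	var rep aggregateReport
	if err := xml.Unmarshal(reportXML, &rep); err != nil {
		return summary{}, err
	}
	active := map[string]bool{}
	for _, sel := range activeSelectors {
		active[sel] = true
	}
	s := summary{BySelector: map[string]int{}}
	seen := map[string]bool{}
	for _, r := range rep.Records {
		s.Total += r.Count
		if r.DKIMEval == "pass" {
			s.DKIMPass += r.Count
		}
		for _, a := range r.DKIMAuths {
			if a.Domain != domain {
				continue // signatures by other domains (forwarders, list servers) are not ours
			}
			if a.Result == "pass" {
				s.BySelector[a.Selector] += r.Count
			}
			if !active[a.Selector] && !seen[a.Selector] {
				seen[a.Selector] = true
				s.Unexpected = append(s.Unexpected, a.Selector)
			}
		}
	}
	sort.Strings(s.Unexpected)
	return s, nil
}

// Constructed sample report: 1000 messages, most signed with the current selector, some still
// carrying last year's selector whose record was already removed, and one forwarded batch that
// also carries a third-party signature that must not count for our domain.
const sampleReport = `<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>mail.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>acme.example</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>850</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>acme.example</header_from></identifiers>
    <auth_results><dkim><domain>acme.example</domain><selector>sf2024</selector><result>pass</result></dkim></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.11</source_ip><count>120</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>acme.example</header_from></identifiers>
    <auth_results><dkim><domain>acme.example</domain><selector>sf2023</selector><result>permerror</result></dkim></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.5</source_ip><count>30</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>acme.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>acme.example</domain><selector>sf2024</selector><result>pass</result></dkim>
      <dkim><domain>lists.example</domain><selector>lst</selector><result>pass</result></dkim>
    </auth_results>
  </record>
</feedback>`

func main() {
	s, err := summarize([]byte(sampleReport), "acme.example", "sf2024")
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d messages, DKIM pass rate %.1f%%, passes by selector %v, unexpected selectors %v\n",
		s.Total, 100*s.passRate(), s.BySelector, s.Unexpected)
}
```

On this report the pass rate is 88% and the 12% of failures all cite sf2023: mail is still going out under a selector whose DNS record is gone, which is the signature of a rotation where signing was not actually switched or a second sending system was missed. The forwarded batch still passes DKIM despite failing SPF, which is the forwarding resilience the runtime section describes.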
How to set up, rotate, and operate DKIM Keys
The pattern: generate a 2048-bit key, publish the public key to DNS, verify activation, rotate annually with the overlap pattern. The setup is one-time per domain; the rotation is recurring; the deliverability monitoring is continuous.
- Open Setup, Email, DKIM Keys
The page lists existing keys and provides New Key for creation.
- Click New Key for the sending domain
Pick the sending domain (must be registered through Authorized Email Domains first). Pick 2048-bit RSA. Pick a date-based selector (sf2024, sf-2024-q1).
- Copy the public key value and publish to DNS
The page displays the public key. Publish it at selector._domainkey.sending-domain.com as the record type the page calls for: a TXT record carrying the key value, or a CNAME when the page gives you a target hostname to alias to. Copy the value exactly; a truncated or line-wrapped paste produces a record that never verifies.
- Wait for DNS propagation and verify activation
Propagation typically takes 15 minutes to a few hours, bounded by the zone's TTL and by negative caching of any earlier failed lookups. Confirm the record resolves from a public resolver before expecting verification to succeed. Salesforce then verifies the DNS record and marks the key Active, and outbound email from the domain is DKIM-signed automatically.
- Monitor DMARC reports for DKIM pass rates
DMARC aggregate reports show DKIM pass percentage per receiving provider. Sustained high pass rates confirm the key is working.
- Plan annual rotation with the overlap pattern
Generate the new key, publish its record to DNS, confirm the new record resolves, switch Salesforce signing to it, leave the old key in DNS for 14 to 30 days, then remove the old DNS record after the overlap window.
- Document the rotation cadence in the cert-management inventory
DKIM keys belong in the cryptographic-material rotation inventory alongside TLS certificates. The inventory catches rotation lapses.
- Key size: 1024-bit (legacy) or 2048-bit (modern, recommended).
- Selector: short string identifying the key in DNS. Date-based selectors support rotation tracking.
- DNS record type: CNAME or TXT depending on DNS provider preference.
- Bring Your Own Key: import externally generated keys for strict key-management compliance.
- Rotation cadence: annually is typical; per compliance schedule.
- Key rotation without the overlap window can produce inbox delivery issues for in-flight emails. Always overlap old and new keys for 14 to 30 days.
- A 2048-bit public key is longer than one 255-byte TXT character-string. DNS allows several strings in one TXT record and modern providers split the value automatically; older providers may require manual splitting or reject the record outright.
- The selector in the DKIM-Signature header's s= tag must match the DNS record name. A mismatched or missing selector produces DKIM verification failures on every message signed with that key.
- DKIM Keys configuration alone is not enough. Pair with deliverability monitoring; keys can break silently in production.
- BYOK requires careful key custody. The customer holds the private key source; mistakes in import produce keys Salesforce cannot use.
Trust & references
Cross-checked against the following references.
- DKIM Keys reference (Salesforce)
- RFC 6376: DomainKeys Identified Mail (DKIM) Signatures (IETF)
Straight from the source - Salesforce's reference material on DKIM Keys.
- DKIM Keys (Salesforce Help)
- Authorized Email Domains (Salesforce Help)
- Email Deliverability (Salesforce Help)
About the Author
Dipojjal Chakrabarti is a B2C Solution Architect with 29 Salesforce certifications and over 13 years in the Salesforce ecosystem. He runs salesforcedictionary.com to help admins, developers, architects, and cert/interview candidates sharpen their fundamentals. More about Dipojjal.
Test your knowledge
Q1. What is the primary benefit of DKIM Keys for Salesforce administrators?
Q2. In which area of Salesforce would you typically find DKIM Keys?
Q3. Can a Salesforce admin configure DKIM Keys without writing code?