If your Salesforce instance is configured to send email messages on your behalf using your domain, and those messages end up being filtered or even blocked as spam, you need to properly configure email settings within Salesforce and DKIM and SPF records using your DNS provider. These settings will add proper authentication headers to your email messages, which allow receiving email servers and spam protection filters to identify such messages as legit communications coming from you via an authorized email provider.
Note: old vs new setup for DKIM and SPF in Salesforce
Salesforce made changes to how they handle DKIM records and made them enforced in the Winter ’20 release, the changes went live in October 2019. With this change, they’re giving you CNAME records instead of the DKIM keys, and they manage the DKIM keys for you (see more info here). This guide describes the configuration steps for the new way (using CNAME, not public and private DKIM keys like it was done prior to Winter 2020 release).
If you have old DKIM keys created prior to October 2019, you would need to deactivate those and create new ones instead. Old setup would look similar to this:
Why Salesforce generated emails need special SPF and DKIM configuration
What is DKIM record and why you need it:
DKIM (DomainKeys Identified Mail) is a security and spam prevention measure. It creates a unique signature for all your outgoing mail using an asymmetric cryptography method. This allows the receiving mail server to verify that the email is actually being sent from your domain, even if it’s generated by a 3rd party service such as Salesforce. It, basically, tells receiving mail server something like “This message was actually sent from exampledomain.com, not from someone pretending to be exampledomain.com”.
What is SPF record and why you need it:
SPF (Sender Policy Framework) is another security and spam protection measure and email authentication technique that is used against email spoofing. Using SPF you can specify which hosts are allowed to send email on your behalf. This record tells receiving mail servers “This message was sent from a hostname/ IP address authorized by exampledomain.com to send messages for this domain”. So, even if someone has your DKIM key and send properly signed messages on your behalf, that mail would be invalid without you explicitly allowing authorizing them by creating an SPF DNS record pointing to their domain.
Steps to configure DKIM and SPF for Salesforce:
Adding DKIM record
Creating new key
- In Salesforce – go to the “Setup” menu and got to Email and then DKIM Keys in the Administration menu.
- Click “Create new key” button
- Fill in the fields: choose the key size or leave at default (1024), add unique selector (make sure you don’t have any DKIM keys with this selector) – this can be something like “salesforcekey”, add alternative selector (salesforce will use this one for keys rotation – an additional layer of security) – this can be something like “salesforcealtkey”, domain you want Salesforce to be sending email from (e.g. “exampledomain.com“), domain match (exact match if all emails will be sent from the main domain, or options that include subdomains if you’re going to be sending email from the subdomains e.g. “mail.exampledomain.com” as well).
- Click “Save”
- Salesforce will create and post DKIM records for you (you won’t need to add these to your own DNS settings) and then give you 2 CNAME records that you’ll need to add to your DNS provider instead. This way they can fully control and rotate DKIM keys without needing you to do any adjustments in your settings or DNS, you need to only add that CNAME once to point to them as a domain name key publisher.
Adding CNAME record
- Log in to your DNS server/provider (it can be your website host such as Dreamhost, GoDaddy, AWS or a 3rd party provider) and find a way to create new CNAME record there (steps will be different for different providers, but most of them have help pages explaining the steps and/or you can contact their support team and ask fr help and guidance)
- Copy the CNAME records Salesforce gave you in step 5 above and add then as 2 separate lines/records in the CNAME records lists on your DNS host and save.
- Give it a few minutes to propagate the changes, then go back to Salesforce and refresh the page. If/when new settings have fully propagated and you did all the steps right, you should see that the “Activate” button on the bottom of the screen is now active. Click “Activate”.
- You should see that your new DKIM setting is now active.
Adding SPF record
After you set up the DKIM, Salesforce would be able to send email from your domain signed with your signature, but this doesn’t limit this ability only to your own Salesforce instance. You need to create an SPF record that would authorize only your instance to be sending email on your behalf.
- Go back to your DNS provider and find a section that allows you to edit TXT records.
- If you don’t have any SPF records yet (look in the second column – SPF records would start with ” v=spf1 “), add a new one. Put your domain e.g. exampledomain.com in the first column and v=spf1 include:_spf.salesforce.com -all in the second column (you can add other records to this “include” list later).
- If you already have SPF records set up – just add include:_spf.salesforce.com to the list of hostnames / IP addresses that are already authorized.
- Save the changes.
- Give it a few minutes to propagate.
How to test and verify:
You can test and verify if all the settings are correct and if your Salesforce DKIM and SPF records are valid by looking at incoming email headers. In order to do it, send an email from within Salesforce to your personal email and find the email headers for that message (here’s how to do it in Mail on Mac, and here’s the steps for Outlook). If everything is set up correctly, you should see it say “Authentication-Results: … some stuff here… spf=pass spfdomain=exampledomain.com dkim=pass dkdomain=exampledomain.com“.