You are using an older browser that might negatively affect how this site is displayed. Please update to a modern browser to have a better experience. Sorry for the inconvenience!

DKIM Key to avoid forged E-mails and avoid receiving E-mails from Salesforce as spam


DKIM (Domain Keys Identified Mail) is a feature used in Salesforce to sign outbound emails sent on your organization’s behalf. A valid signature in email gives recipients confidence that it was handled by a third party like Salesforce in an authorized way by respective organization.

How does it Work?

Sending Servers: 

There are some steps for signing an email with DKIM:

  1. The domain owner generates a public and private key pair to be used for signing outgoing messages.
  1. The public key is published in a DNS TXT record, and the private key is made available to the DKIM-enabled outbound email server.
  1. When an email is sent by an authorized user of the email server, the server uses the stored private key to generate a digital signature of the message, which is inserted in the message as a header, and the email is sent as normal.

Receiving Servers:

Sequence of steps happen while receiving emails:

  1. The DKIM-enabled receiving email server extracts the signature from the email headers.
  1. The public key is retrieved from the DNS system where we stored the key.
  1. The public key is used by the receiving mail system to verify that the signature was generated by the matching private key.
  1. A match effectively proves that the email was truly sent from, and with the permission of the claimed domain and that the message headers and content have not been altered during transit.
  1. The receiving email system applies local policies based on the results of the signature test. For example, the message might be deleted if the signature does not match.

How to Create DKIM Key in Salesforce: 

To create DKIM Key Go to-> Setup-> DKIM Keys. There would be two options:

Create a New Key: 

  1. Give unique name for the new key which distinguishes it from other keys in you org.
  1. Give domain name on behalf of which domain you are going to send out emails.
  1. Choose appropriate domain match,
  1. Exact domains only – cannot send emails on behalf the its sub domains.
  1. Subdomains only – can send emails on behalf of its sub domains but not on behalf of parent domain.
  1. Exact and Subdomain – can send emails on behalf of both parent and subdomains.
  1. Once we create DKIM key it generates public key and private key.

Import a Key: 

  1. This option is used to make use of the existing key in some other org in our org.

dkim key

Create DKIM Key: 

Public Key and Private Key has generated:

dkim key

How to Create DNS Record in Respective Domain: 

To create DNS record, go to your domain management area, link on manage domain and follow the below steps,

  1.  Create new record by giving following values,
  1. Name – unique name with suffix._domainkey
  1. Type – type must be TXT.
  1.  Target – (v=DKM1; k=rsa; p=your public key generated in salesforce).

Note:   v- Version; k- Key Type; p-Public Key

  1.  Click the Save button to create the DNS record.
  1.  To validate your DNS record, go to this (    site, paste your record details and check.
  1.  Finally, activate the DKIM Key in Salesforce.

dkim key

Create DNS record: 

dkim key

dkim key

Test the Key using online tool: 

dkim key

Activate DKIM Key in Salesforce:

dkim key

Here after, whenever we send emails from DKIM Key activated Salesforce Org, those emails will be checked for DKIM signature and do all the steps mentioned under Receiving Server section above.