DKIM Keys Control
A digital signature mechanism that validates that outbound emails originated from your Salesforce‑hosted org and have not been altered in transit, supporting email authenticity and spam‑filter enforcement.
Control Name
DKIM Keys
Control Overview
Digital signature mechanism that validates that outbound emails originated from your Salesforce‑hosted org and have not been altered in transit, supporting email authenticity and spam‑filter enforcement.
Description
DKIM (DomainKeys Identified Mail) uses a cryptographic key pair: Salesforce generates a private key stored in the org, and you publish a matching public key as a DNS TXT record; mail servers then verify signatures on emails sent from Salesforce (for example, notifications, marketing emails, or Apex‑driven messages).
Recommended Configuration
Set up DKIM Keys in 'Manage DKIM Keys' to sign outbound emails that your company sends. Create a key for each sending domain, generate the DNS record, publish it with your DNS provider, and activate the key in Salesforce after confirming propagation.
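As an added example for the "confirm propagation" step (not code from this page or from Salesforce), the Python below parses the TXT strings a resolver returns for a DKIM selector, validates the record's tags, and compares the published key with the one shown in Manage DKIM Keys; the selector/domain naming helper follows the standard DKIM layout, and the key material is constructed placeholder bytes, not a real key.

```python
import base64
import binascii

# Constructed sample: a DKIM TXT record as a resolver returns it, split into several
# quoted strings (long records are split). Key bytes are a placeholder, NOT a real key.
SAMPLE_KEY_B64 = base64.b64encode(b"constructed-placeholder-public-key-bytes").decode()
SAMPLE_TXT_STRINGS = ["v=DKIM1; k=rsa; ", "p=" + SAMPLE_KEY_B64[:20], SAMPLE_KEY_B64[20:]]

def dkim_record_name(selector: str, domain: str) -> str:
    """DNS name at which the TXT record must be published (RFC 6376 section 3.6.2.1)."""
    return f"{selector}._domainkey.{domain}"

def parse_dkim_record(txt_strings: list[str]) -> dict[str, str]:
    """Join the TXT strings and split the result into tag=value pairs (RFC 6376 section 3.6.1)."""
    tags: dict[str, str] = {}
    for part in "".join(txt_strings).split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing ';' is allowed
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip()] = "".join(value.split())  # whitespace inside values is ignored
    return tags

def check_dkim_record(txt_strings: list[str], expected_key_b64: str) -> list[str]:
    """Return the problems found; an empty list means the record is ready to activate."""
    try:
        tags = parse_dkim_record(txt_strings)
    except ValueError as exc:
        return [str(exc)]
    problems: list[str] = []
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional, but if present must be DKIM1
        problems.append(f"unexpected version tag v={tags['v']}")
    if tags.get("k", "rsa") != "rsa":  # k= defaults to rsa
        problems.append(f"unsupported key type k={tags['k']}")
    if "p" not in tags:
        problems.append("missing p= tag: no public key published")
    elif tags["p"] == "":
        problems.append("empty p= tag: key is revoked, verifiers will reject signatures")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except (binascii.Error, ValueError):
            problems.append("p= value is not valid base64")
        if tags["p"] != "".join(expected_key_b64.split()):
            problems.append("published key does not match the key shown in Manage DKIM Keys")
    return problems
```

Feed `check_dkim_record` the strings returned by your resolver for `dkim_record_name(selector, domain)` and only activate the key in Salesforce once it returns an empty list.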
Security Impact
Improves email trustworthiness, reduces deliverability problems, and helps prevent spammers or attackers from spoofing your domains and sending phishing messages that appear to come from Salesforce‑powered senders.
Business Impact
Enhances email deliverability and sender reputation, reduces the chance that legitimate emails land in spam folders, and supports brand‑protection and compliance messaging requirements.
Security Risk If Not Configured
Without DKIM signing of outbound email, receiving mail servers cannot verify that messages claiming to come from your domain were sent by your org, making it easier for attackers to forge such emails and increasing phishing and spoofing risk.
Threat Scenarios
Unsigned outbound mail fails recipient authentication checks, allowing email spoofing and phishing attacks; for example, attackers impersonate your org in password‑reset or billing alerts, tricking users into disclosing credentials or making fraudulent payments.
Estimated CVSS Score Range
High (7.0–8.9).
Risk Impact Considerations
Impact is higher for orgs that send notifications to customers, employees, or partners, and for sending domains used in sensitive workflows (finance, HR, customer support).
Higher Risk When
You use custom domains for outbound email, send high‑volume or high‑impact emails (marketing, alerts, contracts), or operate in sectors where email‑based fraud is common.
Low Risk When
You only use test or sandbox systems without external recipients, limit outbound email to internal notifications, or rely on a separate, tightly controlled email gateway.
Business and Integration Considerations
Strongly recommended for any production org sending outbound email. Coordinate with your DNS and email‑admin teams to ensure correct key rotation and DNS record maintenance.
Security Health Review Guidance
Strongly recommended.
Who Is Impacted
System admins responsible for email settings, IT security teams, email‑marketing or communications teams, and any stakeholders affected by email deliverability or brand‑fraud incidents.