Verify the Ownership of Email Sending Domains by DKIM Keys Control
Confirms that the Salesforce org is the legitimate owner of the domains used to send outbound email.
Control Name
Email Security - Deliverability (Select "Verify the ownership of email sending domains by DKIM keys").
Control Overview
Confirms that the Salesforce org is the legitimate owner of the domains used to send outbound email by binding those domains to cryptographic DKIM keys, which helps remote mail servers trust that messages genuinely originate from your company.
Description
When this setting is enabled, Salesforce requires that each outbound‑email domain have a valid DKIM key configured. Salesforce generates a key per domain, and the corresponding DNS record is published in your DNS zone to prove ownership and enable signature verification by receiving mail servers.
Recommended Configuration
Select "Verify the ownership of email sending domains by DKIM keys" in Setup > Email Administration > Deliverability or Email Security, then configure DKIM keys for each sending domain and publish the DNS records.
Security Impact
Increases the authenticity of your outbound email by providing cryptographic proof that messages were sent from authorized Salesforce‑backed domains, reducing the chance that attackers can spoof those domains or that legitimate email is marked as suspicious.
Business Impact
Improves email deliverability and sender reputation, reduces the likelihood that security‑conscious or compliance‑driven recipients will treat your messages as untrusted, and supports brand‑trust and regulatory‑compliance messaging.
Security Risk If Not Configured
When ownership of the org's email sending domains is not verified, attackers can more easily impersonate your domains, or receivers are less able to distinguish genuine Salesforce‑sent messages from spoofed ones.
Threat Scenarios
Attackers can craft phishing or spoofed emails that appear to come from your domains, tricking recipients into disclosing credentials, initiating fraudulent transactions, or treating untrusted messages as if they were legitimate Salesforce notifications.
Estimated CVSS Score Range
High (7.0–8.9).
Risk Impact Considerations
The impact is greater when the company uses customer‑facing or brand‑sensitive domains (for example, @company.com or @support.company.com) to send high‑volume or high‑impact transactional or marketing emails.
Higher Risk When
Multiple domains are used for outbound email, external parties rely heavily on email‑based workflows, or the organization is subject to strict data‑privacy or anti‑phishing regulatory expectations.
Low Risk When
Email volume is low, most outbound email is internal or already routed through a separate, tightly controlled email gateway, or the sending domains are generic internal‑only addresses not used externally.
Business and Integration Considerations
Coordinate with DNS and email‑admin teams to manage key‑rotation and DNS‑record maintenance, and verify that all active sending domains are covered before enabling.
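One way to run the coverage check described above before enabling the setting, as an added example that is not Salesforce's own code: it parses DKIM key records (RFC 6376 tag syntax) and reports every sending domain whose record is missing, revoked, or malformed. The domain inventory, selector names (`sf1`, `sf2`), key material, and zone snapshot are constructed assumptions; the snapshot stands for the resolved TXT answers after following any CNAME.

```python
import base64
import binascii

# Constructed placeholder key material, not a real RSA public key.
SAMPLE_P = base64.b64encode(b"constructed sample key bytes").decode()

# Hypothetical inventory of active sending domains -> DKIM selector.
SENDING = {"company.com": "sf1", "support.company.com": "sf1",
           "news.company.com": "sf2", "billing.company.com": "sf2"}

# Constructed snapshot of resolved TXT answers for <selector>._domainkey.<domain>.
ZONE = {
    "sf1._domainkey.company.com": f"v=DKIM1; k=rsa; p={SAMPLE_P}",
    "sf1._domainkey.support.company.com": "v=DKIM1; k=rsa; p=",
    "sf2._domainkey.billing.company.com": "v=DKIM1; p=not*base64",
}

def parse_tags(txt):
    """Split a DKIM key record into a {tag: value} dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def check_record(txt):
    """Return 'ok' or the reason receivers could not verify with this record."""
    if txt is None:
        return "missing"
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional and defaults to DKIM1
        return "bad version"
    if "p" not in tags:
        return "no public key tag"
    if tags["p"] == "":
        return "revoked"  # an empty p= marks the key as revoked
    try:
        base64.b64decode(tags["p"], validate=True)
    except binascii.Error:
        return "malformed key"
    return "ok"

def coverage(sending, zone):
    """Map each sending domain to the status of its DKIM key record."""
    return {d: check_record(zone.get(f"{s}._domainkey.{d}")) for d, s in sending.items()}

def uncovered(sending, zone):
    """Domains that still need a valid published key before enabling."""
    return sorted(d for d, st in coverage(sending, zone).items() if st != "ok")
```

An empty result from `uncovered` means every domain in the inventory has a syntactically valid key record; it does not confirm that the published key matches the one Salesforce generated.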
Security Health Review Guidance
Strongly recommended.
Who Is Impacted
System administrators, email‑marketing and communication teams, security and compliance teams, and external recipients who receive email from Salesforce‑based sending domains.

