
Best practices to set up DKIM

Publish date: Jul 10, 2024
Description
The new method for creating DKIM keys in Salesforce was introduced through the "Enable Redesigned DomainKeys Identified Mail (DKIM) Key Feature with Increased Email Security" critical update in our Winter '19 release. In the Winter '20 release this feature was implemented across all organizations.
 
Resolution


The considerations for setting up DKIM using the new method (increased security) as compared to the old method (public-private keys) are as follows:

 
  • Enter your email domain in the Domain setting, not your organization's My Domain name.
  • DKIM keys can no longer be imported from one Salesforce organization to another. This makes the process more secure.
  • After creating DKIM keys in Salesforce, the CNAME records should be published to the DNS.
  • Two keys cannot have the same selector value for the same domain, because this can prevent the new CNAME record from being published. In this scenario the DKIM records can be created but cannot be activated. Create the new DKIM keys with new, unique selectors.
  • Since DKIM keys can no longer be imported from one organization to another, if DKIM is implemented in a sandbox, the keys would have to be recreated following a sandbox refresh and the resulting CNAME record would have to be published to the DNS again.
  • There is no certificate that will expire. Existing keys will continue to work, but new keys have to be generated using the new method.
  • DKIM keys can also be generated using the API. This also adheres to the new method with increased security. The new CNAMEs generated this way still have to be published to the DNS. For more details, see EmailDomainKey.
  • Salesforce has only one DKIM key active at any one time, which means a dig, nslookup or similar check only returns the active primary or secondary key, depending on which key is active in the rotation at the time.
  • The "Activate" button for the DKIM key in Salesforce remains disabled unless Salesforce recognizes that the correct CNAME records have been published on the DNS.
  • For DKIM canonicalization we use "c=relaxed/simple", so header canonicalization is relaxed and body canonicalization is simple. This setting cannot be changed as of today.
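
What "c=relaxed/simple" means for a signed message, shown as an added example (not Salesforce code): the two canonicalization algorithms as defined in RFC 6376, run over a constructed message. SHA-256 body hashing and the sample relay changes are assumptions of the example.

```python
import base64
import hashlib
import re


def canon_header_relaxed(line: str) -> bytes:
    """Relaxed header canonicalization (RFC 6376, section 3.4.2)."""
    name, _, value = line.rstrip("\r\n").partition(":")
    name = name.strip().lower()                        # lowercase name, no WSP before ':'
    value = re.sub(r"\r\n(?=[ \t])", "", value)        # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" ")   # collapse WSP runs, trim both ends
    return f"{name}:{value}\r\n".encode()


def canon_body_simple(body: bytes) -> bytes:
    """Simple body canonicalization (RFC 6376, section 3.4.3)."""
    while body.endswith(b"\r\n"):   # only trailing empty lines are ignored
        body = body[:-2]
    return body + b"\r\n"           # body always ends with exactly one CRLF


def body_hash(body: bytes) -> str:
    """bh= value for the body, assuming a SHA-256 based signature."""
    digest = hashlib.sha256(canon_body_simple(body)).digest()
    return base64.b64encode(digest).decode()


# Constructed sample message (not taken from the article).
SIGNED_SUBJECT = "Subject: Your   case\r\n\thas been updated\r\n"
SIGNED_BODY = b"Hello,\r\n\r\nYour case was updated.\r\n\r\n\r\n"

# The same message after a hypothetical relay refolded the header,
# dropped the trailing blank lines, and (last variant) appended a footer.
RELAYED_SUBJECT = "SUBJECT : Your case has been updated  \r\n"
RELAYED_BODY_TRIMMED = b"Hello,\r\n\r\nYour case was updated.\r\n"
RELAYED_BODY_FOOTER = RELAYED_BODY_TRIMMED + b"-- \r\nScanned by gateway\r\n"

if __name__ == "__main__":
    same_header = canon_header_relaxed(SIGNED_SUBJECT) == canon_header_relaxed(RELAYED_SUBJECT)
    print("header still matches after refolding:", same_header)
    print("body hash after trailing blank lines removed:",
          body_hash(SIGNED_BODY) == body_hash(RELAYED_BODY_TRIMMED))
    print("body hash after footer appended:",
          body_hash(SIGNED_BODY) == body_hash(RELAYED_BODY_FOOTER))
```

When troubleshooting a failed signature, a body hash mismatch with intact headers points at something in the delivery path rewriting the body, since simple body canonicalization tolerates nothing beyond trailing empty lines.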


For the steps in creating DKIM keys in Salesforce, see Create a DKIM Key.

Additional resources

SPF and DKIM alignment fails

Unable to Activate the DKIM keys in Salesforce

Considerations for Creating DKIM Keys - see information about rotations and multiple DKIM key pairs

Salesforce Support YouTube video:
How to Setup DKIM Key

Knowledge article number

000381186

 