When you create a DomainKeys Identified Mail (DKIM) key in Salesforce for a specific domain, Salesforce publishes primary and alternate TXT records for the DKIM key in DNS (Domain Name System). Salesforce also shows CNAME records that the domain owner must publish in DNS. CNAME records must exist in DNS for the receiving mail servers to verify the DKIM signature on outgoing email.
For this reason, Salesforce does not allow a DKIM key to be marked active until Salesforce has verified that the CNAME records are properly published in DNS. If the CNAME records cannot be verified, the Activate button on the DKIM Key details page remains greyed out and is not selectable.
CNAME records may occasionally fail to resolve. There are many reasons why CNAME records may not be published correctly in the DNS for your domain.
The following are examples of common causes:
If third-party tools cannot resolve the CNAME records, Salesforce will likewise be unable to resolve the CNAME record. Work with your DNS provider to ensure the CNAME records are properly configured.
You can use the following third-party tools to help resolve your CNAME record's domain value. Salesforce recommends the following two tools:
If you are comfortable using a terminal session, you can also use the dig command as described below.
To verify whether the CNAME record for your DKIM key is resolvable, run a DNS query using the dig command in a terminal. The command queries the CNAME record associated with your DKIM selector name and domain.
The command format is: dig +noall +answer CNAME followed by your selector name, underscore, domainkey, and your domain name. For example, if your selector name is "myselector" and your domain is "example.com", the query is against "myselector._domainkey.example.com".
A successful query returns output showing your selector name mapped to the Salesforce custdkim domain. For example:
myselector._domainkey.example.com, with a TTL of 300 seconds and record type CNAME, points to myselector.XXXXXX.custdkim.salesforce.com.
If no results are returned, consult your DNS provider for help publishing the CNAME record.
After confirming the CNAME resolves, verify the TXT record. Run a DNS TXT query using the dig command against the same selector and domain combination.
A successful result returns two records: first, the CNAME record that the customer created; second, the aliased TXT record that Salesforce created containing the DKIM public key. The TXT record value looks like: v=DKIM1; p=cryptographic_representation_of_public_key.
Note: Screenshot showing a successful CNAME record lookup result on MX Toolbox, displaying the selector name resolving to the Salesforce custdkim domain (selectorname.XXXXXX.custdkim.salesforce.com).
Note: Screenshot showing a successful TXT record lookup result with two entries — the CNAME record created by the customer and the aliased TXT record created by Salesforce containing the DKIM1 public key.
Step 1: If your CNAME records do not appear on MX Toolbox despite being published correctly, consult your DNS provider's documentation. Cloudflare users should specifically check that their CNAME records are not set to be proxied — proxied CNAMEs are not visible externally.
Step 2: From Salesforce Setup, enter DKIM Keys in the Quick Find box, and then select DKIM Keys.
Step 3: Open the DKIM key that is not yet activated. Confirm that the Activate button is greyed out (not selectable).
Step 4: Verify that you created the DKIM key using the correct domain name, and that the CNAME records were published on the DNS for that same domain.
Step 5: From the DKIM Key details page, copy the first part of the main CNAME record. For example: selectorname._domainkey.domain.com.
Step 6: Open the MX Toolbox. Use the MX lookup tool to query the CNAME record from Step 5 and check whether it resolves to a value.
Step 7: Try to match the resolved value with the second part of the CNAME record shown in Salesforce. For example: selectorname.XXXXXX.custdkim.salesforce.com.
Step 8: Repeat Steps 5, 6, and 7 for the Alternate CNAME record to verify its value as well.
Step 9: If both the main and alternate CNAME records resolve and their values match, the Activate button should become available on the DKIM Key details page.
Note for Cloudflare users: An unsuccessful TXT lookup can occur when DNS is proxying. Check that your Cloudflare CNAME records are not set to Proxied.
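The comparison in Steps 5 through 8 and the TXT check can also be scripted against dig output. The following is an added example, not Salesforce code: the function names and the sample records (including the placeholder key text) are constructed for illustration, and it assumes the standard `dig +noall +answer` answer layout of owner, TTL, class, type, and value.

```shell
#!/bin/sh
# Added example: evaluates `dig +noall +answer` output for a DKIM selector.
# Function names and sample records are constructed for illustration.

# Lowercase a DNS name and drop the trailing root dot so values compare cleanly.
norm() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'; }

# cname_status NAME EXPECTED_TARGET   (dig answer text on stdin)
# Prints "match", "mismatch:<resolved value>", or "missing" (no CNAME answer,
# for example a record that is not published or is hidden behind a proxy).
cname_status() (
  name=$(norm "$1"); target=$(norm "$2")
  actual=$(awk -v n="$name" '
    { o = tolower($1); sub(/\.$/, "", o) }
    o == n && $4 == "CNAME" { t = tolower($5); sub(/\.$/, "", t); print t; exit }')
  if [ -z "$actual" ]; then echo "missing"
  elif [ "$actual" = "$target" ]; then echo "match"
  else echo "mismatch:$actual"; fi
)

# txt_has_dkim_key   (dig TXT answer text on stdin)
# Succeeds if a TXT record carries v=DKIM1 and a non-empty p= value.
# dig prints long TXT data as several quoted chunks, so join them first.
txt_has_dkim_key() {
  awk '$4 == "TXT" { r = $0; gsub(/"[ \t]+"/, "", r)
         if (r ~ "v=DKIM1" && r ~ "p=[A-Za-z0-9+/]") ok = 1 }
       END { exit !ok }'
}

# Live use (needs network), once for the main and once for the alternate record:
#   dig +noall +answer CNAME "$name" | cname_status "$name" "$target"
#   dig +noall +answer TXT "$name" | txt_has_dkim_key && echo "TXT ok"

# Constructed sample answers (the key text is a placeholder, not a real key).
SAMPLE_CNAME='myselector._domainkey.example.com. 300 IN CNAME myselector.XXXXXX.custdkim.salesforce.com.'
SAMPLE_TXT="$SAMPLE_CNAME
myselector.XXXXXX.custdkim.salesforce.com. 300 IN TXT \"v=DKIM1; p=EXAMPLEKEYPART1\" \"EXAMPLEKEYPART2\""

printf '%s\n' "$SAMPLE_CNAME" |
  cname_status myselector._domainkey.example.com myselector.XXXXXX.custdkim.salesforce.com
printf '%s\n' "$SAMPLE_TXT" | txt_has_dkim_key && echo "TXT record has DKIM key"
```

A "missing" result for a record that is published at the provider corresponds to the proxied-CNAME case noted above; a "mismatch" result shows the value that actually resolved so it can be compared with the one on the DKIM Key details page.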
000391930
