Considerations for DKIM Keys
Before you create DKIM keys, understand their purpose and how DKIM key rotation and domain matching work.
Required Editions
| Available in: Salesforce Classic and Lightning Experience |
| Available in: all editions except Database.com |
Overview
When you digitally sign your emails with DomainKeys Identified Mail (DKIM), the signature proves that the message came from your domain. DKIM is an industry standard, defined in RFC 6376.
Salesforce uses DKIM key pairs to sign outbound email sent on your company’s behalf, which supports your domain’s reputation as a legitimate sender. Each DKIM key pair consists of one private key and one public key. Salesforce publishes the public key in DNS and keeps the private key; the private key never leaves Salesforce. Together, these keys tie your sending email domain to your outbound emails and let recipients check their authenticity.
During mail transport, Salesforce uses the private key to compute a DKIM signature over selected headers and the message body, and adds it to the outbound email as a DKIM-Signature header. The receiving server reads the selector and domain from that header, retrieves the public key from your domain’s public DNS (the selector._domainkey TXT record), and validates the signature against it. A valid signature proves that the message was signed by the holder of your domain’s private key and that the signed parts weren’t altered in transit. It says nothing by itself about whether the content is trustworthy.
In Salesforce, an active DKIM key also verifies that you own the domain. Salesforce can send email on behalf of your users only when both the domain and email address are verified. For more information, see Requirements to Send Email from Salesforce.
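Here is the sign-and-verify round trip described above, written out as an added example in Go. It is not Salesforce code and not a complete RFC 6376 implementation: it signs only headers, uses a simplified relaxed canonicalization, and replaces the DNS lookup with an in-memory map keyed selector._domainkey.domain. The selector sel1, the domain example.com and the sample headers are made-up values.

```go
// Added illustration of the DKIM round trip; not Salesforce code and not a full
// RFC 6376 implementation (headers only, simplified relaxed canonicalization,
// DNS replaced by a map keyed "selector._domainkey.domain"). The selector
// "sel1" and the domain "example.com" are made-up values.
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// NewKey generates the private half of a key pair (2048-bit RSA).
func NewKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// TXTRecord renders the public half as the value of the DKIM TXT record.
func TXTRecord(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for an RSA key
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

// canonicalize normalizes headers relaxed-style: whitespace changes survive, content changes do not.
func canonicalize(headers []string) string {
	var b strings.Builder
	for _, h := range headers {
		name, value, _ := strings.Cut(h, ":")
		fmt.Fprintf(&b, "%s:%s\r\n", strings.ToLower(strings.TrimSpace(name)),
			strings.Join(strings.Fields(value), " "))
	}
	return b.String()
}

// Sign returns the base64 rsa-sha256 signature over the canonicalized headers.
func Sign(priv *rsa.PrivateKey, headers []string) (string, error) {
	digest := sha256.Sum256([]byte(canonicalize(headers)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// parseTXT extracts the RSA public key from a DKIM TXT record; an empty p= means revoked.
func parseTXT(txt string) (*rsa.PublicKey, error) {
	tags := map[string]string{}
	for _, part := range strings.Split(txt, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			tags[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	if tags["p"] == "" {
		return nil, errors.New("DKIM record has no public key (revoked or malformed)")
	}
	der, err := base64.StdEncoding.DecodeString(tags["p"])
	if err != nil {
		return nil, err
	}
	pub, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return nil, err
	}
	if rsaPub, ok := pub.(*rsa.PublicKey); ok {
		return rsaPub, nil
	}
	return nil, errors.New("DKIM record does not hold an RSA key")
}

// Verify does what a receiving server does: fetch selector._domainkey.domain,
// parse the public key, and check the signature over the canonicalized headers.
func Verify(dns map[string]string, selector, domain string, headers []string, sigB64 string) error {
	txt, ok := dns[selector+"._domainkey."+domain]
	if !ok {
		return errors.New("no DKIM record published for selector " + selector)
	}
	pub, err := parseTXT(txt)
	if err != nil {
		return err
	}
	sig, _ := base64.StdEncoding.DecodeString(sigB64) // a malformed value fails verification below
	digest := sha256.Sum256([]byte(canonicalize(headers)))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

func main() {
	priv, _ := NewKey()
	dns := map[string]string{"sel1._domainkey.example.com": TXTRecord(&priv.PublicKey)} // constructed DNS
	hdrs := []string{"From: alerts@example.com", "Subject:  Quarterly   report"}
	sig, _ := Sign(priv, hdrs)
	fmt.Println("signature valid:", Verify(dns, "sel1", "example.com", hdrs, sig) == nil)
}
```

The cases worth noticing are the ones that fail: a changed Subject, a selector with no published record, an empty p= (which DKIM treats as a revoked key), and a signature checked against a different key published under the same selector. The last case is why, during rotation, the alternate public key must be in DNS before it signs anything.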
DKIM Key Rotation
For security, Salesforce rotates your DKIM keys every 30 days. The rotation cycle begins when a DKIM key pair is created and published.
A DKIM key pair contains a public key and a private key.
- Primary DKIM Key: Your main, active public-private DKIM key pair.
- Alternate DKIM Key: Your secondary, inactive public-private key pair, used to replace the primary key pair during rotation.
When you set up a DKIM key, you add CNAME records to your domain’s DNS that point to the DNS records Salesforce hosts for the primary and alternate public keys. Because only the CNAMEs live in your DNS, Salesforce can rotate the keys for you without any further change on your side. The private keys are never published in DNS.
Rotation Timeline
Here’s the timeline of events starting the first time that a DKIM key is published. After you activate a DKIM key, Salesforce performs each of these actions for you.
- Day 0: The primary DKIM key pair is published.
- Day 25: Salesforce creates an alternate DKIM key pair in preparation for rotation and publishes its public key to DNS 5 days before rotation, so that cached DNS answers expire and resolvers everywhere can retrieve the new key before it signs anything.
- Day 30: Salesforce marks the alternate key pair as active and signs emails with the newly active key for the next 30 days.
Multiple DKIM Key Pairs
If multiple active DKIM keys match the sending domain, Salesforce uses the key whose domain match pattern is the longest match. If multiple active keys share the same longest-matching pattern, Salesforce randomly selects one of them.
Example: You send email from Salesforce with the sales.mail.example.com domain. If active DKIM key pairs exist for these three domain match patterns, Salesforce prefers them in this order, using the first one that exists.
- .sales.mail.example.com
- .mail.example.com
- .example.com
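The longest-match rule above, as an added Go example (not Salesforce’s code). It assumes that a leading-dot pattern such as .mail.example.com covers that domain and all of its subdomains, that a pattern without a leading dot covers only the exact domain, and that matching is case-insensitive; the key names are made up. Select takes the tie-breaker as a parameter so the random choice can be replaced by a deterministic one when testing.

```go
package main

import (
	"fmt"
	"math/rand"
	"strings"
)

// Added example of the key-selection rule; not Salesforce code. It assumes a
// pattern with a leading dot (".mail.example.com") covers that domain and all
// of its subdomains, and that a pattern without one covers only the exact
// domain. Key names are made up.
type DKIMKey struct {
	Name    string
	Pattern string // domain match pattern, for example ".example.com"
	Active  bool
}

// matches reports whether pattern covers domain. The leading dot keeps the
// match on a label boundary, so ".example.com" never covers "notexample.com".
func matches(pattern, domain string) bool {
	pattern, domain = strings.ToLower(pattern), strings.ToLower(domain)
	if !strings.HasPrefix(pattern, ".") {
		return pattern == domain
	}
	return domain == pattern[1:] || strings.HasSuffix(domain, pattern)
}

// Candidates returns the active keys that match domain with the longest
// pattern. A result with more than one key is a tie.
func Candidates(keys []DKIMKey, domain string) []DKIMKey {
	var best []DKIMKey
	bestLen := -1
	for _, k := range keys {
		if !k.Active || !matches(k.Pattern, domain) {
			continue
		}
		switch n := len(k.Pattern); {
		case n > bestLen:
			bestLen, best = n, []DKIMKey{k}
		case n == bestLen:
			best = append(best, k)
		}
	}
	return best
}

// Select picks the signing key; pick breaks ties (Salesforce picks at random,
// which is why two active keys on the same pattern sign with an unpredictable
// selector). The bool is false when no active key covers the domain.
func Select(keys []DKIMKey, domain string, pick func(n int) int) (DKIMKey, bool) {
	c := Candidates(keys, domain)
	if len(c) == 0 {
		return DKIMKey{}, false
	}
	return c[pick(len(c))], true
}

func main() {
	keys := []DKIMKey{ // constructed inventory of active keys
		{Name: "k-sales", Pattern: ".sales.mail.example.com", Active: true},
		{Name: "k-mail", Pattern: ".mail.example.com", Active: true},
		{Name: "k-root", Pattern: ".example.com", Active: true},
	}
	for _, d := range []string{"sales.mail.example.com", "billing.mail.example.com", "example.com", "example.org"} {
		k, ok := Select(keys, d, rand.Intn)
		fmt.Printf("%-26s -> %s (found=%v)\n", d, k.Name, ok)
	}
}
```

The last domain in main, example.org, has no matching key and shows the failure mode the next section is about: with no active key covering the From domain, there is nothing to sign with and the send fails domain-level verification.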
Query Your DKIM Keys
To learn how to query your DKIM keys and authorized email domains, see Identify Verified Email-Sending Domains.
DKIM for Domain-Level Email Verification
Salesforce requires domain-level and user-level email verification. Salesforce can send email on behalf of your users only after both levels of verification are complete.
For domain-level verification, an active DKIM key's domain name must match the entire domain shown in the 'From' address. To avoid delivery failures, activate a separate DKIM key for each email-sending domain and subdomain. See Requirements to Send Email from Salesforce.
DKIM for User-Level Email Verification
At our customers’ request, Salesforce offers the option to use domain-level verification to bypass the requirement for user-level email verification. However, Salesforce doesn’t recommend that option because of the security risks. To protect your brand and business, Salesforce strongly recommends that you enable Require email verification for all active DKIM keys. See Considerations for Sending Email with Salesforce.

