NPSP+ Knowledge Base

Setting up DKIM Key

Introduction

DKIM (DomainKeys Identified Mail) is a feature used in Salesforce to sign outbound emails sent on your organisation's behalf.

A valid signature on an email gives recipients confidence that it was handled by a third party such as Salesforce in a way the respective organisation has authorised.

How does it Work?

Sending Servers: 

Signing an email with DKIM involves the following steps:

  1. The domain owner generates a public and private key pair to be used for signing outgoing messages.

  2. The public key is published in a DNS TXT record, and the private key is made available to the DKIM-enabled outbound email server.

  3. When an email is sent by an authorized user of the email server, the server uses the stored private key to generate a digital signature of the message, inserts that signature into the message as a header, and sends the email as normal.

Receiving Servers:

The receiving server goes through the following sequence of steps:

  1. The DKIM-enabled receiving email server extracts the signature from the email headers.

  2. The public key is retrieved from the DNS record where it was published.

  3. The public key is used by the receiving mail system to verify that the signature was generated by the matching private key.

  4. A match effectively proves that the email was truly sent from, and with the permission of, the claimed domain, and that the message headers and content have not been altered in transit.

  5. The receiving email system applies local policies based on the results of the signature test. For example, the message might be deleted if the signature does not match.

DKIM Key Outcome

[Before and After screenshots not reproduced here]

How to Create a DKIM Key in Salesforce:

To create a DKIM key, go to Setup -> DKIM Keys.

Create a New Key:

  1. Give the new key a unique name that distinguishes it from the other keys in your org.

  2. Give the domain name on behalf of which you are going to send out emails.

  3. Choose an appropriate domain match:

     Exact domains only – the key cannot sign emails sent on behalf of the domain's subdomains.

     Subdomains only – the key can sign emails sent on behalf of subdomains, but not on behalf of the parent domain.

     Exact and Subdomain – the key can sign emails sent on behalf of both the parent domain and its subdomains.

  4. Once the DKIM key is created, Salesforce generates a public key and a private key.

Pass the generated information (the key name, the domain and the public key) to your client so they can add it to their DNS records.

How to Create a DNS Record in the Respective Domain:

To create the DNS record, go to your domain management area, click on Manage Domain and follow the steps below:

  1. Create a new record with the following values:

     Name – the unique key name with the suffix ._domainkey

     Type – the record type must be TXT.

     Target – v=DKIM1; k=rsa; p=<the public key generated in Salesforce>

Note: v – version; k – key type; p – public key

  2. Click the Save button to create the DNS record.

  3. To validate your DNS record, go to http://tools.wordtothewise.com/dkim/check, paste your record details and check.

  4. Finally, activate the DKIM Key in Salesforce.

Hereafter, whenever emails are sent from a Salesforce org with an activated DKIM key, they carry a DKIM signature, and receiving servers check it through the steps described in the Receiving Servers section above.
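The sending-side and receiving-side steps described under "How does it Work?", together with the v=DKIM1; k=rsa; p=... record format from the DNS section, as one added Go example using only the standard library. This is not code from this article or from Salesforce's own implementation. The key name "sfdc", the domain "example.org", the header set and the 2048-bit key size are constructed values; DKIM's canonicalisation of headers and body is assumed to have been done already, so the signature is computed over a plain string, and the record parser deliberately rejects a mistyped version or key type instead of guessing.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// RecordName is the DNS name a receiving server queries: <key name>._domainkey.<domain>.
func RecordName(keyName, domain string) string {
	return keyName + "._domainkey." + domain
}

// BuildTXTRecord renders the record value: v=DKIM1; k=rsa; p=<base64 DER public key>.
func BuildTXTRecord(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der), err
}

// ParseTXTRecord checks the tag=value syntax of a published record and recovers the
// RSA public key; a mistyped version or key type is rejected rather than guessed at.
func ParseTXTRecord(record string) (*rsa.PublicKey, error) {
	tags := map[string]string{}
	for _, part := range strings.Split(record, ";") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			tags[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
		}
	}
	if v, ok := tags["v"]; ok && v != "DKIM1" {
		return nil, fmt.Errorf("unsupported version %q (expected DKIM1)", v)
	}
	if k, ok := tags["k"]; ok && k != "rsa" {
		return nil, fmt.Errorf("unsupported key type %q (expected rsa)", k)
	}
	der, err := base64.StdEncoding.DecodeString(tags["p"])
	if err != nil {
		return nil, fmt.Errorf("p= tag is not valid base64: %w", err)
	}
	key, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return nil, fmt.Errorf("p= tag is not a DER-encoded public key: %w", err)
	}
	pub, ok := key.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("p= tag is not an RSA public key")
	}
	return pub, nil
}

// Sign is the sending server's step: rsa-sha256 over the canonicalised signed content,
// base64-encoded as it would appear in the DKIM-Signature header's b= tag.
func Sign(priv *rsa.PrivateKey, canonical string) (string, error) {
	digest := sha256.Sum256([]byte(canonical))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return base64.StdEncoding.EncodeToString(sig), err
}

// Verify is the receiving server's step: the key fetched from DNS checks the signature.
func Verify(pub *rsa.PublicKey, canonical, b64sig string) bool {
	sig, _ := base64.StdEncoding.DecodeString(b64sig) // undecodable input fails below anyway
	digest := sha256.Sum256([]byte(canonical))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// RoundTrip runs both sides end to end on a constructed header set and reports whether
// the genuine content verifies and whether an altered copy does.
func RoundTrip() (genuine, altered bool, err error) {
	// Step 1 (sending side): the domain owner's key pair; 2048 bits is an assumption here.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	// Step 2: the value the client publishes at sfdc._domainkey.example.org (constructed names).
	record, err := BuildTXTRecord(&priv.PublicKey)
	if err != nil {
		return false, false, err
	}
	fmt.Printf("%s TXT %.40s...\n", RecordName("sfdc", "example.org"), record)
	// Step 3: sign a constructed, already-canonicalised header set.
	canonical := "from:sender@example.org\r\nsubject:Hello\r\n"
	sig, err := Sign(priv, canonical)
	if err != nil {
		return false, false, err
	}
	// Receiving side: recover the key from the record, then check a genuine and an altered copy.
	pub, err := ParseTXTRecord(record)
	if err != nil {
		return false, false, err
	}
	return Verify(pub, canonical, sig), Verify(pub, canonical+"x-extra:1\r\n", sig), nil
}

func main() {
	genuine, altered, err := RoundTrip()
	fmt.Println("genuine verifies:", genuine, "| altered verifies:", altered, "| error:", err)
}
```

Running the program prints the record name and the start of the TXT value, then shows that the untouched header set verifies while a copy with one added header does not, which is exactly the "match" versus "no match" outcome that drives the receiving server's local policy in step 5 above.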