How to Setup Salesforce SPF and DKIM (New CNAME Version)

If you send emails out of Salesforce you have two options: you can have Salesforce email servers send the email or you can have Salesforce relay the email to your email server (Gmail, Exchange, Office 365).

Today’s post will focus on the first option: having Salesforce send the email on your behalf. There are a number of reasons you might opt for this approach. For example, you may have salespeople sending emails to leads and prospects, and you do not wish to hurt your email server’s reputation or deliverability if you are flagged for spam. Another example relates to volume. If you have a large service center sending out thousands of emails per day, this may put a large load on your server, and you may instead wish to use Salesforce’s email server to send them.

This is what an email looks like as a recipient when you receive an email from Salesforce where SPF and DKIM have not been configured.

Why Setup SPF and DKIM in Salesforce?

When you have an external email sender, like Salesforce, send emails from addresses that use your domain name, it’s important to set up SPF and DKIM. Otherwise, the person receiving the message will see the email flagged for possible spoofing in their inbox. How this looks will vary depending on the recipient. Some corporate email servers automatically delete incoming emails that appear to be spoofed, while others send them to the spam folder.

How to Setup SPF and DKIM to enable Salesforce to Send Emails

  1. Navigate to the Salesforce Setup menu and type in DKIM in the quick find. Click DKIM Keys.
  2. Click Create New Key.
  3. Choose your key size. For selector enter salesforce. For alternative selector enter sfdc. For domain enter your domain name, in my case, For domain match, choose what makes sense. I only plan on sending from email addresses with so I’ll choose exact match. If you have email addresses with subdomains such as then you would choose exact domain and subdomains. Click Save.
  4. It will take a minute for Salesforce to do its thing and generate some CNAME entries that you need to set up.
  5. Give the page a refresh and you should see something like the image below.
Note: this is the new way that Salesforce does DKIM. It does not generate long strings for public and private keys like it previously did.
This is what DKIM used to look like in Salesforce.

6. Next, let’s navigate to our domain name server (DNS) and go to the cPanel. In our example, I’ll be using, but you can use GoDaddy or wherever you have your domain hosted.

7. Before we jump back to set up DKIM, let’s quickly configure SPF. In the zone editor for your domain, look for an existing TXT record that has a v=spf1 statement. If you don’t have one, create one. If there’s an existing one, edit it. Add to the SPF statement.

8. Now that we have SPF configured, we’ll configure DKIM. After all, we don’t want any Salesforce org to be authorized to send emails from our domain, just our specific Salesforce org. Navigate back to Salesforce to the DKIM Key record. Copy the first part of the CNAME record line, prior to “IN CNAME”. Now, switch to your DNS and paste it into the first row entry for your CNAME.

Go back to Salesforce and copy the 2nd part of the CNAME line–everything after “IN CNAME”. Then switch back to your DNS and paste it in and click save.

9. Next, you have to wait. Your DNS needs to propagate these changes. When it does you’ll notice the “Activate” button on the DKIM record is no longer greyed out! Click it!
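
Steps 7 and 8 as an added Python example (not from the original post or from Salesforce): it merges an include into the zone's one SPF record, counts that record's DNS-lookup terms, and splits a generated CNAME line at "IN CNAME". The TXT records, the CNAME line and the `spf.sender.example` include value are constructed placeholders, and the `~all` default for a new record is an assumption.

```python
import re

# Constructed sample data (not from the original post).
SAMPLE_TXT = [
    "site-verification=constructed-token",
    "v=spf1 include:_spf.mailhost.example ip4:203.0.113.10 mx ~all",
]
SENDER_INCLUDE = "spf.sender.example"  # placeholder for the value Salesforce gives you
SAMPLE_CNAME = ("salesforce._domainkey.example.com. IN CNAME "
                "salesforce.k1a2b3.custdkim.sender.example.")

def split_cname_line(line):
    """Step 8: split 'name IN CNAME target' into (name, target)."""
    m = re.fullmatch(r"\s*(\S+)\s+IN\s+CNAME\s+(\S+)\s*", line, re.IGNORECASE)
    if not m:
        raise ValueError("not a CNAME line: %r" % line)
    return m.group(1), m.group(2)

def add_spf_include(txt_records, include_domain):
    """Step 7: return the zone's single SPF record with the include added."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) > 1:
        # Two v=spf1 records make receivers return permerror; merge by hand first.
        raise ValueError("multiple v=spf1 TXT records found")
    terms = spf[0].split() if spf else ["v=spf1", "~all"]  # assumed default policy
    new = "include:" + include_domain
    if new.lower() not in [t.lower() for t in terms]:
        # Insert before the terminal 'all'; mechanisms after it are never evaluated.
        pos = next((i for i, t in enumerate(terms)
                    if t.lstrip("+-~?").lower() == "all"), len(terms))
        terms.insert(pos, new)
    return " ".join(terms)

def count_lookups(record):
    """Count this record's own DNS-querying terms (RFC 7208 caps the total,
    including lookups made inside included records, at 10)."""
    pat = re.compile(r"(include:|exists:|redirect=|(a|mx|ptr)(?=[:/]|$))")
    return sum(1 for t in record.split()[1:]
               if pat.match(t.lstrip("+-~?").lower()))

if __name__ == "__main__":
    merged = add_spf_include(SAMPLE_TXT, SENDER_INCLUDE)
    print(merged, "| lookups in this record:", count_lookups(merged))
    print(split_cname_line(SAMPLE_CNAME))
```
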

We’re now all set. Let’s send a test email to ensure that emails we send out of Salesforce don’t get tagged for spoofing.
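
One way to check the test email, as an added Python example that is not part of the original post: it parses the Authentication-Results header the receiving server adds and confirms that a DKIM signature for your own domain, made with one of the selectors from step 3, verified. The header below is constructed, and the code assumes the receiver reports `header.s` and either `header.d` or `header.i`.

```python
import re

# Constructed header value, in the RFC 8601 layout a receiving server adds.
SAMPLE_HEADER = (
    "mx.receiver.example; "
    "dkim=pass header.i=@example.com header.s=salesforce header.b=AbCdEfGh; "
    "spf=pass (receiver.example: domain of bounce@mail.sender.example "
    "designates 203.0.113.25 as permitted sender) "
    "smtp.mailfrom=bounce@mail.sender.example"
)

def parse_auth_results(value):
    """Return [(method, result, {property: value})] for each result clause."""
    value = re.sub(r"\([^()]*\)", " ", value)   # drop (comments)
    out = []
    for part in value.split(";")[1:]:           # part 0 is the authserv-id
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:  # e.g. a bare "none"
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        out.append((method.lower(), result.lower(), props))
    return out

def dkim_passes_for(value, domain, selectors=("salesforce", "sfdc")):
    """True if a DKIM signature for `domain`, made with one of the selectors
    entered in step 3, verified. A pass for another domain does not count."""
    for method, result, props in parse_auth_results(value):
        if method != "dkim" or result != "pass":
            continue
        signer = props.get("header.d") or props.get("header.i", "").rpartition("@")[2]
        if signer.lower() == domain.lower() and props.get("header.s") in selectors:
            return True
    return False

def spf_result(value):
    """Return (result, envelope-sender domain); SPF checks smtp.mailfrom, not From:."""
    for method, result, props in parse_auth_results(value):
        if method == "spf":
            return result, props.get("smtp.mailfrom", "").rpartition("@")[2]
    return None, ""

if __name__ == "__main__":
    print("DKIM for example.com:", dkim_passes_for(SAMPLE_HEADER, "example.com"))
    print("SPF:", spf_result(SAMPLE_HEADER))
```
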

That’s all there is to it!

In a future post we’ll look at DMARC and also an alternative way to send email out of Salesforce using email relay. Let me know if you were able to set this up, or if you have any issues!

  • Jimmy
    Posted at 06:54h, 10 April Reply

    This was super helpful – thank you!

  • lucy
    Posted at 02:04h, 23 June Reply

    I haven’t been able to find this explained so clearly, so thank you Paul! I’ve been going around in circles with Salesforce support for almost a week, but now I see exactly what was wrong *facepalm*

    • Paul Fischer
      Posted at 09:16h, 23 June Reply

      Hi Lucy, I’m glad this post was helpful to you!

  • Sano
    Posted at 10:56h, 28 July Reply

    Thank you for this post. This is extremely helpful. Our emails from SF are not reaching Gmail and the research has led me into the swirl of DMARC, DKIM, SPF… Have you posted on DMARC yet? I am unable to find it. Thanks again!

  • Christoph
    Posted at 14:40h, 11 September Reply

    Hi there,
    I have set up DKIM keys as described, but Salesforce does not give me any DNS Settings? On the DKIM page – both list view and details page – there is no information related to DNS settings.

    • Paul Fischer
      Posted at 11:09h, 18 September Reply

      Hi Christoph, are you not seeing the Key Size, Selector, CNAME, etc as shown in the screenshot in step 5? If not, perhaps we can take the issue offline or you can provide a screenshot.

      • Christoph
        Posted at 11:36h, 18 September Reply

        Hi Paul, yes, that was indeed the problem. But now it’s showing up, idk what the problem was. Thank you anyways!

  • Tom M
    Posted at 19:36h, 22 October Reply

    Hi Paul – great article. I am having an issue – once I add Salesforce SPF to my DNS, I pass the 10 ‘dns lookup’ limit. Do you have any suggestions?

  • Jai Aswani
    Posted at 02:30h, 01 March Reply

    Hi Paul, Could you let me know when DKIM Activate button gets enabled?

  • Jai Aswani
    Posted at 03:48h, 01 March Reply

    Hi Paul,

    My DKIM key has been activated. Still in gmail I am getting spoof notification. Could you help me?

  • james
    Posted at 15:56h, 14 November Reply

    super clear and helpful
