How to add DKIM record for owned domain in Salesforce Marketing Cloud (SFMC)?
Summary
What email marketers say13Marketer opinions
Email marketer from Super User shares that DKIM records are added to DNS records and can be used for multiple different systems that are setup. These are assigned with unique names (selectors).
Marketer from Email Geeks explains the DKIM-signing process, mentioning that email sent with a DKIM domain needs to be signed with a key pair (private and public). The private key has to be owned by the sending mail server. For SFMC to send DKIM-signed email, you must have their public key in your DNS and they must sign with their private key.
Email marketer from Medium notes DKIM (DomainKeys Identified Mail) is an email authentication technique that allows the receiver to verify that an email was indeed sent and authorized by the owner of the domain. This is achieved through a digital signature, adding a layer of trust and security to your email communications.
Marketer from Email Geeks explains that configuring a Private Domain or a Sender Authentication Package (SAP) usually provides the necessary DKIM record.
Email marketer from SFDC Study Group suggests you can't add your own DKIM record in SFMC without SAP. Salesforce needs to manage the private key associated with DKIM for security reasons.
Email marketer from StackExchange says you can have multiple DKIM keys for a domain, which could be a solution if you have multiple email sending services. Each DKIM key will have a unique selector.
Marketer from Email Geeks explains that you can set up your own DKIM record for your domain, but you won't have SFMC's private key.
Email marketer from Mailjet explains that to create a DKIM record, you'll typically need to generate a public/private key pair. The public key is added to your domain's DNS records as a TXT record, while the private key is used by the sending server to sign outgoing emails. The receiving server then uses the public key to verify the email's signature.
Marketer from Email Geeks shares his understanding that you cannot authenticate your own domains in SFMC without a Sender Authentication Package (SAP).
Marketer from Email Geeks responds that you need to ask your Account Manager to enable the Sender Authentication Package if you don't already have it.
Marketer from Email Geeks clarifies that if you want to use your own domain for DKIM with SFMC instead of SFMC's shared domain, then you must get their authentication package.
Email marketer from Salesforce Trailblazer Community explains that Salesforce Marketing Cloud generally requires a Sender Authentication Package (SAP) to properly authenticate email domains. The SAP gives you a dedicated IP, branded domain and DKIM signing. However, you need to contact your Account Executive about enabling this.
Email marketer from Reddit shares that a SAP provides the dedicated IP address as well as the DKIM authentication. Furthermore without it you are using shared IPs which can hurt your deliverability.
What the experts say1Expert opinion
Expert from Spam Resource (John Levine) explains that deploying DKIM involves generating a key pair, adding the public key to your DNS as a TXT record, and configuring your mail server to sign outgoing messages with the private key. The process also involves testing and validation to ensure it is working correctly.
What the documentation says3Technical articles
Documentation from Salesforce Help outlines setting up a private domain in Marketing Cloud. You purchase a domain, request setup with Salesforce, who will then provide DNS records (including DKIM) to configure with your domain registrar. This allows you to send emails from your own domain, improving brand recognition and deliverability.
Documentation from Salesforce Help explains that a Sender Authentication Package (SAP) is a collection of products that authenticates your email sends. It includes a dedicated IP address, branded domain for link and image wrapping, and DKIM signing. Activating SAP involves Salesforce provisioning the domain and providing CNAME records to update in your DNS.
Documentation from Salesforce Help details how to rotate DKIM keys in Marketing Cloud. Key rotation enhances security and requires generating a new DKIM key in your account and updating the DNS records. This process ensures your email continues to be properly authenticated.