How to add DKIM record for owned domain in Salesforce Marketing Cloud (SFMC)?

Summary

Adding a DKIM record for an owned domain in Salesforce Marketing Cloud (SFMC) typically involves using SFMC's Sender Authentication Package (SAP) or setting up a Private Domain. The SAP includes a dedicated IP address, branded domain, and DKIM signing. Activating SAP requires contacting your Account Executive and having Salesforce provision the domain and provide CNAME records for DNS updates. Some sources suggest you cannot add your own DKIM record without SAP, as Salesforce needs to manage the private key for security. DKIM involves a public/private key pair, with the public key added to your DNS records and the private key used by the sending server. Multiple DKIM keys can exist for a domain with unique selectors. Without a SAP, you may use shared IPs, potentially hurting deliverability. Regular DKIM key rotation is recommended for enhanced security. Deploying DKIM involves generating a key pair, adding the public key to DNS, configuring the mail server to sign messages, and testing for proper function.

Key findings

  • SAP/Private Domain Requirement: SFMC typically requires a Sender Authentication Package (SAP) or a Private Domain for implementing DKIM.
  • Salesforce Private Key Management: Salesforce generally manages the private key associated with DKIM for security reasons.
  • DKIM Key Pair Mechanism: DKIM operates using a public/private key pair where the public key is added to DNS records.
  • Multiple DKIM Keys Possible: It's possible to have multiple DKIM keys for a domain, using unique selectors for each.
  • Impact of Shared IPs on Deliverability: Using shared IPs without SAP can negatively impact email deliverability.
  • DKIM for Authentication: DKIM authenticates emails, verifying they were sent and authorized by the domain owner.
  • Key Rotation Best Practice: Regular DKIM key rotation is recommended to enhance security.

Key considerations

  • SAP Cost and Requirements: Consider the costs and requirements associated with implementing a Sender Authentication Package (SAP).
  • Account Executive Contact: Contact your Salesforce Account Executive to enable SAP or discuss Private Domain options.
  • DNS Record Management: Be prepared to manage and update DNS records as instructed by Salesforce during setup and for key rotation.
  • Testing and Validation: Thoroughly test and validate the DKIM setup to ensure it's functioning correctly.
  • Potential Deliverability Issues: Understand the potential impact on email deliverability if DKIM is not properly implemented.
  • Alternative Authentication Options: Explore alternative email authentication methods to improve security.

What email marketers say
13 Marketer opinions

Adding a DKIM record for an owned domain in Salesforce Marketing Cloud (SFMC) typically involves using SFMC's Sender Authentication Package (SAP) or a Private Domain. The SAP provides a dedicated IP address, branded domain, and DKIM signing, requiring you to contact your Account Executive to enable it. Some sources suggest it's not possible to add your own DKIM record without SAP, as Salesforce needs to manage the private key for security. DKIM involves a public/private key pair, with the public key added to your DNS records and the private key used by the sending server. Multiple DKIM keys can exist for a domain with unique selectors. Without a SAP, you risk using shared IPs, potentially hurting deliverability. DKIM authenticates emails, verifying they were sent and authorized by the domain owner.

Key opinions

  • SAP/Private Domain: SFMC typically requires a Sender Authentication Package (SAP) or Private Domain for DKIM setup.
  • Private Key Management: Salesforce usually manages the private key associated with DKIM for security.
  • DKIM Key Pair: DKIM involves a public/private key pair, where the public key is added to your DNS records.
  • Multiple DKIM Keys: A domain can have multiple DKIM keys with unique selectors, useful for multiple sending services.
  • Impact of Shared IPs: Sending without SAP on shared IPs can negatively impact email deliverability.
  • DKIM Authentication: DKIM authenticates emails by verifying they were sent and authorized by the domain owner.

Key considerations

  • SAP Cost: Consider the cost implications of implementing a Sender Authentication Package (SAP).
  • Contact Account Executive: Contact your Salesforce Account Executive to enable SAP and discuss Private Domain options.
  • DNS Record Updates: Be prepared to update your DNS records with the public DKIM key provided by Salesforce.
  • Deliverability Impact: Understand the potential impact on email deliverability if you don't properly implement DKIM.
  • Alternative Authentication: Explore alternative email authentication methods to improve email security.

Marketer view

Email marketer from Super User shares that DKIM records are added to DNS records and can be used for multiple different systems that are set up. These are assigned unique names (selectors).

April 2023 - Super User
Marketer view

Marketer from Email Geeks explains the DKIM-signing process, mentioning that email sent with a DKIM domain needs to be signed with a key pair (private and public). The private key has to be owned by the sending mail server. For SFMC to send DKIM-signed email, you must have their public key in your DNS and they must sign with their private key.

January 2025 - Email Geeks
Marketer view

Email marketer from Medium notes DKIM (DomainKeys Identified Mail) is an email authentication technique that allows the receiver to verify that an email was indeed sent and authorized by the owner of the domain. This is achieved through a digital signature, adding a layer of trust and security to your email communications.

October 2023 - Medium
Marketer view

Marketer from Email Geeks explains that configuring a Private Domain or a Sender Authentication Package (SAP) usually provides the necessary DKIM record.

July 2024 - Email Geeks
Marketer view

Email marketer from SFDC Study Group suggests you can't add your own DKIM record in SFMC without SAP. Salesforce needs to manage the private key associated with DKIM for security reasons.

March 2024 - SFDC Study Group
Marketer view

Email marketer from StackExchange says you can have multiple DKIM keys for a domain, which could be a solution if you have multiple email sending services. Each DKIM key will have a unique selector.

October 2023 - StackExchange
Marketer view

Marketer from Email Geeks explains that you can set up your own DKIM record for your domain, but you won't have SFMC's private key.

December 2022 - Email Geeks
Marketer view

Email marketer from Mailjet explains that to create a DKIM record, you'll typically need to generate a public/private key pair. The public key is added to your domain's DNS records as a TXT record, while the private key is used by the sending server to sign outgoing emails. The receiving server then uses the public key to verify the email's signature.

January 2024 - Mailjet
Marketer view

Marketer from Email Geeks shares his understanding that you cannot authenticate your own domains in SFMC without a Sender Authentication Package (SAP).

August 2024 - Email Geeks
Marketer view

Marketer from Email Geeks responds that you need to ask your Account Manager to enable the Sender Authentication Package if you don't already have it.

September 2024 - Email Geeks
Marketer view

Marketer from Email Geeks clarifies that if you want to use your own domain for DKIM with SFMC instead of SFMC's shared domain, then you must get their authentication package.

October 2021 - Email Geeks
Marketer view

Email marketer from Salesforce Trailblazer Community explains that Salesforce Marketing Cloud generally requires a Sender Authentication Package (SAP) to properly authenticate email domains. The SAP gives you a dedicated IP, branded domain and DKIM signing. However, you need to contact your Account Executive about enabling this.

September 2021 - Salesforce Trailblazer Community
Marketer view

Email marketer from Reddit shares that a SAP provides the dedicated IP address as well as the DKIM authentication. Furthermore, without it you are using shared IPs, which can hurt your deliverability.

October 2021 - Reddit

What the experts say
1 Expert opinion

Deploying DKIM involves generating a key pair, adding the public key to DNS as a TXT record, configuring the mail server to sign messages with the private key, and testing for proper function.

Key opinions

  • Key Pair Generation: DKIM deployment requires generating a public/private key pair.
  • DNS Configuration: The public key must be added to the domain's DNS records as a TXT record.
  • Mail Server Configuration: The mail server needs to be configured to sign outgoing messages using the private key.
  • Testing and Validation: Testing and validation are necessary to ensure DKIM is functioning correctly.

Key considerations

  • Complexity: DKIM deployment can be complex and requires careful configuration.
  • DNS Access: You'll need access to your domain's DNS settings to add the TXT record.
  • Security: Properly securing the private key is crucial for DKIM security.
  • Testing Tools: Use appropriate testing tools to validate the DKIM setup.

Expert view

Expert from Spam Resource (John Levine) explains that deploying DKIM involves generating a key pair, adding the public key to your DNS as a TXT record, and configuring your mail server to sign outgoing messages with the private key. The process also involves testing and validation to ensure it is working correctly.

March 2023 - Spam Resource
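
An added example (not from the original page, its sources, or Salesforce) for the testing and validation step above: a small Python auditor for DKIM key records as they are published in DNS under `<selector>._domainkey.<domain>`, useful when several selectors coexist or a key is being rotated. The selector names, the domain and the zero-filled `p=` placeholders are constructed, and the key-size check is a heuristic based on the encoded key length.

```python
import base64

def placeholder_key(n_bytes):
    # Zero-filled stand-in with the byte length of a real key; NOT a usable key.
    return base64.b64encode(bytes(n_bytes)).decode()

# Constructed TXT values, as a resolver would return them after following any CNAME.
SAMPLE_RECORDS = {
    "s2024._domainkey.example.com": "v=DKIM1; k=rsa; p=" + placeholder_key(294),
    "s2019._domainkey.example.com": "v=DKIM1; k=rsa; t=y; p=" + placeholder_key(162),
    "old._domainkey.example.com": "v=DKIM1; p=",
    "bad._domainkey.example.com": "k=rsa; v=DKIM1; p=" + placeholder_key(294),
}

def parse_tags(txt):
    """Split an RFC 6376 tag-list into ordered (tag, value) pairs."""
    pairs = []
    for part in txt.split(";"):
        if part.strip():
            tag, _, value = part.partition("=")
            pairs.append((tag.strip(), "".join(value.split())))
    return pairs

def audit_record(txt):
    """Return a list of findings for one DKIM key record (empty list = clean)."""
    pairs = parse_tags(txt)
    tags = dict(pairs)
    findings = []
    if "v" in tags and (pairs[0][0] != "v" or tags["v"] != "DKIM1"):
        findings.append("v= must be the first tag and equal DKIM1")
    if "p" not in tags:
        return findings + ["missing p= (no public key)"]
    if tags["p"] == "":
        return findings + ["revoked (empty p=)"]
    if "y" in tags.get("t", "").split(":"):
        findings.append("testing mode (t=y)")
    if tags.get("k", "rsa") == "rsa":
        try:
            der_len = len(base64.b64decode(tags["p"], validate=True))
        except ValueError:
            return findings + ["p= is not valid base64"]
        # Heuristic: a 2048-bit RSA public key encodes to 294 DER bytes, a 1024-bit one to 162.
        if der_len < 294:
            findings.append("RSA key shorter than 2048 bits")
    return findings

def audit_all(records):
    """Audit every selector record; returns {dns_name: [findings]}."""
    return {name: audit_record(txt) for name, txt in records.items()}
```

In practice the TXT strings would come from a DNS lookup of each selector name after the records supplied by Salesforce have been published.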

What the documentation says
3 Technical articles

Salesforce documentation explains that adding a DKIM record for your owned domain in SFMC is typically achieved through a Sender Authentication Package (SAP) or by setting up a private domain. SAP includes DKIM signing along with a dedicated IP and branded domain, and requires Salesforce to provision the domain and provide CNAME records for DNS updates. Setting up a private domain involves purchasing a domain and requesting setup with Salesforce, which then provides the necessary DNS records (including DKIM); this improves brand recognition and deliverability. DKIM key rotation is also possible, enhancing security by generating a new key and updating DNS records to maintain proper authentication.

Key findings

  • SAP Features: A Sender Authentication Package (SAP) includes DKIM signing, a dedicated IP address, and a branded domain.
  • SAP Activation: Activating SAP requires Salesforce to provision the domain and provide CNAME records for DNS updates.
  • Private Domain Setup: Setting up a private domain involves purchasing a domain and requesting setup with Salesforce.
  • DNS Records from Salesforce: Salesforce provides DNS records (including DKIM) to configure with your domain registrar when setting up a private domain.
  • DKIM Key Rotation: DKIM key rotation enhances security and requires generating a new DKIM key and updating DNS records.

Key considerations

  • DNS Access: You need access to your DNS settings to update records as instructed by Salesforce.
  • Salesforce Involvement: Setting up SAP or a private domain requires direct involvement from Salesforce to provision the domain and provide necessary records.
  • Security Practices: Regularly rotating DKIM keys can improve email security and prevent spoofing.
  • Deliverability Benefits: Using your own domain and properly implementing DKIM can improve email deliverability and brand recognition.

Technical article

Documentation from Salesforce Help outlines setting up a private domain in Marketing Cloud. You purchase a domain, request setup with Salesforce, who will then provide DNS records (including DKIM) to configure with your domain registrar. This allows you to send emails from your own domain, improving brand recognition and deliverability.

April 2023 - Salesforce Help
Technical article

Documentation from Salesforce Help explains that a Sender Authentication Package (SAP) is a collection of products that authenticates your email sends. It includes a dedicated IP address, branded domain for link and image wrapping, and DKIM signing. Activating SAP involves Salesforce provisioning the domain and providing CNAME records to update in your DNS.

November 2023 - Salesforce Help
Technical article

Documentation from Salesforce Help details how to rotate DKIM keys in Marketing Cloud. Key rotation enhances security and requires generating a new DKIM key in your account and updating the DNS records. This process ensures your email continues to be properly authenticated.

August 2021 - Salesforce Help