Ensure Emails Reach Your Recipients with SPF & DKIM

Email Deliverability from Salesforce

From time to time we will get a support request from a client about emails from Salesforce not getting to the intended recipients.  Sometimes the messages go to SPAM and sometimes the messages aren’t being delivered at all.  Oftentimes the concern is that Salesforce isn’t sending the emails, but a quick scan of the email logs will show us that Salesforce did indeed send the emails.  So why were the messages not being received?

More and more organizations and email service providers are implementing policies that verify that the sender of an email really is who it claims to be, rather than someone spoofing the domain.  Organizations and email service providers then specify policies for what to do when an email fails authentication - e.g. if authentication fails but there is no link or attachment, send the message to the spam folder; if it fails and there is an attachment, block the message outright.

Enter DKIM and SPF Records

So how does this authentication work?  It typically looks at two things: DKIM and SPF, both of which are published as records in your organization’s DNS.  Whenever you send an email from your mail system (Exchange/Outlook or Google Workspace/Gmail, for example), the sending server signs selected headers and the body with a private key and adds a DKIM (DomainKeys Identified Mail) signature header to the message. The signature header names the signing domain and a selector. When the receiving server gets the message it fetches the matching public key from the TXT record at selector._domainkey.yourdomain in your DNS and checks the signature against it. A valid signature shows that the email was sent by a system holding your domain’s signing key and that the signed parts were not altered in transit.

Additionally, the receiving server sees the IP address of the server that connected to it to deliver your email.  That’s where SPF records come into play.  Your SPF (Sender Policy Framework) record is a TXT record that lists the servers and IP ranges allowed to send mail for your domain.  The receiving server looks up the SPF record for the domain in the envelope sender (the Return-Path, or MAIL FROM address) and checks whether the connecting IP address is on the allowed list.

So when an email is sent from Salesforce it will fail both checks out of the box: Salesforce doesn’t add a DKIM signature for your domain until you set one up, and the message arrives from a Salesforce IP address that isn’t listed in your SPF record.  Thankfully, Salesforce provides a very simple way to address this.
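To make the SPF side of that check concrete, here is a small receiver-side SPF evaluator. It is an added example, not code from the original post or from Salesforce, and it runs over a constructed DNS table: the domains, IP ranges and the include: target (_spf.mail-provider.example) are made up for the illustration and are not the values any real provider publishes. It also shows the two ways an SPF record becomes unusable that matter when you edit yours later: more than one v=spf1 record on a name, and more than ten DNS-querying mechanisms (include:, a, mx, ptr, exists, redirect=) counted across the whole chain.

```python
"""Receiver-side SPF evaluation over a constructed DNS table.

Added example: the zone data and the include: target below are invented for
this illustration and belong to no real provider.
"""
import ipaddress

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: include/a/mx/ptr/exists/redirect

# Constructed DNS data standing in for real zones (not a real provider's record).
DNS_TXT = {
    "example.com": ["v=spf1 mx include:_spf.mail-provider.example -all"],
    "_spf.mail-provider.example": ["v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:10::/48 ~all"],
    # Misconfiguration: two v=spf1 records published on one name.
    "two-records.example": ["v=spf1 -all", "v=spf1 ip4:198.51.100.5 -all"],
}
DNS_MX = {"example.com": ["mail.example.com"]}
DNS_A = {"mail.example.com": ["192.0.2.25"]}
# Misconfiguration: a chain of includes that blows through the lookup limit.
for _i in range(12):
    DNS_TXT[f"chain{_i}.example"] = [f"v=spf1 include:chain{_i + 1}.example -all"]


class SpfPermError(Exception):
    """Unusable record: more than one v=spf1 record, or too many DNS lookups."""


def _ip_matches(ip, cidr):
    # An IPv4 network never contains an IPv6 address (and vice versa).
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def _spf_records(domain):
    return [r for r in DNS_TXT.get(domain, []) if r.split()[0].lower() == "v=spf1"]


def check_spf(ip, domain, lookups=None):
    """Return pass/fail/softfail/neutral/none for `ip` sending as `domain`."""
    if lookups is None:
        lookups = [0]  # one counter shared across include:/redirect= recursion
    records = _spf_records(domain)
    if len(records) > 1:
        raise SpfPermError(f"{domain}: {len(records)} v=spf1 records; receivers treat this as permerror")
    if not records:
        return "none"
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        # "redirect=domain" uses '=', every other mechanism uses ':'
        name, _, value = term.replace("=", ":", 1).partition(":")
        name = name.lower()
        if name in ("include", "a", "mx", "ptr", "exists", "redirect"):
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                raise SpfPermError(f"{domain}: more than {MAX_DNS_LOOKUPS} DNS-querying mechanisms")
        if name == "redirect":
            return check_spf(ip, value, lookups)
        matched = False
        if name in ("ip4", "ip6"):
            matched = _ip_matches(ip, value)
        elif name == "a":
            matched = ip in DNS_A.get(value or domain, [])
        elif name == "mx":
            matched = any(ip in DNS_A.get(host, []) for host in DNS_MX.get(value or domain, []))
        elif name == "include":
            matched = check_spf(ip, value, lookups) == "pass"
        elif name == "all":
            matched = True
        if matched:
            return results[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


if __name__ == "__main__":
    for sender in ("203.0.113.7", "192.0.2.25", "198.51.100.9"):
        print(sender, check_spf(sender, "example.com"))
    for broken in ("two-records.example", "chain0.example"):
        try:
            check_spf("203.0.113.7", broken)
        except SpfPermError as err:
            print("permerror:", err)
```

The constructed example.com record passes a message from 203.0.113.7 only because the include: chain leads to a record listing that range; a receiver that hits the ten-lookup limit or finds two v=spf1 records on the name stops evaluating and returns a permanent error instead, which is why the record must be edited, not duplicated.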

Creating DKIM Keys

You'll need to be a System Administrator in Salesforce to make these changes.

Go to Setup (the gear icon) and search for “DKIM” in the quick find box.  Select DKIM Keys from the menu and then click Create New under Manage DKIM Keys.

DKIM Setup in Salesforce setup.

On the next screen, select 2048-bit for the Key Size.  The Selector and Alternate Selectors are arbitrary–you can type in whatever you would like, though avoid using special characters. I usually just enter “salesforce” for my selector and “sfdc” for the Alternate Selector.  Add your domain to the Domain field without https:// or www.

Lastly, under Domain Match you tell Salesforce which sending addresses should get the DKIM signature, e.g. only specific subdomains, or all email from your domain.  Usually you want to authenticate all of it, so enter your domain name again, followed by a comma, and then an asterisk (*).  The asterisk is a wildcard that tells Salesforce any subdomain is fine.

Salesforce DKIM - Create a Key window

When your screen looks like the shot above, click Save. Salesforce will then let you know that it is publishing the TXT records.

Salesforce DKIM - Keys publishing

The publishing process may take some time. Refresh the screen to see the values for the new DNS records to be created; if it takes more than a few minutes, you can come back to the page later to get the values you’ll need for the rest of the process. Eventually you’ll get a screen that looks something like this, showing your new keys.

Salesforce DKIM - Keys ready to activate.

You’ll notice the Activate button is grayed out. This is because though Salesforce is ready to start adding the DKIM signature to outbound emails, you need to add the corresponding records to your DNS server so that the DKIM signatures can be verified. Once the DNS records are created you’ll be able to activate the keys in Salesforce.

Updating DNS and Activating the Keys

If you have an IT team you can likely just copy and paste the data from this screen into an email and let them handle the rest.  If you manage your company’s web presence it may fall to you to create the records, though rest assured it’s relatively easy. You’ll have to log in to whatever tool you use to manage your DNS; some commonly used tools are cPanel, Plesk, or Cloudflare. You may also have DNS hosted with your domain registrar (a company like GoDaddy or Hover). Your provider likely has a help article guiding you on how to add the necessary records.

In my case, I’m going to go to my DNS Manager and click Add Record under CNAME to create a new CNAME record from scratch. I’m going to enter the selector name and the “_domainkey” part of the string into the Host field (i.e. you don’t need to include your domain name, since the DNS tool appends it).  And then we’ll take everything after IN CNAME and add it to the Points To field.

DNS Control panel – Publishing DKIM keys.

I’ll repeat the process for my alternate selector as well.  It takes time for DNS records to propagate, so we won’t be able to activate the keys in Salesforce right away.  But that’s fine, because while we’re updating DNS records we should add or update the existing SPF record.

Most likely you already have an SPF record, so look for a TXT record whose value starts with “v=spf1”.  If you don’t find one you can create a new record.  If you do have an existing SPF record it’s important that you edit the existing record instead of creating a new one: a domain with more than one “v=spf1” record fails the SPF check with a permanent error, so mail servers will reject or distrust both records rather than pick one.

In my case, I have an existing record so I edited the existing record and simply inserted “” right after “v=spf1” in the TXT Value field.  And that’s it–the SPF record is updated and Salesforce IP addresses are now approved by our domain. You can verify that you've got the syntax correct by pasting your SPF entry into a validator like this one. One caveat when adding to an existing record: SPF permits at most ten DNS-querying terms (include:, a, mx, ptr, exists and redirect=) across the whole record, counting the records that your includes pull in, and going over that limit also produces a permanent error, so if you already include several services, check the total before you save.

DNS Control Panel - Adding an SPF entry

It’s worth noting that different applications may have slightly different names for each of these fields.  Instead of Host Record it may say Name.  Instead of “Points to” it may say “Value” or “Data”. But they’re all referring to the same things.  Also, if you accidentally get the values backwards when creating the CNAME records, don’t worry!  It won’t hurt anything, and you’ll know after a couple of hours when the Activate button is still grayed out in Salesforce, because the selector name in your domain won’t resolve to anything.

Which brings us to our final task–activating the new keys.  Return to the DKIM records we created in Salesforce and click Activate, and that’s it!  Emails from Salesforce will now carry a DKIM signature that can be verified, and the Salesforce IP addresses are approved senders for our domain. To confirm it end to end, send a test email from Salesforce to a mailbox you control and look at the Authentication-Results header on the received message; it should show dkim=pass and spf=pass.
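Before clicking Activate, it helps to confirm from the outside that the CNAME you published actually leads to a key record, since a CNAME entered backwards fails silently. The following is an added example, not code from the original post or from Salesforce: it follows the CNAME chain from selector._domainkey.yourdomain to the TXT record and checks that the record is a DKIM1 record with a non-empty, decodable p= key. It runs offline over a constructed zone (the target host salesforce.dkim.key-host.example and the key bytes are placeholders, and the second selector is deliberately published backwards the way the text describes); the dig_lookup function shows how to point the same check at live DNS.

```python
"""Check that a DKIM selector resolves to a usable public-key record.

Added example, not Salesforce's or the author's code. The zone data below is
constructed: the CNAME target host and the key bytes are placeholders.
"""
import base64
import binascii
import subprocess

MAX_CNAME_HOPS = 5

# Constructed zone in dig +short output shape. Salesforce publishes CNAMEs whose
# target hosts the TXT key record, which is the shape mirrored here; the names
# and the key material are invented.
PLACEHOLDER_KEY = base64.b64encode(b"placeholder bytes, not a real RSA public key").decode()
ZONE = {
    ("salesforce._domainkey.example.com", "CNAME"): ["salesforce.dkim.key-host.example."],
    ("salesforce.dkim.key-host.example", "TXT"): [f'"v=DKIM1; k=rsa; " "p={PLACEHOLDER_KEY}"'],
    # The "values backwards" mistake: host and target were swapped in the DNS
    # panel, so sfdc._domainkey.example.com itself has no record at all.
    ("sfdc.dkim.key-host.example", "CNAME"): ["sfdc._domainkey.example.com."],
}


def zone_lookup(name, rtype, zone=ZONE):
    """Offline resolver over the constructed zone."""
    return zone.get((name.rstrip("."), rtype), [])


def dig_lookup(name, rtype):
    """Live resolver with the same output shape, via `dig +short`. Not used offline."""
    out = subprocess.run(["dig", "+short", rtype, name],
                         capture_output=True, text=True, check=True).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]


def join_txt(line):
    """Join dig's quoted TXT chunks ("v=DKIM1; " "p=...") into one value."""
    return "".join(part.strip('"') for part in line.split('" "'))


def parse_dkim_tags(txt):
    """Split 'v=DKIM1; k=rsa; p=...' into a tag dict; whitespace inside p= is allowed."""
    tags = {}
    for field in txt.split(";"):
        key, sep, value = field.partition("=")
        if sep:
            tags[key.strip()] = "".join(value.split())
    return tags


def check_selector(selector, domain, resolver=zone_lookup):
    """Follow CNAMEs from selector._domainkey.domain to a TXT key record.

    Returns (ok, detail); ok is False with a reason when the chain is broken,
    the record is not a DKIM record, or the key is empty or not base64.
    """
    name = f"{selector}._domainkey.{domain}"
    chain = [name]
    for _ in range(MAX_CNAME_HOPS):
        txt = resolver(name, "TXT")
        if txt:
            break
        cname = resolver(name, "CNAME")
        if not cname:
            return False, (f"{name}: no TXT or CNAME record. If you just created the CNAME, "
                           "check that the Host field holds the selector name, not the target")
        name = cname[0].rstrip(".")
        chain.append(name)
    else:
        return False, f"{' -> '.join(chain)}: CNAME chain longer than {MAX_CNAME_HOPS}"
    tags = parse_dkim_tags(join_txt(txt[0]))
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional and defaults to DKIM1
        return False, f"{name}: not a DKIM1 record (v={tags.get('v')})"
    pubkey = tags.get("p", "")
    if not pubkey:
        return False, f"{name}: empty p= tag, this key is revoked"
    try:
        key_bytes = base64.b64decode(pubkey, validate=True)
    except binascii.Error:
        return False, f"{name}: p= is not valid base64"
    return True, f"{' -> '.join(chain)}: k={tags.get('k', 'rsa')}, {len(key_bytes)} key bytes"


if __name__ == "__main__":
    for sel in ("salesforce", "sfdc"):
        print(sel, check_selector(sel, "example.com"))
```

Run against live DNS by passing resolver=dig_lookup; a healthy 2048-bit RSA key shows up as a DER public key of about 294 bytes, and a report of "no TXT or CNAME record" for the selector name means the record either has not propagated yet or was created with the host and target swapped.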