HOW TO

You spent hours writing the perfect email. You hit send. And it lands in spam.

That’s the silent killer of every outbound strategy — and DKIM is one of the fastest ways to fix it.

If you’re sending emails through Salesforce and haven’t set up DKIM, you’re leaving deliverability on the table. Studies show that 20% of legitimate commercial emails never reach the inbox, and missing authentication records like DKIM is one of the leading causes.

This guide walks you through exactly how to activate a DKIM key in Salesforce — step by step, no technical degree required.

What Is DKIM and Why Does It Matter for Email Senders

DKIM stands for DomainKeys Identified Mail. It’s an email authentication protocol that adds a digital signature to every email you send. When your email arrives at the recipient’s mail server, that server checks the signature against a public key stored in your DNS — if they match, your email is verified as legitimate.

Without DKIM:

• Your emails are more likely to be flagged as spam
• Your domain reputation suffers over time
• Your open rates and deliverability drop significantly

Here’s what the data says about email authentication:

• Emails with proper authentication are 36x less likely to be marked as spam compared to unauthenticated emails
• Organizations using SPF, DKIM, and DMARC together see up to 10% higher inbox placement rates
• 73% of organizations report that email deliverability directly impacts their pipeline performance
• Only 57% of businesses have fully implemented DKIM across all their sending domains — meaning the other 43% are sending unprotected emails every single day
• Google and Yahoo now require DKIM authentication for bulk senders (those sending 5,000+ emails per day) as of February 2024

The bottom line: if your domain isn’t authenticated, you’re not just losing opens — you’re losing deals.

How DKIM Works Inside Salesforce

Salesforce has a built-in DKIM key management system. When you activate DKIM in Salesforce, the platform:

1. Generates a public/private key pair
2. Signs each outgoing email with the private key
3. Provides you with a CNAME record to add to your DNS
4. Receiving mail servers verify the signature using the public key in your DNS

This process happens invisibly on every send — once it’s set up, you don’t have to think about it again.

What You Need Before You Start

Before activating DKIM in Salesforce, make sure you have:

• System Administrator access in your Salesforce org
• Access to your domain’s DNS settings (via GoDaddy, Cloudflare, Namecheap, Route 53, or your registrar)
• Your sending domain confirmed — this is the domain in your From address (e.g., yourcompany.com)
• Patience for DNS propagation — changes can take anywhere from a few minutes to 48 hours

How to Activate DKIM Key in Salesforce — Step by Step

Step 1: Navigate to DKIM Keys in Setup

Log in to Salesforce and go to Setup. In the Quick Find search bar, type “DKIM Keys” and select it from the results.

You’ll land on the DKIM Key Management page, which shows any existing keys and lets you create new ones.

Step 2: Create a New DKIM Key

Click “Create New Key.”

You’ll be presented with a form. Here’s what to fill in:

• RSA Key Size: Select 2048-bit (this is the recommended and most secure option as of 2024)
• Selector: Enter a unique name — this becomes part of your DNS record name. Something like sf1 or salesforce2025 works fine. Avoid spaces or special characters.
• Domain: Enter the domain you send from (e.g., yourcompany.com)
• Domain Match: Choose whether this key applies to the exact domain or subdomains too

Click Save.

Step 3: Copy Your CNAME Records

After saving, Salesforce generates two CNAME records you need to add to your DNS:

You’ll see both clearly displayed on the screen. Copy these exactly — even one character off will cause the verification to fail.

Step 4: Add the CNAME Records to Your DNS

Log in to your DNS provider and navigate to your DNS records for the relevant domain.

Add a new CNAME record:

• Name/Host: Paste the CNAME Host from Salesforce (some DNS providers strip the root domain automatically — check their documentation)
• Value/Points To: Paste the long CNAME Value from Salesforce
• TTL: Set to 3600 (1 hour) or use your provider’s default

Save the record.

Pro tip: If you’re using Cloudflare, make sure the record is set to DNS only (grey cloud), not proxied (orange cloud). Proxying CNAME records can break DKIM verification.

Step 5: Wait for DNS Propagation

DNS changes don’t take effect instantly. Propagation typically takes:

• 5–30 minutes for most providers under normal conditions
• Up to 48 hours in rare cases

You can check propagation status using a free tool like MXToolbox or DNSChecker.org. Search for your CNAME record to confirm it’s live globally before moving to the next step.

Step 6: Activate the DKIM Key in Salesforce

Once your DNS record has propagated, return to Setup → DKIM Keys in Salesforce.

Find the key you created. Its status should now show as “Verified” or be ready to activate.

Click “Activate” next to the key.

Salesforce will confirm the key is now active. From this point forward, every email sent from that domain through Salesforce will be signed with your DKIM key.

Step 7: Verify the Activation

Send a test email to a Gmail or Outlook address you control. Open the email, click the three-dot menu, and select “Show original” (Gmail) or “View message source” (Outlook).

Look for a line that reads:

dkim=pass

If you see that, you’re fully authenticated and protected.

Troubleshooting Common DKIM Activation Issues in Salesforce

DKIM Key Shows “Pending” or “Not Verified”

DNS hasn’t fully propagated yet. Wait 30–60 minutes and check again. If it’s been more than 24 hours, double-check that the CNAME record was entered exactly as Salesforce provided — even a missing dot or extra space breaks it.

DKIM Keeps Failing After DNS Propagation

Check whether your DNS provider auto-appended your domain to the CNAME host. For example, if your CNAME host should be sf1._domainkey.yourcompany.com but your provider automatically adds .yourcompany.com, you’d end up with a duplicate. Review the raw DNS record to confirm.

“Activate” Button Is Greyed Out

This usually means the DNS record hasn’t been verified yet. Use MXToolbox to confirm the CNAME resolves correctly before trying to activate.

Emails Still Going to Spam After DKIM Activation

DKIM alone doesn’t guarantee inbox placement. You also need:

• SPF (Sender Policy Framework)
• DMARC (Domain-based Message Authentication, Reporting & Conformance)

Together, these three form the full email authentication stack. Research shows that domains with all three protocols active see a 98% reduction in email spoofing incidents and significantly higher deliverability.

The Bigger Picture: DKIM Is Just One Piece of Your Outbound Strategy

Here’s what most people miss: DKIM fixes your deliverability. But deliverability is only valuable if your outbound strategy is actually working.

Even with perfect email authentication, cold email averages a 1–5% response rate across industries. Spam filters are smarter. Inboxes are noisier. Decision-makers are harder to reach.

That’s why smart teams are diversifying their outbound — pairing email with LinkedIn prospecting, where response rates average 15–25% and you’re reaching 65+ million verified decision-makers without deliverability concerns.

Conclusion

Activating DKIM in Salesforce is a non-negotiable step for any team serious about email deliverability. The process — creating the key, adding your CNAME records, waiting for DNS propagation, and hitting activate — takes less than an hour. The payoff is a significantly lower chance of landing in spam, a stronger domain reputation, and emails that actually get seen.

But here’s the honest truth: even with DKIM, SPF, and DMARC fully configured, cold email is an uphill battle. With inboxes more crowded than ever and spam filters growing more aggressive, deliverability is just the first problem — standing out in a flooded inbox is the second.

That’s where teams who add LinkedIn outbound to their strategy consistently pull ahead. Verified decision-makers. No spam filters. Response rates 3–5x higher than email alone.

If you want to see what a full outbound system — email and LinkedIn — looks like for your business, SalesSo builds and runs it for you from day one.

Book a free strategy meeting →