Summary
Adding a DKIM record for an owned domain in Salesforce Marketing Cloud (SFMC) typically involves using SFMC's Sender Authentication Package (SAP) or setting up a Private Domain. The SAP includes a dedicated IP address, branded domain, and DKIM signing. Activating SAP requires contacting your Account Executive and having Salesforce provision the domain, providing CNAME records for DNS updates. Some sources suggest you cannot add your own DKIM record without SAP, as Salesforce needs to manage the private key for security. DKIM involves a public/private key pair, with the public key added to your DNS records and the private key used by the sending server. Multiple DKIM keys can exist for a domain with unique selectors. Without a SAP, you may use shared IPs, potentially hurting deliverability. Regular DKIM key rotation is recommended for enhanced security. Deploying DKIM involves generating a key pair, adding the public key to DNS, configuring the mail server to sign messages, and testing for proper function.
Key findings
- SAP/Private Domain Requirement: SFMC typically requires a Sender Authentication Package (SAP) or a Private Domain for implementing DKIM.
- Salesforce Private Key Management: Salesforce generally manages the private key associated with DKIM for security reasons.
- DKIM Key Pair Mechanism: DKIM operates using a public/private key pair where the public key is added to DNS records.
- Multiple DKIM Keys Possible: It's possible to have multiple DKIM keys for a domain, using unique selectors for each.
- Impact of Shared IPs on Deliverability: Using shared IPs without SAP can negatively impact email deliverability.
- DKIM for Authentication: DKIM authenticates emails, verifying they were sent and authorized by the domain owner.
- Key Rotation Best Practice: Regular DKIM key rotation is recommended to enhance security.
Key considerations
- SAP Cost and Requirements: Consider the costs and requirements associated with implementing a Sender Authentication Package (SAP).
- Account Executive Contact: Contact your Salesforce Account Executive to enable SAP or discuss Private Domain options.
- DNS Record Management: Be prepared to manage and update DNS records as instructed by Salesforce during setup and for key rotation.
- Testing and Validation: Thoroughly test and validate the DKIM setup to ensure it's functioning correctly.
- Potential Deliverability Issues: Understand the potential impact on email deliverability if DKIM is not properly implemented.
- Alternative Authentication Options: Explore alternative email authentication methods to improve security.
What email marketers say
13 marketer opinions
Adding a DKIM record for an owned domain in Salesforce Marketing Cloud (SFMC) typically involves using SFMC's Sender Authentication Package (SAP) or a Private Domain. The SAP provides a dedicated IP address, branded domain, and DKIM signing, requiring you to contact your Account Executive to enable it. Some sources suggest it's not possible to add your own DKIM record without SAP, as Salesforce needs to manage the private key for security. DKIM involves a public/private key pair, with the public key added to your DNS records and the private key used by the sending server. Multiple DKIM keys can exist for a domain with unique selectors. Without a SAP, you risk using shared IPs, potentially hurting deliverability. DKIM authenticates emails, verifying they were sent and authorized by the domain owner.
Key opinions
- SAP/Private Domain: SFMC typically requires a Sender Authentication Package (SAP) or Private Domain for DKIM setup.
- Private Key Management: Salesforce usually manages the private key associated with DKIM for security.
- DKIM Key Pair: DKIM involves a public/private key pair, where the public key is added to your DNS records.
- Multiple DKIM Keys: A domain can have multiple DKIM keys with unique selectors, useful for multiple sending services.
- Impact of Shared IPs: Without SAP and using shared IPs can negatively impact email deliverability.
- DKIM Authentication: DKIM authenticates emails by verifying they were sent and authorized by the domain owner.
Key considerations
- SAP Cost: Consider the cost implications of implementing a Sender Authentication Package (SAP).
- Contact Account Executive: Contact your Salesforce Account Executive to enable SAP and discuss Private Domain options.
- DNS Record Updates: Be prepared to update your DNS records with the public DKIM key provided by Salesforce.
- Deliverability Impact: Understand the potential impact on email deliverability if you don't properly implement DKIM.
- Alternative Authentication: Explore alternative email authentication methods to improve email security
Marketer view
Email marketer from Super User shares that DKIM records are added to DNS records and can be used for multiple different systems that are setup. These are assigned with unique names (selectors).
10 Aug 2022 - Super User
Marketer view
Marketer from Email Geeks explains the DKIM-signing process, mentioning that email sent with a DKIM domain needs to be signed with a key pair (private and public). The private key has to be owned by the sending mail server. For SFMC to send DKIM-signed email, you must have their public key in your DNS and they must sign with their private key.
7 Jun 2024 - Email Geeks
What the experts say
1 expert opinions
Deploying DKIM involves generating a key pair, adding the public key to DNS as a TXT record, configuring the mail server to sign messages with the private key, and testing for proper function.
Key opinions
- Key Pair Generation: DKIM deployment requires generating a public/private key pair.
- DNS Configuration: The public key must be added to the domain's DNS records as a TXT record.
- Mail Server Configuration: The mail server needs to be configured to sign outgoing messages using the private key.
- Testing and Validation: Testing and validation are necessary to ensure DKIM is functioning correctly.
Key considerations
- Complexity: DKIM deployment can be complex and requires careful configuration.
- DNS Access: You'll need access to your domain's DNS settings to add the TXT record.
- Security: Properly securing the private key is crucial for DKIM security.
- Testing Tools: Use appropriate testing tools to validate the DKIM setup.
Expert view
Expert from Spam Resource (John Levine) explains that deploying DKIM involves generating a key pair, adding the public key to your DNS as a TXT record, and configuring your mail server to sign outgoing messages with the private key. The process also involves testing and validation to ensure it is working correctly.
6 Sep 2024 - Spam Resource
What the documentation says
3 technical articles
Salesforce documentation explains that adding a DKIM record for your owned domain in SFMC is typically achieved through a Sender Authentication Package (SAP) or by setting up a private domain. SAP includes DKIM signing along with a dedicated IP and branded domain, requiring Salesforce to provision the domain and provide CNAME records for DNS updates. Setting up a private domain involves purchasing a domain, requesting setup with Salesforce who then provide necessary DNS records (including DKIM), improving brand recognition and deliverability. DKIM key rotation is also possible, enhancing security by generating a new key and updating DNS records to maintain proper authentication.
Key findings
- SAP Features: A Sender Authentication Package (SAP) includes DKIM signing, a dedicated IP address, and a branded domain.
- SAP Activation: Activating SAP requires Salesforce to provision the domain and provide CNAME records for DNS updates.
- Private Domain Setup: Setting up a private domain involves purchasing a domain and requesting setup with Salesforce.
- DNS Records from Salesforce: Salesforce provides DNS records (including DKIM) to configure with your domain registrar when setting up a private domain.
- DKIM Key Rotation: DKIM key rotation enhances security and requires generating a new DKIM key and updating DNS records.
Key considerations
- DNS Access: You need access to your DNS settings to update records as instructed by Salesforce.
- Salesforce Involvement: Setting up SAP or a private domain requires direct involvement from Salesforce to provision the domain and provide necessary records.
- Security Practices: Regularly rotating DKIM keys can improve email security and prevent spoofing.
- Deliverability Benefits: Using your own domain and properly implementing DKIM can improve email deliverability and brand recognition.
Technical article
Documentation from Salesforce Help outlines setting up a private domain in Marketing Cloud. You purchase a domain, request setup with Salesforce, who will then provide DNS records (including DKIM) to configure with your domain registrar. This allows you to send emails from your own domain, improving brand recognition and deliverability.
9 Mar 2024 - Salesforce Help
Technical article
Documentation from Salesforce Help explains that a Sender Authentication Package (SAP) is a collection of products that authenticates your email sends. It includes a dedicated IP address, branded domain for link and image wrapping, and DKIM signing. Activating SAP involves Salesforce provisioning the domain and providing CNAME records to update in your DNS.
31 Aug 2022 - Salesforce Help
Can DKIM be set up on a subdomain, and which domain should be used for signing?
Can I use DMARC with shared IP addresses?
Do DKIM selectors affect email reputation?
How do I find the DKIM selector for my domain in Dmarcian or Hubspot?
How do I properly set up SPF and DKIM records for email marketing, including handling multiple SPF records, IP ranges, bounce capturing, and Google Postmaster Tools verification?
How do I test and validate one-click unsubscribe functionality in Salesforce Marketing Cloud (SFMC)?
