How to add DKIM record for owned domain in Salesforce Marketing Cloud (SFMC)?
Matthew Whittaker
Co-founder & CTO, Suped
Published 26 Apr 2025
Updated 17 Aug 2025
Email authentication is crucial for ensuring your messages reach the inbox, and DKIM (DomainKeys Identified Mail) plays a significant role in this. It helps recipient mail servers verify that an email was indeed sent by the domain it claims to be from and that the message hasn't been tampered with in transit. For businesses using Salesforce Marketing Cloud (SFMC) to send emails, properly configuring DKIM for your owned domain is a key step towards improving deliverability and protecting your brand's reputation.
Many companies want to use their primary brand domain for email sending rather than a subdomain provided by their ESP. This helps maintain brand consistency and builds trust with recipients. However, integrating your owned domain with a platform like SFMC for DKIM signing isn't always straightforward. It requires understanding how SFMC handles email authentication and what specific steps are necessary to ensure proper setup.
This guide will walk through the process of adding a DKIM record for your owned domain within Salesforce Marketing Cloud, clarify the role of the Sender Authentication Package (SAP), and provide insights into common considerations to help you achieve optimal email deliverability.
DKIM works by adding a digital signature to your outgoing emails. This signature is generated using a private key kept by the sending mail server (in this case, SFMC) and is verified by recipient mail servers using a public key published in your domain's DNS records. For this system to function correctly, SFMC needs to sign your emails with their private key, and your domain's DNS must contain the corresponding public key.
While SFMC offers various levels of domain configuration, the most comprehensive solution for full email authentication, including DKIM, SPF, and DMARC alignment, is typically achieved through their Sender Authentication Package (SAP). Without SAP, SFMC usually sends emails from a shared domain or a private domain that lacks full authentication for your specific brand.
The distinction between simply having an owned domain in SFMC and having it fully authenticated via DKIM is critical. Just because you use your domain in the 'From' address does not mean it's DKIM-signed by that domain. Without the proper setup, your emails might still show as 'sent via marketingcloud.com' or similar, which can negatively impact your sender reputation and increase the likelihood of messages landing in the spam folder.
To correctly add a DKIM record for your owned domain in SFMC, the Sender Authentication Package (SAP) is almost always a prerequisite for full authentication. SAP is Salesforce Marketing Cloud's solution for email authentication and branding. It provides you with a dedicated IP address (or range), a private domain (which includes SPF, DKIM, and DMARC setup), and custom branding for your links and images. This package ensures that emails sent through SFMC are fully authenticated and aligned with your brand's domain.
The critical reason SAP is needed for DKIM with your owned domain is that DKIM requires a pair of cryptographic keys: a private key and a public key. The private key resides with the sending server, which is Salesforce Marketing Cloud. For SFMC to sign emails with your domain's DKIM signature, they must possess the private key corresponding to the public key you publish in your DNS. SFMC only provides you with this private key functionality (and the corresponding public key to publish) as part of the SAP offering.
Attempting to create a DKIM record for your owned domain independently without SFMC's involvement for the private key will result in DKIM validation failures. Your DNS record might exist, but the emails sent from SFMC won't be signed correctly, leading to authentication errors and potential blocklisting (or blacklisting). This is why direct authentication of an owned domain for DKIM signing within SFMC typically necessitates the purchase and configuration of SAP.
Steps to implement DKIM for your owned domain in SFMC
Once you have the Sender Authentication Package provisioned for your Salesforce Marketing Cloud account, the process for adding your DKIM record (and other authentication records) becomes a collaborative effort with Salesforce support. You won't directly add the DKIM record via a self-service interface in SFMC setup for your owned domain.
The typical procedure involves working with your Salesforce Account Manager or support team. They will provide you with the specific DNS records you need to publish, including the DKIM public key, SPF record, and DMARC record. These records are custom-generated for your chosen sending domain or subdomain under the SAP.
Salesforce provides a detailed guide on how to create and manage DKIM keys within their system, which is largely facilitated through their support team after SAP activation. Your task will then be to add these provided records to your domain's DNS settings via your domain registrar or DNS hosting provider.
An example of a DKIM record you might receive is a CNAME record, which points to a Salesforce-controlled DKIM key. This is a common method for ESPs to manage DKIM without you needing to directly paste long TXT strings. The DKIM selector (e.g., sfmc) identifies which public key to use for verification.
Example DKIM CNAME record (DNS):
sfmc._domainkey.yourdomain.com IN CNAME sfmc.yourdomain.com.dkim.marketingcloud.com.
Troubleshooting and best practices
After publishing the DNS records provided by Salesforce, it's essential to verify their correct implementation. You can use various online email testing tools to confirm that your DKIM, SPF, and DMARC records are correctly configured and that your emails are passing authentication. Incorrectly configured records can lead to emails failing authentication, resulting in them being sent to spam or even rejected outright.
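The header check described above, as an added example that is not part of the original article or Salesforce's own tooling: it reads a received test message, reports which domain and selector each DKIM-Signature uses, the DNS name a verifier would query, and whether the signing domain lines up with the From domain. The function names, the sample messages, and the domain shared-esp.example are assumptions made for illustration, and the alignment test is a simplified approximation.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not real SFMC output); bh=/b= values are placeholders.
SIGNED_BY_OWN_DOMAIN = """\
From: News <news@yourdomain.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.com;
 s=sfmc; h=from:subject:date; bh=CONSTRUCTED; b=CONSTRUCTED
Subject: test

body
"""
# Same message, but signed by a hypothetical shared ESP domain instead.
SIGNED_BY_SHARED_DOMAIN = SIGNED_BY_OWN_DOMAIN.replace(
    "d=yourdomain.com", "d=shared-esp.example")


def parse_tags(value):
    """Split a DKIM tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for part in re.sub(r"\s+", "", value).split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name] = val
    return tags


def dkim_report(raw_message):
    """Return (From domain, one dict per DKIM-Signature header)."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
    report = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(header)
        d, selector = tags.get("d", "").lower(), tags.get("s", "")
        # Approximation of relaxed alignment: exact match or parent/child domain.
        # A complete check compares organizational domains via the Public Suffix List.
        aligned = bool(d and from_domain) and (
            d == from_domain
            or from_domain.endswith("." + d)
            or d.endswith("." + from_domain))
        report.append({"d": d, "selector": selector,
                       "dns_name": f"{selector}._domainkey.{d}",
                       "aligned_with_from": aligned})
    return from_domain, report


if __name__ == "__main__":
    for sample in (SIGNED_BY_OWN_DOMAIN, SIGNED_BY_SHARED_DOMAIN):
        print(dkim_report(sample))
```

This only inspects the header fields; it does not verify the signature cryptographically, so pair it with the receiving server's Authentication-Results or an authentication checker.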
Monitoring your email deliverability is a continuous process. Keep an eye on your sender reputation and DMARC reports to identify any authentication failures or potential issues. If you notice a sudden drop in inbox placement or an increase in DMARC 'fail' results, it's a strong indicator that your email authentication, including DKIM, might be misconfigured or that your domain has been placed on an email blocklist (or blacklist).
Effective DKIM implementation, alongside SPF and DMARC, significantly enhances your domain's credibility with mailbox providers like Gmail and Yahoo. This leads to better inbox placement and improved email engagement metrics, and it protects your brand from phishing and spoofing attacks. For a deeper dive into these authentication methods, explore our guide to DMARC, SPF, and DKIM.
Best practices for SFMC DKIM setup
Key recommendations
Engage Salesforce support: Always work directly with your Salesforce account team to provision and receive the necessary DNS records for SAP.
Verify DNS propagation: After adding records to your DNS, allow sufficient time for propagation (24-48 hours) before testing.
Monitor performance: Regularly check your deliverability and DMARC reports for any issues.
Consider DMARC: Implement a DMARC policy for comprehensive email authentication and reporting.
The path to authenticated sending
Proper DKIM implementation for your owned domain in Salesforce Marketing Cloud is a critical step in achieving optimal email deliverability and maintaining a strong sender reputation. While it might seem complex, especially with the reliance on the Sender Authentication Package (SAP), understanding SFMC's authentication requirements is key. By collaborating with Salesforce support and diligently publishing the provided DNS records, you can ensure your emails are fully authenticated, build recipient trust, and ultimately improve your campaign performance.
Views from the trenches
Best practices
Ensure your Salesforce Account Manager enables the Sender Authentication Package for your account.
Work with Salesforce support to obtain the correct DKIM CNAME record and other DNS entries for your domain.
Always verify DNS propagation after publishing records, and confirm DKIM passes using an email authentication checker.
Align DKIM with your DMARC policy to protect your domain against spoofing and phishing.
Common pitfalls
Attempting to manually generate and add a DKIM TXT record without SFMC's private key, which will lead to authentication failures.
Assuming that simply using your 'From' domain in SFMC means it's fully DKIM authenticated.
Neglecting to monitor DMARC reports after setup, missing crucial signs of authentication issues or blocklist (blacklist) placement.
Not understanding that SFMC's SAP is typically a prerequisite for full DKIM signing of your owned domain.
Expert tips
If your private domain from SFMC is having deliverability issues, consider if it's due to poor setup or sender practices, as a new domain with SAP should perform well.
Remember that for SFMC to DKIM-sign emails using your domain, they must hold the private key corresponding to your public DNS record, which is facilitated by SAP.
If you need to send emails from other platforms using the same domain, you can set up additional DKIM key pairs with different selectors for those services.
Always factor in the additional cost for the Sender Authentication Package when planning your SFMC setup for optimal deliverability.
Expert view
Expert from Email Geeks says: You can set up your own DKIM record for your domain, but without SFMC's private key, emails sent through SFMC will not be correctly signed by your domain.
2024-04-01 - Email Geeks
Marketer view
Marketer from Email Geeks says: I initially thought I could just add the DKIM record myself, but SFMC requires their Sender Authentication Package (SAP) to properly authenticate your owned domain.