How to add DKIM record for owned domain in Salesforce Marketing Cloud (SFMC)?

Key findings

• SAP requirement: Salesforce Marketing Cloud typically requires the purchase of a Sender Authentication Package to fully authenticate your own domain with DKIM.
• Private key ownership: For SFMC to sign emails with your domain’s DKIM, they need access to (or control over) the private key associated with your domain's public DKIM record.
• Delegated domains: SFMC’s SAP essentially delegates your domain's authentication to Salesforce, which then handles the necessary DNS records, including DKIM, SPF, and DMARC.
• Cost consideration: Many users express a desire to authenticate their own domains without incurring the additional cost of an SAP, but this appears to be the standard path within SFMC.
• Deliverability impact: Using an unauthenticated domain or one with improper authentication can lead to significant email deliverability issues, including emails landing in spam folders or being rejected entirely.

Key considerations

• SAP or alternative: Evaluate whether the benefits of a Sender Authentication Package, which simplifies DNS management and authentication for multiple protocols, outweigh its cost for your organization.
• Private key control: Understand that if SFMC is signing your emails, they must possess the private key. Attempting to set up DKIM independently without this handoff will not result in SFMC-signed emails.
• DNS management: Ensure your DNS is configured to allow SFMC to send emails on your behalf, typically by adding their public key to your DNS. This is part of a broader email authentication strategy that includes setting up SPF, DKIM, and DMARC.
• Multiple sending sources: If you send emails from multiple platforms, you may need different DKIM key pairs for the same domain using distinct selectors, or by using subdomains for each platform.
• Deliverability optimization: Proper DKIM setup is critical for enhancing email deliverability and avoiding blocklists, irrespective of your ESP. For more on what an SAP provides, consider this overview of Salesforce SAP benefits.

Key opinions

• Cost avoidance: Many marketers prefer to authenticate their own domains independently rather than paying for Salesforce's Sender Authentication Package (SAP).
• Existing domain utilization: There's a strong preference to use long-standing, owned domains for email sending over SFMC-generated private domains, especially if the latter show poor deliverability.
• Setup difficulty: Some perceive the setup process for DKIM on owned domains within SFMC as lacking straightforward options or transparency.
• Deliverability issues: Marketers face challenges with delivery rates and reply mail management when not using properly authenticated or optimized domains.
• Authentication dependency: There's a general understanding that proper authentication (SPF, DKIM, DMARC) is crucial for improving email deliverability and avoiding undeliverable errors.

Key considerations

• SAP as a solution: Consider engaging with your Salesforce Account Manager to understand if a Sender Authentication Package is the required path for full owned-domain DKIM authentication.
• Deliverability impact: Prioritize proper domain authentication to mitigate issues like low deliverability or problems with reply mail management, which can severely impact campaign performance.
• Domain strategy: Decide between leveraging an SFMC-provided private domain or pushing for authentication of your established, owned domain, weighing the pros and cons of each in terms of branding, control, and deliverability. Read more about common DKIM key considerations in Marketing Cloud.
• External service authentication: Be aware that while you can set up your own DKIM records, SFMC requires its private key to properly sign emails originating from its platform, reinforcing the need for their authentication services. For deeper insights into email deliverability issues in general, refer to expert guides.

Key opinions

• Private key requirement: For SFMC to DKIM-sign emails, they must possess the private key corresponding to the public key in your DNS.
• DKIM mechanics: Email sent with a DKIM domain requires a key pair (private and public), with the private key held by the sending mail server.
• SAP necessity: To use your own domain for DKIM signing with SFMC instead of their shared domain, acquiring their Sender Authentication Package is essential.
• Varying ESP policies: Unlike some other ESPs, Salesforce Marketing Cloud charges extra for this level of domain authentication and private key management.
• Multiple sending options: If you send email from various platforms, you can set up additional key pairs for the same domain using different DKIM selectors, or use subdomains.

Key considerations

• Technical understanding: Grasp the concept of DKIM key pairs, especially the private key's role on the sending server, to properly configure your authentication.
• Platform capabilities: Recognize that while you can create your own DKIM record, SFMC needs specific configuration (via SAP) to utilize it for signing.
• Strategic investment: Factor in the cost and benefits of SFMC's SAP when planning your email infrastructure, considering its impact on full domain authentication and deliverability troubleshooting.
• Multi-platform sending: If you use other ESPs, investigate their policies on DKIM signing for owned domains, as they may differ from SFMC's approach. This will allow you to better manage your email authentication landscape.

Key findings

• Private domain capabilities: Private Domains, often part of an SAP, allow sending mail from an authenticated domain, including SPF, Sender ID, Domain Keys, and DKIM.
• Authentication application: Salesforce applies SenderID, SPF, and DKIM records to the customer’s sending domain through private domains.
• DNS configuration: To use a private domain, you may need to self-host your DNS and specifically add DKIM, SPF, and DMARC records to authenticate SFMC's IP addresses.
• Checking DKIM: DKIM records can be verified by inputting the selector and domain into a checker tool.
• Authentication options: Ensuring a valid DKIM key for your sending domain typically involves either a delegated domain setup or direct configuration within your domain management settings.

Key considerations

• SAP as a package: Recognize that a Sender Authentication Package bundles key authentication elements (SPF, DKIM, Sender ID) essential for branded and authenticated sending from SFMC. Learn about private domain benefits in Salesforce Marketing Cloud.
• DNS hosting: Be prepared to manage your own DNS records if you choose to authenticate your domain directly with SFMC's IP addresses, ensuring proper alignment.
• Record placement: Ensure that your SPF, DKIM, and DMARC records are correctly placed in your DNS for comprehensive email authentication. This is crucial for avoiding issues, including SPF and DKIM alignment problems.
• Subdomain strategy: If using subdomains for different email services, understand how to set up distinct SPF and DKIM records for each, preventing conflicts and maintaining deliverability across platforms. This is similar to setting up SPF and DKIM for new subdomains.