How to Set Up Salesforce SPF and DKIM (New CNAME Version)

If you send emails out of Salesforce, you have two options: you can have Salesforce’s email servers send the email, or you can have Salesforce relay the email to your email server (Gmail, Exchange, Office 365). Today's post will focus on the first option of having Salesforce send the email on your behalf. There are a number of reasons you might opt for this approach. For example, you may have salespeople sending emails to leads and prospects, and do not wish to hurt your email server reputation or deliverability if you are flagged for spam. Another reason relates to volume. If you have a large service center sending out thousands of emails per day, this may put a large load on your server, and you may instead wish to use Salesforce's email server.

If you don’t configure SPF and DKIM you might get flagged for spoofing or end up in spam.

Why Set Up SPF and DKIM in Salesforce?

When you have an external email sender, like Salesforce, send emails from email addresses that have your domain name, it's important to set up SPF and DKIM. Otherwise, the person receiving the message will have the email flagged for possible spoofing in their inbox. How this looks will vary depending on the person receiving it. Some corporate email servers automatically delete incoming emails that appear to be spoofing, while others send them to the spam folder.

DKIM Setup in Salesforce & Your DNS

1. Navigate to the Salesforce Setup menu and type in DKIM in the quick find. Click DKIM Keys.

2. Click Create New Key.

3. Choose your key size. For selector enter salesforce. For alternative selector enter sfdc. For domain enter your domain name, in my case, cloudonpurpose.com. For domain match, enter the domain pattern for your needs. I only plan on sending from email addresses with cloudonpurpose.com so I'll enter that. If you want to enable DKIM with subdomains, you would enter *.cloudonpurpose.com. Click Save.

4. It will take a minute for Salesforce to generate the CNAME entries that you need to set up. Give the page a refresh and you should see something like the image below.

Note: this is the new way that Salesforce does DKIM. It does not generate long strings for public and private keys like it previously did.

This is what DKIM used to look like in Salesforce.

5. Next, let's navigate to our domain name server (DNS) and go to the cpanel. In our example, I'll be using NameCheap as our DNS, but you can use GoDaddy or wherever you have your domain hosted.

6. In your DNS create a CNAME record. Copy the first part of the CNAME record line prior to "IN CNAME" and paste it in host. For us it’s salesforce.domainkey. Important Note: You do not need your domain name at the end of selector.domainkey and should remove it from the string Salesforce generates. Otherwise, you will not be able to activate the DKIM Configuration.

7. Go back to Salesforce and copy the 2nd part of the CNAME line—everything after "IN CNAME" and paste it in value. In our example it’s salesforce.pymfaj.custdkim.salesforce.com.

8. Follow the same steps for the alternate CNAME record.

This screenshot shows the CNAME entries entered into our DNS.

9. Next, you have to wait. Your DNS needs to propagate these changes. When it does you'll notice the "Activate" button on the DKIM page in Salesforce is no longer greyed out! Click it!
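
Steps 6 to 8 as an added example (not code from the original post): it splits each generated line at "IN CNAME" into the Host and Value fields and drops the domain from the host. The sample lines are constructed; they use the `_domainkey` label that RFC 6376 defines for DKIM selector names, and the alternate target is a placeholder.

```python
import re

# The line Salesforce displays has the shape "<name> IN CNAME <target>".
CNAME_LINE = re.compile(r"^\s*(\S+)\s+IN\s+CNAME\s+(\S+)\s*$", re.IGNORECASE)

# Constructed sample lines; the second target is a placeholder.
SAMPLE_LINES = [
    "salesforce._domainkey.cloudonpurpose.com. IN CNAME salesforce.pymfaj.custdkim.salesforce.com.",
    "sfdc._domainkey.cloudonpurpose.com. IN CNAME sfdc.placeholder.custdkim.salesforce.com.",
]


def panel_entry(line, zone):
    """Turn one generated CNAME line into the Host and Value fields of a DNS panel."""
    match = CNAME_LINE.match(line)
    if match is None:
        raise ValueError(f"not a CNAME line: {line!r}")
    name = match.group(1).rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    if not name.endswith("." + zone):
        raise ValueError(f"{name} is not inside zone {zone}")
    host = name[: -(len(zone) + 1)]  # step 6: drop the domain from the host
    labels = host.split(".")
    # A DKIM name is <selector>._domainkey, optionally followed by a subdomain.
    if len(labels) < 2 or labels[1] != "_domainkey":
        raise ValueError(f"{host} is not a DKIM selector name")
    # The value is pasted exactly as generated (everything after "IN CNAME").
    return {"type": "CNAME", "host": host, "value": match.group(2)}


def host_field_ok(host, zone):
    """False when the Host field still carries the domain (the step 6 mistake)."""
    host, zone = host.rstrip(".").lower(), zone.rstrip(".").lower()
    return host != zone and not host.endswith("." + zone)


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(panel_entry(sample, "cloudonpurpose.com"))
```
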

SPF for Salesforce Setup in Your DNS

In your zone editor for your domain, look for an existing TXT record that has a v=spf1 statement. If you don't have one, create one. Add include:_spf.salesforce.com to the SPF statement, or simply _spf.salesforce.com if you have an existing SPF entry that you’re editing.

This text entry in the DNS shows our SPF entry that includes both Google and Salesforce.
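
An added example (not from the original post) of editing the SPF record described above: it keeps a single v=spf1 record, places the Salesforce include before the final all term, and counts the terms that cost a DNS lookup. The sample TXT values, the Google include and the ~all default for a new record are assumptions.

```python
import re

SALESFORCE_INCLUDE = "include:_spf.salesforce.com"  # term named in the article
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def bare(term):
    """Strip the qualifier (+ - ~ ?) and lowercase an SPF term."""
    return term.lstrip("+-~?").lower()


def spf_records(txt_values):
    """Keep only the TXT values that are SPF records."""
    return [v for v in txt_values if v.lower().split()[:1] == ["v=spf1"]]


def lookup_count(record):
    """Count top-level terms that cost a DNS lookup; RFC 7208 allows 10 in total,
    and lookups made inside each included record count toward the same limit."""
    names = (re.split(r"[:=/]", bare(t), maxsplit=1)[0] for t in record.split()[1:])
    return sum(1 for name in names if name in LOOKUP_TERMS)


def add_salesforce(txt_values, default_all="~all"):
    """Return the single SPF record the domain should publish."""
    records = spf_records(txt_values)
    if len(records) > 1:
        # Two v=spf1 records make receivers return a permanent error.
        raise ValueError("more than one v=spf1 record; merge them into one")
    if not records:
        return f"v=spf1 {SALESFORCE_INCLUDE} {default_all}"  # assumed default
    terms = records[0].split()
    if SALESFORCE_INCLUDE in map(bare, terms):
        return records[0]  # already present, nothing to change
    # Terms are evaluated left to right, so the include must come before "all".
    position = next((i for i, t in enumerate(terms) if bare(t) == "all"), len(terms))
    terms.insert(position, SALESFORCE_INCLUDE)
    return " ".join(terms)


# Constructed TXT values for a domain that already sends through Google.
SAMPLE_TXT = ["google-site-verification=constructed-token",
              "v=spf1 include:_spf.google.com ~all"]

if __name__ == "__main__":
    merged = add_salesforce(SAMPLE_TXT)
    print(merged, "| lookups:", lookup_count(merged))
```
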

We're now all set. Let's send a test email to ensure that emails we send out of Salesforce don't get tagged for spoofing.

This email shows an email sent from Salesforce using Salesforce’s email servers but has been signed by our domain. It was not flagged for spoofing.

That's all there is to it! In a future post we'll look at DMARC and also an alternative way to send email out of Salesforce using email relay. Let me know if you were able to set this up or if you have any issues via the comments below.

Paul B. Fischer

Paul Fischer is a certified Salesforce Consultant based in Los Angeles, California. He has over 12 years of Salesforce experience and holds 19 certifications. Before founding Cloud on Purpose, Paul worked as a Salesforce Consultant at Perficient, ShellBlack, Magnet360, and TCS. Prior to working in consulting he helped scale startups with Salesforce.

Paul has deep expertise across numerous Salesforce clouds including Marketing Cloud, Sales Cloud (including CPQ & Sales Engagement), Service Cloud, Experience Cloud, and Financial Services Cloud. He is also experienced with niche Salesforce solutions including Salesforce Maps, Scheduler, and Einstein Activity Capture.

He serves clients spanning many global time zones including Los Angeles, Chicago, Washington DC, Raleigh, London and Dubai.

https://www.cloudonpurpose.com