Salesforce DKIM Security on Emails - CNAME

posted Jun 5, 2019, 1:19 PM by Andrew Chadick   [ updated Jun 5, 2019, 3:37 PM ]
If you find that your Salesforce emails are going to spam when they were working fine before, it's because of tightening security measures on the backend. To rectify the situation, you will need to create a new DKIM key in Salesforce. Go to the Setup area in Salesforce and search for DKIM. It will pop up straight away.

One of the things that is very confusing when creating the key is that what you are given is NOT a DKIM key; instead, you are given a pair of CNAMEs.

It took quite a bit of time to figure out what was needed, as there is really no explanation given, but the bottom line is that you need to go into your domain registrar, create 2 CNAME TXT records, and insert the data you are given. Salesforce has created secure records on their backend, which they don't share with you; you are simply setting up a CNAME which points to that location, and their servers will handle the rest.

Example of what you are given when creating the keys:
CNAME Record specialkey1._domainkey.mydomainname.org IN CNAME specialkey1.rrge1q.custdkim.salesforce.com.
Alternate CNAME Record specialkey2._domainkey.mydomainname.org IN CNAME specialkey2.9971sp.custdkim.salesforce.com.

The way this looks in your registrar might be different, but for me, it looks like this:

Alias                     TTL     Refers to Host Name    Other Host
______________________    ____    ___________________    ___________________________________________
specialkey1._domainkey    3600                           specialkey1.rrge1q.custdkim.salesforce.com.
specialkey2._domainkey    3600                           specialkey2.9971sp.custdkim.salesforce.com.

The important thing here is to make sure that you enter your "Alias" without your domain name added to it, even though Salesforce does add the domain name on the detail view of the supposed DKIM record results that they give you. You have to copy and paste the right parts over to your TXT record fields in the registrar.
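The alias rule above, as an added example (not from the original post or from Salesforce): this Python sketch parses the two lines Salesforce displays, derives the alias to enter at the registrar, and reports what would be published if the full name were pasted in instead. It assumes the registrar appends the zone name to whatever is typed in the alias field; the function names are illustrative.

```python
import re

# Constructed sample input: the two record lines shown in the post's example.
SALESFORCE_OUTPUT = """\
CNAME Record specialkey1._domainkey.mydomainname.org IN CNAME specialkey1.rrge1q.custdkim.salesforce.com.
Alternate CNAME Record specialkey2._domainkey.mydomainname.org IN CNAME specialkey2.9971sp.custdkim.salesforce.com.
"""

RECORD_RE = re.compile(r"(\S+)\s+IN\s+CNAME\s+(\S+)", re.IGNORECASE)


def _fqdn(name):
    """Normalise a DNS name to lower case with exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def parse_records(text):
    """Return (owner_fqdn, target_fqdn) pairs found in Salesforce's output."""
    return [(_fqdn(o), _fqdn(t)) for o, t in RECORD_RE.findall(text)]


def registrar_alias(owner_fqdn, zone):
    """Alias to type when the registrar appends the zone itself (assumption)."""
    suffix = "." + _fqdn(zone)
    if not owner_fqdn.endswith(suffix):
        raise ValueError(f"{owner_fqdn} is not inside zone {zone}")
    return owner_fqdn[: -len(suffix)]


def check_entry(alias_as_typed, owner_fqdn, zone):
    """Return None if the published name is correct, else describe the mismatch."""
    published = _fqdn(alias_as_typed) + _fqdn(zone)
    if published == owner_fqdn:
        return None
    return f"publishes {published} but DKIM verifiers look up {owner_fqdn}"


if __name__ == "__main__":
    zone = "mydomainname.org"
    for owner, target in parse_records(SALESFORCE_OUTPUT):
        alias = registrar_alias(owner, zone)
        print(f"Alias: {alias}  ->  {target}")
        # Pasting the full name from Salesforce's detail view doubles the domain.
        print("  if pasted whole:", check_entry(owner, owner, zone))
```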

Once you have saved the CNAMEs to your registrar, it takes about 30 minutes for the changes to take effect. Once you have waited the 30 minutes, go back to the location where you created the DKIM key in Salesforce, and click the button that says "Activate".

Once activated, the check box next to your key will be ticked, and your emails will now be fixed and flowing back to your inbox instead of spam. You can test this by running the Test Deliverability (Emails from Salesforce or Email Relay Only) option in the control panel: type your email in, and a series of 16 emails will go out, and they should come to your inbox instead of spam. If they don't immediately go to the inbox, just wait another 30 minutes. It will work.

Note to Salesforce: (These links aren't helpful), you need to spell out what is happening.