In order to create/manage DKIM keys in Salesforce, you will need to have the right user permissions. If you do not see the DKIM configurations in your user view, please reach out to you Salesforce administrator. You may not have the right permissions to make these edits/changes.
When you create a DKIM key, Salesforce generates a public and private key pair. You must publish the public key in DNS, which tells recipients that you, as the owner of the domain, have authorized the use of this key to sign your mail. Salesforce uses the private key to create the DKIM signature headers on your outgoing email. Then, recipients of the mail can compare the signature header with the public key in DNS to determine that the mail was signed with an authorized key. If your domain also publishes a Domain-based Message Authentication, Reporting and Conformance (DMARC) policy, recipients can use the DKIM signature to verify that the mail conforms to DMARC.
To create a new key:
- From Setup click Email Administration | DKIM Keys.
- Click Create New Key.
- For Selector, enter a unique name.
- Enter your Domain name.
- Select the type of Domain Match you'd like to use.
- Click Save.
- The key defaults to Inactive state. Make sure you add the public key to the DNS record before activating the key. DKIM signing is active whenever you have an active DKIM key.
- You can’t have more than one active DKIM key per domain name. You might have multiple active DKIM keys if your organization sends mail from more than a single domain or if you use subdomains under your organizational domain and have specified domain matching at the subdomain level.
- When you insert or update a domain key, it’s possible that the change affects existing DKIM keys. For example, if you’ve set DomainMatch to DomainAndSubdomains for the example.com domain, and you then set DomainMatch to SubdomainsOnly for the mail.example.com domain, either key could be used. Here’s how we resolve conflicts in the case when domain keys overlap.
- If two keys are equally specific about matching for the same domain, the new key replaces and deactivates the existing key.
- If a new key is more specific about matching than an existing key, the new key is used and the existing key is modified to no longer apply to the case covered by the new key. For example, because DomainOnly and SubdomainsOnly are more specific than DomainAndSubdomains, a new DomainOnly key would change the DomainMatch for an existingDomainAndSubdomains key to become SubdomainsOnly.
- If multiple keys have different domains that match the sending domain, the key with the longest domain name is used. In case of a tie, the most specific key is used.
For further information regarding Salesforce DKIM configuration, please review your Salesforce support documentation: Click Here
For further information about DKIM, please review: How does DKIM work?