When sending emails through your Salesforce instance, it is strongly recommended to have at least one of the four Email Security Mechanisms set up. These security mechanisms are required for the following reasons:
To prevent outbound emails from being filtered from recipient’s inbox, resulting in the emails being sent to Junk folders;
To prevent email spoofing;
Salesforce supports several email security mechanisms:
DomainKeys Identified Mail (DKIM),
Transaction Layer Security (TLS),
Sender Policy Framework (SPF),
and Domain-based Message Authentication, Reporting, and Conformance (DMARC).
Goldfinch recommends using DKIM to secure your emails.
Setting up Secure DKIM Keys
a DKIM key must be created on the Client’s Salesforce instance, one key per instance (i.e. one for dev, one for production); this will create two CNAME records per key.
The two CNAME records must be created on the Client’s Email Domain DNS. After the DNS has been updated with the two CNAME records, activate the DKIM key on the Customer’s SF instance.
Follow these instructions to Create a DKIM Key (salesforce.com):
Key Size: 1024 bit
Selector: CompanyNameDKIM1 (note: this must be an alphanumeric string)
Alternate Selector: CompanyNameDKIM2
Domain: Email domain of Customer (ex: firstname.lastname@example.org, the email domain is customer.com)
Domain Match: Exact domain only
After creating the DKIM Key, a CNAME Record and an Alternate CNAME Record will be generated.
CNAME: sfdc1._domainkey.customerdomain.com IN CNAME sfdkim1.539vtd.custdkim.salesforce.com.
Alt CNAME: sfdc2._domainkey.customerdomain.com IN CNAME sfdc2.5v0vw9.custdkim.salesforce.com.
The CNAME and alternate CNAME records must be published to the customer’s email domain’s DNS. If necessary, send the CNAME records to the Customer’s Email Domain Admin / Webmaster with the following instructions:
Create 2 CName records under the Email Domain
Append “include:_spf.salesforce.com” to your existing SPF1 record. For example, if you currently have the following value for SPF1:
v=spf1 include:spf.protection.outlook.com ~all
After appending Salesforce spf value, it will look like
v=spf1 include:spf.protection.outlook.com include:_spf.salesforce.com ~all
After the CNAME records are published to DNS and recognized by Salesforce, the DKIM Key can be activated on Salesforce. For additional info: