Setting up Email Security Mechanisms

When sending emails through your Salesforce instance, it is strongly recommended to have at least one of the four Email Security Mechanisms set up. These security mechanisms are required for the following reasons:

To prevent outbound emails from being filtered from recipient’s inbox, resulting in the emails being sent to Junk folders;
To prevent email spoofing;
To ensure that messages are not altered in transit between the email sending server and the email receiving server.

Salesforce supports several email security mechanisms:

DomainKeys Identified Mail (DKIM),
Transaction Layer Security (TLS),
Sender Policy Framework (SPF),
and Domain-based Message Authentication, Reporting, and Conformance (DMARC).

Goldfinch recommends using DKIM to secure your emails.

Setting up Secure DKIM Keys

a DKIM key must be created on the Client’s Salesforce instance, one key per instance (i.e. one for dev, one for production); this will create two CNAME records per key.
The two CNAME records must be created on the Client’s Email Domain DNS. After the DNS has been updated with the two CNAME records, activate the DKIM key on the Customer’s SF instance.

Follow these instructions to Create a DKIM Key (salesforce.com):

Key Size: 1024 bit
Selector: CompanyNameDKIM1 (note: this must be an alphanumeric string)
Alternate Selector: CompanyNameDKIM2
Domain: Email domain of Customer (ex: employee@customer.com, the email domain is customer.com)
Domain Match: Exact domain only

After creating the DKIM Key, a CNAME Record and an Alternate CNAME Record will be generated.

Examples:

CNAME: sfdc1._domainkey.customerdomain.com IN CNAME sfdkim1.539vtd.custdkim.salesforce.com.
Alt CNAME: sfdc2._domainkey.customerdomain.com IN CNAME sfdc2.5v0vw9.custdkim.salesforce.com.

The CNAME and alternate CNAME records must be published to the customer’s email domain’s DNS. If necessary, send the CNAME records to the Customer’s Email Domain Admin / Webmaster with the following instructions:
Create 2 CName records under the Email Domain

Type	Name	Value
CNAME	sfdc1._domainkey.customerdomain.com	sfdkim1.539vtd.custdkim.salesforce.com
CNAME	sfdc2._domainkey.customerdomain.com	sfdc2.5v0vw9.custdkim.salesforce.com

Append “include:_spf.salesforce.com” to your existing SPF1 record. For example, if you currently have the following value for SPF1:

v=spf1 include:spf.protection.outlook.com ~all

After appending Salesforce spf value, it will look like

v=spf1 include:spf.protection.outlook.com include:_spf.salesforce.com ~all

After the CNAME records are published to DNS and recognized by Salesforce, the DKIM Key can be activated on Salesforce. For additional info:

Best practices to setup DKIM (salesforce.com)

How to Setup DKIM Key | Salesforce - YouTube

Email Domains

To determine the email domain host, use ICANN Lookup.
For example: customer@company.com, search ICANN for company.com to get the domain host.
Add a CNAME record | Domains - GoDaddy Help US
Edit an SPF record | Domains - GoDaddy Help US