What is DMARC?
DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication, policy, and reporting protocol. It builds on the widely deployed SPF and DKIM protocols, adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email.
How does DMARC work, briefly, and in non-technical terms?
A DMARC policy allows a sender to indicate that their messages are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as junk or reject the message. DMARC removes guesswork from the receiver’s handling of these failed messages, limiting or eliminating the user’s exposure to potentially fraudulent & harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation.
How Can I create a DKIM Key in my Salesforce Instance?
Reference this Salesforce Help Article: https://help.salesforce.com/articleView?id=emailadmin_create_secure_dkim.htm&type=5
- From Setup, enter DKIM Keys in the Quick Find box, and then select DKIM Keys.
- Click Create New Key.
- Select the RSA key size. Consider email recipient limitations and industry-specific security regulations when choosing the key size.
- For Selector, enter a unique name.
- For Alternate Selector, enter a unique name. The alternate selector allows Salesforce to auto-rotate your keys.
- Enter your domain name.
- Select the type of domain match you want to use.
- Click Save. Salesforce publishes your TXT records to DNS. Your CNAME and alternate CNAME records appear on the DKIM Key Details page when the DNS publication is complete. It can take time for DNS publication to finish.
- Publish the CNAME and alternate CNAME records to your domain’s DNS.
- Select Activate on the DKIM Key Details page.
For more information about DMARC and FAQs visit: https://dmarc.org/wiki/FAQ#How_does_DMARC_work.2C_briefly.2C_and_in_non-technical_terms.3F
Email Domain Verification Setup Guide
DKIM Key & Authorized Email Domain — What They Are, Why They Matter, and How to Set Them Up
Salesforce now requires every domain your organization uses to send email (for example, name@yourcompany.com) to be verified. If a domain is not verified, Salesforce will block or fail to deliver emails sent from it — including manually sent emails, automated Flow emails, and system-generated emails.
This guide explains the two ways to verify a domain, walks through the setup steps for each, and shows clearly which steps happen inside Salesforce versus which steps need to be handled by whoever manages your company's website/domain (often an IT department, web host, or domain registrar like GoDaddy).
Color Key
Every step below is color-coded so you know who needs to do it:
| Salesforce Setup — done by your Salesforce Admin, inside Setup | Outside Salesforce — done by your IT / Domain (DNS) admin |
Method 1 (Preferred): DKIM Key
What It Is
DKIM stands for DomainKeys Identified Mail. It attaches a small digital "signature" to every email Salesforce sends on your behalf. When an email arrives, the receiving mail server checks that signature to confirm the email really came from your domain and was not altered along the way.
Why It Matters
- It satisfies Salesforce's domain verification requirement.
- It improves deliverability — signed emails are less likely to land in spam.
- It builds trust with email providers like Gmail and Outlook by proving your emails are legitimate, not spoofed.
This is the method Salesforce recommends. If you're not sure which option to choose, choose this one.
Setup Steps
| Step | Where | What To Do |
|---|---|---|
| 1 | Salesforce Setup | Your Salesforce Admin goes to Setup → Quick Find → "DKIM Keys" and clicks New. |
| 2 | Salesforce Setup | The Admin fills in the Key Size (2048-bit is recommended), a Selector (a short unique name), an Alternate Selector, and the exact Domain to protect. Then Save. |
| 3 | Salesforce Setup | Saving generates a set of DNS record values (a CNAME record) that need to be added to your domain's DNS settings. |
| 4 | Outside Salesforce | Send the generated CNAME record to whoever manages your domain's DNS (IT department, web host, or registrar). They add this record to the domain's DNS settings. |
| 5 | Outside Salesforce | Allow time for the DNS change to take effect. This is usually quick but can take up to 48 hours. |
| 6 | Salesforce Setup | Once the DNS record is confirmed live, the Admin returns to Setup → DKIM Keys and activates the key. |
Method 2 (Alternative): Authorized Email Domain
What It Is
An Authorized Email Domain is a simpler way to tell Salesforce "we own this domain and are allowed to send email from it." Instead of signing every email, it proves ownership one time through a small DNS entry.
Why It Matters
- It also satisfies Salesforce's domain verification requirement on its own — you do not need both methods.
- It's a good fallback if DKIM cannot be set up right away, or if you have a reason not to use DKIM.
Note: this method proves ownership, but it does not add the extra spam-fighting / trust benefits that DKIM provides. DKIM is still the preferred choice when possible.
Setup Steps
| Step | Where | What To Do |
|---|---|---|
| 1 | Salesforce Setup | Your Salesforce Admin goes to Setup → Quick Find → "Authorized Email Domains" and clicks New. |
| 2 | Salesforce Setup | The Admin enters the domain (for example, yourcompany.com) and saves. This generates a DNS TXT record value. |
| 3 | Outside Salesforce | Send the TXT record value to whoever manages your domain's DNS. They add it as a TXT record in the domain's DNS settings. |
| 4 | Outside Salesforce | Allow time for the DNS change to propagate (typically within 48 hours). |
| 5 | Salesforce Setup | Once the TXT record is live, the Admin returns to the domain entry in Authorized Email Domains and clicks "Verify domain ownership." |
A Few Important Notes
- You only need ONE of these two methods per domain — not both. DKIM is simply the better long-term choice.
- Every domain and subdomain must be verified separately. Verifying yourcompany.com does NOT automatically cover mail.yourcompany.com — each needs its own setup.
- Personal addresses (@gmail.com, @outlook.com, @hotmail.com) and emails sent through connected Gmail or Office 365/Outlook integrations are not affected by this requirement.
- If a domain is not verified, users may see a message like "Not allowed to send from an unauthorized domain" when sending manually. Automated emails (Flows, Apex, workflow alerts) may simply fail silently — check Email Logs in Setup for the error "550 5.7.1 Delivery not authorized, message discarded" if automated emails seem to be missing.
- If you're not sure who manages your company's DNS/domain settings, that's usually the same person or team who set up your website or company email — ask your IT contact or whoever manages your domain registrar account (e.g., GoDaddy, Namecheap, Google Workspace admin, Microsoft 365 admin).