Marketing Cloud DKIM FAQ

Frequently Asked Questions (FAQ) Regarding DKIM keys and DKIM DNS entries

Q: Why is the DKIM TXT entry so long?

A: Your DKIM key is a 2048 bit key, which results in a single, multi-string text record.  This enhances security and better protects against spam and spoofing.  The reason it is multi-string is because there is a 255 character limit.  Per RFC 4408, to get around this limitation, the record is broken out into multiple strings, but concatenated together to be just one record.

Q: How do I enter the record in DNS?

A: This could vary. You can start by trying to add it just as it was provided in the zone file, as this usually works fine.  Some DNS providers have figured out how to accept an entry in this format, however some do not. GoDaddy, for example, does not, however you can enter it all in one line and GoDaddy will break it out for you.  To get this format, you would take the entire multi-string TXT record provided, remove the quotes, remove new lines, and put it all in one line.  If neither of these work for you, you should contact support of your DNS provider and have them help you add it.  They should be aware of what this is and how to enter it correctly in their platform.

Q: How can I check to ensure that it is entered correctly?

A: I recommend this online tool: http://dkimcore.org/tools/keycheck.html

Paste in the selector, and then the domain, and it will check it.

Example: If you want to check DKIM for 10dkim1.mydomain.com, you would put 10dkim1 as the selector, and then mydomain.com as the domain to see the results.

Q: Can Salesforce Marketing Cloud help configure this DNS record?

A: While Salesforce support will try to help in any way they can, they cannot really troubleshoot this for you, as they are not hosting your DNS, nor do they know what DNS provider or platform you are using. Each DNS management tool is different, with different user interfaces and different limitations or potential quirks with regard to how DNS records are managed.

Q: What if I have followed the steps above but it is still not correct?

A: I would suggest that you go back to your DNS provider for help, but I can take a look to try and help figure it out. Please include as much detail as possible — tell Salesforce support who your DNS provider is, and please provide them copies of any communication you have had with your DNS provider so they can better understand the situation and help you to troubleshoot the issue.

Q: What are the alternatives?

A: SFMC can offer a 1024-bit key instead as an alternative, please keep in mind that this is a less secure choice.

Q: My DNS host isn’t able to help, what now?

A: There are lots of tutorials online on how to break up a 2048-bit DKIM key into chunks so that the chunks are less than 255 characters and can be hosted with whatever common DNS tool is being used (links below).

You’re not the first to run into this issue:

TXT record 255 character limit with 2048-bit DKIM – Managed DNS/Hosted DNS
byu/Versonymous indns

Q: How do I generate the DKIM for my domain?

It is not your responsibility to generate a DKIM key for Marketing Cloud. You have two options on how to ensure that the domain you are sending from has a valid DKIM key:

• Delegated domain: If you are delegating the domain to the name servers of Salesforce (like most customers do), then Saleforce will manage the DNS entries for you. This also goes for the DKIM key, which in practice is stored in a TXT record. Hence you should not worry on the managing the actual DKIM key yourself.
• Self hosting: If you are self hosting your DNS records for the domain in question, Salesforce provides you with a zone file holding all the relevant DNS records, including the DKIM as a TXT record. Please see an example of such a file here below:

$TTL 1H
$ORIGIN mc.example.com.


@               IN MX 10        reply.s50.exacttarget.com.
@               IN A            192.168.0.1

bounce          IN MX 10        bounce.s50.exacttarget.com.
reply           IN MX 10        reply.s50.exacttarget.com.
leave           IN MX 10        reply.s50.exacttarget.com.

image           IN CNAME        images.s50.exacttarget.com.edgesuite.net.
view            IN CNAME        view.virt.s50.exacttarget.com.
click           IN CNAME        click.virt.s50.exacttarget.com.
pages           IN CNAME        pages.virt.s50.exacttarget.com.
cloud           IN CNAME        pub.s50.exacttarget.com.

mta             IN A            192.168.0.1


50dkim1._domainkey  IN TXT ( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz+pwSE2FxqncAgzL"
"3gtcL1clvZa70025dbH66oD4/B7/MEYkuwEUE9vhhU5sJ6oNVby//Nu7U3uC"
"lgSVrzibGUprJw8VRXs4BVFqc6mwlxUf1MK/hRdRtNGFcLWd0PXRg/gyE53R"
"YYjacIfNVOd9DB5iZ8LeWu3q84Yh47sjNpwmJ0yDKmqUpW0ZJL8OuLPHEwbt"
"qEktTMCwt7zp4X+/mR5kpAyFo/mjVlOTBT4LD3eCG5LWBYa6FxXoB0xXH1Vd"
"..."
"..." )


##the above TXT record should be a single multi-line TXT record


@               IN TXT          "v=spf1 include:cust-spf.exacttarget.com -all"
bounce          IN TXT          "v=spf1 include:cust-spf.exacttarget.com -all"
reply           IN TXT          "v=spf1 include:cust-spf.exacttarget.com -all"