Since Salesforce Spring '26, domain verification is required. If you haven't set up DKIM, your emails could be silently blocked, filtered to junk, or sent from a garbled address your donors won't recognise.
We've worked through this with a lot of customers recently, including going back and forth with Salesforce Support on the details. A few things surprised us:
- A DKIM key for yourorg.org does NOT cover support.yourorg.org or info.yourorg.org. Every subdomain needs its own verification — and this is the most common cause of failures we see after setup.
- DKIM and Authorised Email Domains can (and should) coexist. DKIM takes precedence, but keeping your Authorised Email Domain entries as a safety net is recommended.
- Those "Legacy Domains" that appeared in your Authorised Email Domains list earlier this year? Salesforce added them via a one-time automated scan in Jan–Feb 2026. They won't be adding more automatically going forward.
We've pulled everything together — DKIM setup, DNS configuration, key rotation, SPF, DMARC, subdomains, and the questions we hear most — into one complete guide.
If you're an organisation on Salesforce, it's worth 30 minutes to check your setup is right. Your donors' inboxes are the goal.
