
Salesforce Security Changes 2026: Official Announcement

Salesforce's official security announcement for 2026, including required controls and enforcement timelines.

Salesforce has published formal 2026 security requirements with staged enforcement windows. This page captures the official announcement in a clean format.

If you want a practical implementation plan, see our guide:
Salesforce Security Changes 2026: Deadlines, Risks, and What To Do

If you want the security rationale behind each requirement, see:
Why Salesforce Is Enforcing Security Changes in 2026

Salesforce Announcement Summary

Salesforce states these updates are intended to strengthen org and tenant security as cyber threats continue to evolve.

The changes focus on:

  • Stronger identity controls: MFA for all users and phishing-resistant MFA for admins.
  • Stronger data protection: Additional verification for sensitive operations, including large exports.
  • Adaptive access controls: Risk-based controls to ensure only authorized users and devices gain access.

Immediate Action Required: Email Domain Verification

To reduce spoofing and phishing risk, Salesforce now requires verification of domains used for Salesforce outbound email.

Enforcement timeline

  • New domains in all orgs: Starting March 24, 2026 (Spring '26 patch 11)
  • Recently used domains in sandboxes: April 7, 2026
  • Recently used domains in production and all other orgs: April 27, 2026

How Salesforce says to verify

  • Activate a DKIM key, or
  • Verify an Authorized Email Domain

If verification is not possible, a substitute-domain option is available.

New Security Control Requirements Beginning June 2026

Salesforce indicates that, starting June 2026, orgs should have the following controls in place.

1) Require MFA for users

MFA should be enforced in sandbox and production orgs, either directly in Salesforce or through your SSO provider. Salesforce also notes that some sensitive post-login actions may require step-up authentication.

2) Encourage phishing-resistant MFA for System Administrators

Admin users should adopt phishing-resistant methods such as built-in authenticators, security keys, or equivalent methods. While this is not being enforced at this time, enforcement could come in the future.

3) Restrict login IP addresses at profile level

Allowed IP ranges set on a profile deny logins from IP addresses outside those ranges. By default, this is checked at login only.

For continuous enforcement, Salesforce notes that the "Enforce login IP ranges on every request" setting must be enabled in Session Settings.

This is also not being enforced, but it is highly encouraged.

4) Enable Transaction Security Policy for large data exports

For Salesforce Shield and Event Monitoring customers, Salesforce expects a ReportEvent TSP that triggers step-up verification for report downloads.

Salesforce also notes that if one is not in place by June 2026, a policy may be added and enabled automatically.
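For orgs that prefer to define this policy themselves, here is a sketch of an Apex condition class for a ReportEvent policy. It is an added example, not Salesforce's own policy or code from the announcement. The class name, the 2,000-row threshold, and the assumption that export operations are reported with an Operation value beginning "ReportExported" are illustrative; the step-up (multi-factor authentication) action itself is selected on the policy in Setup, not in this class.

```apex
// Added example: condition for a Transaction Security policy on ReportEvent.
// The policy's action (e.g. multi-factor authentication) is configured on the
// policy record; this class only decides whether the policy triggers.
global class LargeReportExportCondition implements TxnSecurity.EventCondition {

    // Assumption: illustrative threshold; tune to what "large" means in your org.
    private static final Integer ROW_THRESHOLD = 2000;

    public boolean evaluate(SObject event) {
        switch on event {
            when ReportEvent reportEvent {
                return isLargeExport(reportEvent);
            }
            when null {
                return false;
            }
            when else {
                // Any other event type: this policy does not apply.
                return false;
            }
        }
    }

    private boolean isLargeExport(ReportEvent reportEvent) {
        // Operation records how the report was executed (UI run, API, export...).
        // Assumption: export operations start with 'ReportExported'.
        String op = reportEvent.Operation;
        Boolean isExport = op != null && op.startsWith('ReportExported');

        // RowsProcessed can be null on some events; treat that as "not large".
        Boolean isLarge = reportEvent.RowsProcessed != null
            && reportEvent.RowsProcessed > ROW_THRESHOLD;

        // Returning true triggers the policy, which then applies its action.
        return isExport && isLarge;
    }
}
```

Validate the condition in a sandbox first, since a threshold set too low will prompt users for step-up verification on routine report downloads.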

5) Avoid anonymizing proxies and high-risk IP sources

Salesforce advises organizations to prevent user access from anonymizing VPNs and other high-risk IP addresses.

Closing Note

Salesforce has indicated additional security controls and future timelines are still coming.

To prepare without disruption, start implementation now and align your roadmap to the published dates.

For execution support, use our implementation guide:
Salesforce Security Changes 2026: Deadlines, Risks, and What To Do

For the “why” behind each control:
Why Salesforce Is Enforcing Security Changes in 2026

If you need help making these security upgrades, please get in touch.