· Salesforce Guide · 3 min read
Salesforce Email Domain Verification: Requirements, Deadlines, and Setup
Salesforce now requires verification for email-sending domains. Here are the enforcement dates, risks, and exact setup steps.
Salesforce Email Domain Verification: Requirements, Deadlines, and Setup
If your organization sends email from Salesforce using a custom domain, this is now a required security control. Missing enforcement windows can disrupt outbound email delivery.
What’s Changing
Salesforce requires verification of each email-sending domain used for outbound messages. This prevents spoofing and unauthorized domain use.
Impacted: Email Composer, Apex email, Flow email actions, Workflow/Process email alerts
Generally not impacted: Marketing Cloud, Einstein Activity Capture, Inbox, common public email domains
Who This Affects
Any org sending from a custom domain (for example, @yourcompany.com) must verify each sending domain and subdomain.
Key Dates
| Situation | Deadline |
|---|---|
| New domains in existing orgs | Immediately (March 9, 2026+) |
| All domains in new orgs & sandboxes | Immediately (March 9, 2026+) |
| Existing sandbox domains | March 30, 2026 |
| Existing production org domains | April 27, 2026 |
Salesforce recommends verifying your domains as soon as possible, even if your deadline is further out.
Additional enforcement windows called out by Salesforce
- Mar 24-Apr 3, 2026: Broader sandbox enforcement
- Apr 6-17, 2026: Production enforcement waves in many orgs
- Apr 27-May 15, 2026: Temporary allowlisted domains must be fully verified in production
How To Verify Your Domain
Verification requires DNS updates. Most teams can complete this quickly with IT/DNS support.
Option 1 (Recommended): DKIM
- In
Setup, openDKIM Keysand create a new key. - Choose
2048-bit RSA. - Enter selector and alternate selector.
- Enter your sending domain and save.
- Add generated CNAME records in DNS.
- Wait for propagation (up to 72 hours), then activate in Salesforce.
example.com and mail.example.com are separate and each need verification.
Option 2: Authorized Email Domains
- Go to
Setup->Authorized Email Domains. - Add domain and copy the verification key.
- Publish TXT record in DNS.
- After propagation, verify ownership.
What Happens If You Don’t Act?
Emails from unverified domains may be blocked or dropped. This means your recipients won’t ever get the emails that your org tries to send.
Note that individual user-level email address verification remains mandatory as well — that requirement hasn’t changed.
Check delivery logs for errors like: 550 5.7.1 Delivery not authorized, message discarded.
Action Checklist
- Identify all custom domains your org uses to send email through Salesforce. You can identify which are in use by running a report on outbound email messages and checking the From Address.
- Determine which method you’ll use: DKIM or Authorized Email Domains
- Loop in your IT team or DNS administrator
- Verify every sending subdomain, if necessary (not just the root domain)
- Complete DNS record updates before your applicable deadline
- Verify the patch version for your org via Salesforce Trust Status
Bottom Line
This is a straightforward but time-sensitive control. The technical work is small, so get started before the enforcement deadline.
For the full 2026 security package beyond domains, see:
Salesforce Security Changes 2026: Deadlines, Risks, and What To Do
