Salesforce’s New Email Domain Verification Explained


I recently received an email from Salesforce titled “Immediate Action Required: Verify Your Domains for Email Security”. If you’re dealing with an org or multiple orgs, you probably received the same email. The content was pretty straightforward, but I understand it can also feel a bit vague. 

The wording alone was enough to raise eyebrows across the ecosystem. Was this a phishing attempt? Or a security warning? Maybe a new requirement that admins needed to act on right away? The first question that came to mind may have been, “Is my org going to be affected in any way?”

In short, it’s legitimate, and it does require your attention. This latest requirement from Salesforce is another step towards strengthening email security across the platform. Here’s everything you need to know, why it’s happening, and the steps you need to take to be compliant ASAP. 

Security Again?

Actually, yes. And for good reason. 

Major email providers like Gmail and Yahoo have introduced stricter authentication policies to combat phishing, spoofing, and spam, all of which are classic tricks used by scammers and hackers. And with last year’s surge of security breaches in the ecosystem, stronger safeguards like this were bound to follow.

Salesforce is changing the rules around sending email from its platform. Starting with the Spring ’26 release, any email sent from a Salesforce org must come from a domain that has been verified as belonging to your organization.

In other words, Salesforce now needs proof that your company actually owns the email domain (for example: yourcompany.com) before it will let users send emails from addresses on that domain.

The Bigger Shift in Email Security

Talk of the recent security breaches aside, this change is also part of a broader industry push to combat email spoofing and phishing. Email spoofing occurs when someone sends an email pretending to be from your company’s domain, making it a powerful attack vector for social engineering attacks. 

Technologies like SPF, DKIM, and DMARC help verify that emails are truly coming from the domain they claim to be from. Without these protections, it’s easier for attackers to send messages that appear to come from legitimate companies.

By requiring domain verification, Salesforce helps ensure that only domains your organization actually owns can be used to send emails from the platform. If you don’t verify your domain in time, emails sent from Salesforce by your users may simply stop being delivered.

Who Does This Affect?

Your email address has two parts: the label before the @ sign and the one after. In “yourname@yourcompany.com”, the part after the @ symbol – yourcompany.com – is the domain. That’s what needs to be verified. 

The good news is that public email providers like Gmail (gmail.com) and Outlook (outlook.com) are exempt. You only need to worry about custom company domains. So if your company has its own domain and your users send emails through that (even if they’re verified org-wide email addresses), you will want to take verification steps.

Note that emails sent via Gmail or Office 365 (Outlook) integrations within Salesforce, as well as emails sent through Salesforce Einstein Activity Capture (EAC), are not impacted by this change.

How to Proactively Check Your Status

If you’re unsure whether your org is already compliant, you can quickly verify this in Setup.

  • Check DKIM Keys (Recommended)
    • Go to Setup → DKIM Keys. Review the list and confirm that there is at least one active DKIM key for your domain.
  • Check Authorized Email Domains
    • Go to Setup → Authorized Email Domains. Review the list to ensure your domain appears and that domain ownership has been verified.

To meet Salesforce’s requirement, your org must have either an active DKIM key (recommended) or a verified Authorized Email Domain for the domain used to send emails.

What Happens If I Skip This Step?

If you skip this step, you will run into email delivery issues, which can be very frustrating, especially for important processes. Salesforce will begin blocking emails sent from the unverified domain. How this appears depends on how the email is being sent:

  • Email Composer: If a user tries to send an email manually from Salesforce using an unverified domain, the email composer will block the action and display the following message: “Not allowed to send from an unauthorized domain.”
  • Automations and System Emails: Emails sent through Apex, Flows, email alerts, or other automations may not show an error message in the user interface like the one above. Instead, these emails may simply fail to deliver. Admins can proactively check for these failures by reviewing Email Logs in Setup and searching for the following error string: “550 5.7.1 Delivery not authorized, message discarded”.
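One way to triage silent automation failures is to count the blocked sends per sender domain in a downloaded Email Log. This is an added example, not Salesforce's own tooling; the CSV column names and sample rows are constructed assumptions, so match `sender_column` to the header of your actual export.

```python
import csv
import io
from collections import Counter

# Error string the article says to search for in Email Logs.
BLOCKED = "550 5.7.1 Delivery not authorized, message discarded"

# Constructed sample export. Column names are assumptions, not Salesforce's
# documented header. The error text contains a comma, so it arrives quoted.
SAMPLE_LOG = """Date/Time,Sender,Recipient,Status
2026-04-28 09:01:12,alerts@yourcompany.com,a@example.org,"550 5.7.1 Delivery not authorized, message discarded"
2026-04-28 09:02:40,Support@YourCompany.com,b@example.org,"550 5.7.1 Delivery not authorized, message discarded"
2026-04-28 09:05:03,billing@sub.yourcompany.com,c@example.org,"550 5.7.1 Delivery not authorized, message discarded"
2026-04-28 09:07:55,sales@verified-example.com,d@example.org,250 OK
2026-04-28 09:09:10,,e@example.org,"550 5.7.1 Delivery not authorized, message discarded"
"""


def blocked_domains(log_csv, sender_column="Sender"):
    """Count blocked sends per sender domain in an Email Log CSV export.

    The error string is searched in every field of a row, so the name of the
    column that carries it does not need to be known in advance.
    """
    counts = Counter()
    for row in csv.DictReader(io.StringIO(log_csv)):
        if not any(BLOCKED in (value or "") for value in row.values()):
            continue  # delivered, or failed for an unrelated reason
        sender = (row.get(sender_column) or "").strip().strip("<>")
        _local, at, domain = sender.rpartition("@")
        # Domains are case-insensitive; rows without a usable sender are
        # still counted so they are not lost from the triage.
        key = domain.lower().rstrip(".") if at and domain else "(unknown)"
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for domain, hits in blocked_domains(SAMPLE_LOG).most_common():
        print(f"{hits:3d} blocked  {domain}")
```

Each domain in the output is one that still needs an active DKIM key or a verified Authorized Email Domain entry.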

How to Verify Your Domain in Salesforce

Fortunately, verifying a domain in Salesforce is a straightforward process. You need to prove to Salesforce that your company owns your email-sending domain. This can be done by making a small change to your DNS records. It’s essentially a tiny text entry in your domain’s settings that acts like a digital signature.

There are two ways to do it:

Option 1: Set Up a DKIM Key (Recommended)

DKIM stands for DomainKeys Identified Mail. It’s an email security standard that adds a digital signature to your outgoing emails. If you haven’t already set up DKIM, now is a great time to do it.

  1. Go to Setup → DKIM Keys.
  2. Click Create New Key.
  3. Choose a key size (Salesforce typically recommends 2048-bit unless a specific application requires smaller keys).
  4. Enter a selector name, which identifies the DKIM record. This is a unique string of up to 62 letters, digits, and hyphens. Start with a letter or number.
  5. The alternate selector name should be another unique string.
  6. Enter the domain you want to verify. Make sure this is accurate because after you save a DKIM key, you can’t edit the domain name again.
  7. Enter the domain match pattern. This tells Salesforce which email domain should use the DKIM key when sending emails. In most cases, you can simply enter your company’s domain (for example, yourcompany.com), which will apply the DKIM signature to emails sent from addresses like support@yourcompany.com or sales@yourcompany.com.
  8. Hit Save!

After saving the DKIM key, Salesforce will generate CNAME records that must be added to your domain’s DNS settings. You can view these records by clicking the selector name of the DKIM key you just created.

Work with whoever manages your company’s DNS (or your domain provider) to add the CNAME and Alternate CNAME records provided by Salesforce. Once the records are added and DNS propagation is complete, return to Setup → DKIM Keys and click Activate.

Option 2: Authorized Email Domains (No DKIM)

If you’d rather not set up DKIM, you can verify your domain through Salesforce’s Authorized Email Domains feature instead. With this option, you create a record for your domain in Salesforce and then update the DNS record for your domain to verify ownership.

  1. Go to Setup → Authorized Email Domains.
  2. Click Add and enter your domain name.
  3. Click Save.

Salesforce will generate a unique verification key (for example, 00D000000000P08=1TB00000000000B). Next, log in to your DNS provider and add the DNS record provided by Salesforce to your domain’s DNS settings. This record proves that your organization owns the domain.

DNS changes may take some time to propagate before Salesforce can detect them. Once the DNS record is live, return to Setup → Authorized Email Domains, edit the domain record, and enable Verify domain ownership. If domain verification is unsuccessful, confirm that the required TXT record exists in DNS and that enough time has passed for the change to propagate.
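Both options end with waiting for DNS before clicking Activate (DKIM) or enabling Verify domain ownership (Authorized Email Domains). The added example below, which is not Salesforce code, compares the records copied from Setup with what DNS currently answers; the record names and CNAME targets are constructed placeholders, and the live lookup assumes the `dig` utility is installed.

```python
import subprocess

# Records as copied from Setup. Names and CNAME targets here are constructed
# placeholders; the TXT value is the sample key shown in the article.
EXPECTED = [
    ("sel1._domainkey.yourcompany.com", "CNAME", "sel1.dkim-target.example"),
    ("sel2._domainkey.yourcompany.com", "CNAME", "sel2.dkim-target.example"),
    ("verify.yourcompany.com", "TXT", "00D000000000P08=1TB00000000000B"),
]

# Constructed resolver answers, in the form `dig +short` prints them.
FAKE_DNS = {
    ("sel1._domainkey.yourcompany.com", "CNAME"): ["SEL1.dkim-target.example."],
    ("sel2._domainkey.yourcompany.com", "CNAME"): [],  # not propagated yet
    ("verify.yourcompany.com", "TXT"): ['"00D000000000P08=" "1TB00000000000B"'],
}


def fake_lookup(name, rtype):
    return FAKE_DNS.get((name, rtype), [])


def dig_lookup(name, rtype):
    """Live lookup; returns one answer per line of `dig +short` output."""
    result = subprocess.run(["dig", "+short", name, rtype],
                            capture_output=True, text=True, timeout=10)
    return result.stdout.splitlines()


def normalize(rtype, value):
    """Canonical form so cosmetic differences do not read as mismatches."""
    value = value.strip()
    if rtype == "TXT":
        # TXT data may come back as several quoted chunks; join them.
        return "".join(value.split('"')[1::2]) if '"' in value else value
    return value.rstrip(".").lower()  # host names: any case, optional root dot


def check_records(expected, lookup=dig_lookup):
    """Return {record name: 'ok' | 'mismatch' | 'missing'}."""
    report = {}
    for name, rtype, value in expected:
        answers = {normalize(rtype, a) for a in lookup(name, rtype)}
        if normalize(rtype, value) in answers:
            report[name] = "ok"
        else:
            report[name] = "mismatch" if answers else "missing"
    return report


if __name__ == "__main__":
    for name, status in check_records(EXPECTED, fake_lookup).items():
        print(f"{status:8s} {name}")
```

Call `check_records(EXPECTED)` without the second argument to query live DNS; a "missing" result usually means the change has not propagated, while "mismatch" points to a typo in the record value.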

Verdict: If you’re unsure which of the two methods to choose, DKIM is generally recommended because it also signs outgoing emails for additional authentication. 

When Is This Due?

Ideally, you should set this up ASAP because enforcement began on March 9 (Spring ’26, Patch 10). However, Salesforce is rolling this out gradually across the platform. The key dates to keep in mind are:

  • April 7, 2026, for sandboxes.
  • April 27, 2026, for production orgs.

This is for existing orgs with domains that have been used to send mail within the last 30 days. New domains in existing orgs, as well as all domains in new orgs and new sandboxes, require immediate verification.

Summary

User email verification has been a requirement for a long time, and it’s about time that verification is required for company emails as well. Salesforce’s “Immediate Action Required” email may have caused some confusion at first, but the underlying change is fairly straightforward.

While it can feel like yet another security task to tick off your already-long list, it’s worth taking a few minutes to review your domain settings and confirm that everything is in place. A small configuration step now can prevent larger communication issues later.
