Salesforce Email Domain Verification: Technical Deep Dive
Salesforce is enforcing stricter controls on emails originating from its platform, requiring organizations to verify ownership of any custom domain used in From: addresses. This change is aligned with industry-wide efforts, driven by major email providers (like Gmail/Yahoo), to enhance sender authentication (SPF, DKIM, DMARC) and mitigate phishing and email spoofing attacks.
Failure to comply before the specified enforcement dates will result in email delivery failure for messages sent using unverified custom domains via standard email composer, Apex, Flows, or Email Alerts.
Scope of Impact
This verification applies specifically to the domain portion (@yourcompany.com) of any email address utilized by Salesforce to send outbound messages. Public domains such as gmail.com or outlook.com are exempt.
Crucially, this impacts automated emails:
- Emails triggered via Apex methods (e.g., Messaging.sendEmail).
- Emails dispatched through Salesforce Flow Email Alerts or Send Email actions.
- System-generated notifications relying on organizational sending addresses.
Integrations using external SMTP services, or emails sent via direct integrations with Office 365/Gmail accounts (like those used by Einstein Activity Capture), are generally unaffected by this platform verification requirement.
Identifying Non-Compliance
If emails from unverified domains cease delivery, administrators or developers monitoring system logs should look for specific delivery failure responses. For system and automated emails, review Email Logs in Setup for the rejection string:
550 5.7.1 Delivery not authorized, message discarded
Manually composing emails in the UI will trigger a user-facing block message: "Not allowed to send from an unauthorized domain."
Verification Methods for Developers and Architects
To satisfy the platform requirement, your organization's domain must meet one of two conditions: it must either have an active DKIM key configured, or be listed and verified under Authorized Email Domains.
Option 1: Implementing DKIM Keys (Recommended)
DKIM (DomainKeys Identified Mail) adds cryptographic signing to outgoing emails, providing strong proof of origin. This is the preferred method as it enhances overall email authentication.
Configuration Steps in Setup:
- Navigate to Setup → DKIM Keys.
- Click Create New Key.
- Define Parameters:
  - Key Size: 2048-bit is typically recommended.
  - Selector: A unique identifier (max 62 alphanumeric/hyphens, must start with a letter/number).
  - Alternate Selector: A second unique string for redundancy.
  - Domain: The exact domain to be verified (e.g., yourcompany.com). This cannot be modified after saving.
  - Domain Match Pattern: Typically mirrors the domain entry.
- Save the configuration.
Upon saving, Salesforce generates CNAME records. You must provision these records (including the Alternate CNAME) in your external DNS provider (e.g., Route 53, Cloudflare).
Once DNS propagation is confirmed, return to Setup → DKIM Keys and click Activate for the new key.
Option 2: Authorized Email Domains (Alternative)
This method verifies domain ownership via a DNS record without implementing cryptographic signing.
Configuration Steps in Setup:
- Navigate to Setup → Authorized Email Domains.
- Click Add and input the custom domain name.
- Save the entry.
Salesforce generates a unique verification key (an opaque string value).
You must provision this key as a TXT record in your domain's external DNS settings. The specific record format will be provided by Salesforce upon saving the domain entry.
After the TXT record propagates, return to the domain entry in Setup → Authorized Email Domains and enable Verify domain ownership.
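Both options end with a "confirm DNS propagation, then click Activate / Verify" step, and a missing Alternate CNAME is the easiest record to overlook. The following is an added example, not code from the page or from Salesforce: it checks every record Setup asked for before you activate. It assumes the standard DKIM record naming convention <selector>._domainkey.<domain> (RFC 6376); the CNAME targets and TXT value are placeholders you copy from Setup, and the resolver is injected so the script runs offline against a constructed zone.

```python
"""Pre-activation DNS check for Salesforce DKIM Keys / Authorized Email Domains.

Assumptions (not from the page): record names follow <selector>._domainkey.<domain>
(RFC 6376); the CNAME targets and TXT verification value are whatever Setup
displayed. `lookup(name, rtype)` is injected; in production wrap a real DNS
client (e.g. dnspython's dns.resolver.resolve) and return the answer strings.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Expectation:
    domain: str
    selectors: Dict[str, str]              # selector -> CNAME target from Setup
    txt_verification: Optional[str] = None  # Authorized Email Domains key, if used


def _norm(name: str) -> str:
    # DNS names are case-insensitive and may carry a trailing dot.
    return name.rstrip(".").lower()


def check_records(exp: Expectation, lookup: Callable[[str, str], List[str]]) -> Dict[str, bool]:
    """Map each required record (both DKIM CNAMEs and the optional TXT) to found/not found."""
    results: Dict[str, bool] = {}
    for selector, target in exp.selectors.items():
        name = f"{selector}._domainkey.{exp.domain}"
        results[name] = _norm(target) in [_norm(a) for a in lookup(name, "CNAME")]
    if exp.txt_verification is not None:
        results[f"TXT {exp.domain}"] = exp.txt_verification in lookup(exp.domain, "TXT")
    return results


def ready_to_activate(exp: Expectation, lookup) -> bool:
    return all(check_records(exp, lookup).values())


# Constructed zone standing in for the external DNS provider. The alternate
# selector (sf2) was never provisioned, which is the failure this check catches.
FAKE_ZONE = {
    ("sf1._domainkey.yourcompany.com", "CNAME"): ["TARGET-FROM-SETUP-1."],
    ("yourcompany.com", "TXT"): ["v=spf1 -all", "VERIFICATION-KEY-FROM-SETUP"],
}


def fake_lookup(name: str, rtype: str) -> List[str]:
    return FAKE_ZONE.get((_norm(name), rtype), [])


EXPECTED = Expectation("yourcompany.com",
                       {"sf1": "TARGET-FROM-SETUP-1", "sf2": "TARGET-FROM-SETUP-2"},
                       "VERIFICATION-KEY-FROM-SETUP")

if __name__ == "__main__":
    for name, ok in check_records(EXPECTED, fake_lookup).items():
        print(("OK      " if ok else "MISSING ") + name)
    print("ready to activate:", ready_to_activate(EXPECTED, fake_lookup))
```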
Enforcement Timeline
While enforcement began incrementally (Spring ’26 Patch 10), target deadlines for complete organizational compliance are:
- Sandboxes: April 7, 2026
- Production Orgs: April 27, 2026
Domains that have actively sent email within the 30 days prior to these dates must be verified by the corresponding deadline. Domains added after that point, and all domains in newly provisioned orgs or sandboxes, require verification before the first email attempt succeeds.
Key Takeaways
- Action Required: Verify all custom sending domains (@yourcompany.com) used in platform emails.
- Impact: Unverified domains lead to outright email delivery failure for Apex, Flow, and UI messages.
- Best Practice: Implement and activate a DKIM key for stronger email authentication.
- Exemptions: Public domains (@gmail.com) and emails routed via integrated services like Office 365/Gmail connectors are unaffected.