Loading
Set Up and Maintain Your Salesforce Organization
Table of Contents
Filter by (0)Add
Select Filters

          No results
          No results
          Here are some search tips

          Check the spelling of your keywords.
          Use more general search terms.
          Select fewer filters to broaden your search.

            Search all of Salesforce Help
            Search all of Salesforce Help
            Set Trusted IP Ranges for Your Org

            You are here:

            1. Salesforce Help
            2. Docs
            3. Set Up and Maintain Your Salesforce Organization

            Set Trusted IP Ranges for Your Org

            To help protect your Salesforce data from unauthorized access, specify a list of IP addresses from which users can log in without receiving an identity verification challenge.

            Required Editions

            Available in: both Salesforce Classic and Lightning Experience
            Available in: all editions
            User Permissions Needed
            To change network access: Manage IP Addresses
            Note
            Note

            If you use IP allowlists on Hyperforce, consider a preferred alternative such as implementing mTLS or allowing domains.

            With trusted IP ranges, if a user tries to log in from an untrusted IP address, Salesforce challenges them to verify their identity.

            As of Winter ’26, Salesforce enforces limits for trusted IP ranges. You can’t add IP ranges that exceed this limit. If your trusted IP ranges already exceeded the limit before this change, Salesforce can challenge users for device activation even if they’re within your org’s range. For more information, see Device Activation.

            Here are the limits for IPv4 and IPv6 addresses. If you use IPv4-mapped IPv6 addresses, the IPv4 limit applies.

            Note
            Note These limits also apply to login IP ranges for a specific profile.
            IP Address Type Limit
            IPv4 16,777,216
            IPv6 2^99 (2 to the power of 99)

            When calculating the total number of IP addresses, Salesforce doesn’t count private IP addresses in this range: 10.0.0.0 to 10.255.255.255. For more information on private IP addresses, see RFC 1918 from the Internet Engineering Task Force. To make sure that private IP addresses are excluded, add them as a separate range entry.

            Note
            Note If you already exceeded the limit before Spring ’26, you can’t edit your ranges to include private IP ranges.

            To verify a user's identity, Salesforce uses the highest-priority identity verification method available. Here's the order that Salesforce follows for verification methods.

            1. Built-in authenticator registered with the user’s account, such as Touch ID or Windows Hello
            2. U2F security key registered with the user’s account
            3. Push notification or location-based automated verification with the Salesforce Authenticator mobile app connected to the user’s account
            4. Time-based one-time password (TOTP) generated by a mobile authenticator app connected to the user’s account, such as Google Authenticator™
            5. One-time password (OTP) sent via SMS to the user’s verified mobile device
            6. OTP sent via email to the user’s registered email address

            Manage Trusted IP Ranges

            Note
            Note Users outside your trusted IP ranges can still log in to your org. After those users complete a login challenge, usually by entering a code sent to their mobile device or email address, they can log in.

            To prevent users from logging in to Salesforce from untrusted IP addresses, specify allowed IP ranges for your users at the profile level. When you define IP address restrictions for a profile, a login from any other IP address is denied. See Restrict Login IP Addresses in Profiles.

            1. From Setup, in the Quick Find box, enter Network Access, and then select Network Access.
              If your org was activated before Salesforce introduced this feature in December 2007, Salesforce populated your org’s trusted IP address list in December 2007, when this feature was introduced. That process added the IP addresses from which trusted users had already accessed Salesforce during the past six months.
            2. Click New.
            3. Enter a valid IP address in the Start IP Address field and a higher, valid IP address in the End IP Address field.

              The start and end addresses define the range of allowable IP addresses from which users can log in, including the start and end values. To allow logins from a single IP address, enter the same address in both fields.

              A range can include either IPv4, IPv4-mapped IPv6 addresses, or IPv6 addresses. An IP address range can’t include multiple types of addresses. For example, ranges like 255.255.255.255 to ::1:0:0:0 and :: to ::1:0:0:0 aren’t allowed.

              • The range of IPv4 addresses is 0.0.0.0 to 255.255.255.255.
              • The range of publicly accessible IPv6 addresses is ::1:0:0:0 to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff.
              • IPv4-mapped IPv6 addresses allow an IPv6-enabled application to communicate with IPv4-only devices. To accomplish this, the IPv4 address is embedded in the IPv6 address format. These addresses are represented as IPv4 addresses in the Salesforce user interface and in API.

                The syntax for an IPv4-mapped IPv6 address is ::ffff:a.b.c.d, where a.b.c.d is the decimal representation of the IPv4 address. For example, the IPv4-mapped IPv6 address of 192.0.2.128 is ::ffff:192.0.2.128. So the range of IPv4-mapped IPv6 addresses is ::ffff:0.0.0.0 to ::ffff:255.255.255.255.

            4. Optionally, enter a description for the range. For example, if you maintain multiple ranges, enter details about the part of your network that corresponds to this range.
            5. Save your changes.
            6. To remove a Trusted IP range, click Del.
              If you remove all trusted IP ranges from the Network Access Setup page, all users who can access your org receive a device activation challenge.
            Example
            Example Warren is an IT Systems specialist for a business that handles highly sensitive customer data. He uses the Security Center app to monitor the security posture for multiple Salesforce tenants. Warren can define and deploy trusted IP ranges to selected orgs from the Security Center app. For more information, see Define and Deploy Security Policies.

            See Also

             
            Loading
            Salesforce Help | Article