Verify Your Email-Sending Domains
To send email from Salesforce on domains that you own, verify domain ownership with DomainKeys Identified Mail (DKIM) or authorized email domains. For example, if your users’ email addresses are in the format name@example.com, verify that you own example.com.
Required Editions
| User Permissions Needed | |
|---|---|
| To manage DKIM keys or configure authorized email domains: | Customize Application |
| To modify authorized email domains: | Email Administration |
Verify ownership of your email-sending domains via one of these methods.
- DKIM: When you sign your emails digitally with a DKIM key, the key proves that the message came from your domain. An active DKIM key meets the domain-level verification requirement for your email-sending domain. Because this option increases the deliverability of your email, Salesforce recommends this option.
- Authorized email domains: With this option, you create a record for your domain in Salesforce and then update the DNS record for your domain to verify ownership.
This verification applies to emails sent from Salesforce and related automations with an email-sending domain that Salesforce doesn't own, including system-generated emails. For example, Salesforce can't send emails from an organization-wide email address with an unverified email-sending domain, even if the individual email address is verified.
Create a DKIM Key (Recommended)
DKIM is a security standard that attaches a digital signature to your emails to prove they truly came from your domain. With this signature, the receiving server can verify that the message content wasn't altered or faked during transit.
DKIM builds trust with email providers, which helps your messages land in the inbox instead of the spam folder. An active DKIM key meets the requirement for domain verification. For example, if your org includes an active DKIM key for example.com, then users with a verified email address that ends in example.com can send email from Salesforce.
See Create a DKIM Key.
Set Up an Authorized Email Domain
To verify your email-sending domain without DKIM, set up an authorized email domain.
To authorize a partner’s email-sending domain, work with your partner to complete these steps.
- From Setup, in the Quick Find box, enter Authorized Email Domains, and then select Authorized Email Domains.
- To add an authorized email domain, click Add.
- Enter the domain name. For example, example.com.
- Save your changes.
  Salesforce generates a verification key for the authorized email domain, for example: 00D000000000000P08=1TB00000000000B.
- If you own the domain, in DNS, add a TXT (text) record for the domain name that includes the verification code.
  Work with your IT team or DNS provider to complete this step.
  Note: DNS changes take up to 72 hours to propagate.
  There are three valid domain formats for the name in the DNS TXT record.
  - Your domain name.
    Here’s an example of a DNS TXT record for an authorized email domain with a domain name of example.com and a verification key of 1TB00000000000B in an org with ID 00D000000000000P08.
    | Name | TTL | CLASS | TYPE | VALUE |
    |---|---|---|---|---|
    | example.com. | 600 | IN | TXT | "00D000000000000P08=1TB00000000000B" |
  - Your domain with the _sfdv. prefix.
    Here’s an example of a DNS TXT record for the same domain and verification key with the _sfdv. prefix.
    | Name | TTL | CLASS | TYPE | VALUE |
    |---|---|---|---|---|
    | _sfdv.example.com. | 600 | IN | TXT | "00D000000000000P08=1TB00000000000B" |
  - Your domain name with the orgId._sfdv. prefix, where orgId is the org’s 18-digit ID.
    Use this option if you manage multiple orgs that use the same email-sending domain and you want unique names in DNS.
    Here’s an example of a DNS TXT record for the same domain and verification key with the orgId._sfdv. prefix.
    | Name | TTL | CLASS | TYPE | VALUE |
    |---|---|---|---|---|
    | 00D000000000000P08._sfdv.example.com. | 600 | IN | TXT | "00D000000000000P08=1TB00000000000B" |
  Tip: If a DNS TXT record already exists for one or more of these names, you can create a second TXT record for that name. Or you can append the verification code to the value list. To append a value, separate the values with a semicolon (;).
  Here's an example of a DNS TXT record with multiple values separated by a semicolon.
  | Name | TTL | CLASS | TYPE | VALUE |
  |---|---|---|---|---|
  | example.com. | 600 | IN | TXT | "00D000000000X09=1TB00000000000C;00D000000000P08=1TB00000000000B" |
- If you don’t own the domain, work with the domain owner to add the required TXT record in DNS.
  For example, to enable users to send email from Salesforce with a partner’s email domain, work with the partner to add a record to that domain’s DNS record.
  Provide the domain owner with the verification key from the Authorized Email Domains page in Setup and your 18-digit org ID.
- In Salesforce, verify ownership of the domain.
  - From Setup, in the Quick Find box, enter Authorized Email Domains, and then select Authorized Email Domains.
  - Next to your domain record, click Edit.
  - On the record page, enable Verify domain ownership.
    If domain verification is successful, Verify domain ownership remains enabled. By default, user-level email verification isn’t required for users with email addresses on a verified domain.
    If domain verification is unsuccessful, verify that the required TXT record exists in DNS and that enough time has passed for the change to propagate.
  - To require user-level email verification for this domain, enable Require email verification.
    This setting is enabled by default.
    Warning: When you disable this setting, you risk impersonation fraud because any user who can create users in Salesforce can also send email from any address on this authorized domain. For that reason, we recommend that you always enable Require email verification. See Considerations for Sending Email from Salesforce.
  - Save your changes.
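One way to run the DNS check suggested above when domain verification is unsuccessful, as an added example that is not Salesforce code: it parses TXT answer lines in the record layout shown on this page (for instance the output of `dig +noall +answer <name> TXT`) and reports which of the three valid names carries the `orgId=key` value, including values appended with a semicolon. The function names and the sample records are constructed for illustration.

```python
import re

# One line of `dig +noall +answer <name> TXT` output or a zone-file row:
#   name  TTL  IN  TXT  "string" ["string" ...]
TXT_LINE = re.compile(r'^(\S+)\s+\d+\s+IN\s+TXT\s+(.+)$', re.IGNORECASE)


def candidate_names(domain, org_id):
    """The three record names the page lists as valid for the TXT record."""
    d = domain.rstrip(".").lower()
    return [f"{d}.", f"_sfdv.{d}.", f"{org_id.lower()}._sfdv.{d}."]


def parse_txt_records(answer_text):
    """Return {name: [value, ...]} with semicolon-separated values split out."""
    records = {}
    for line in answer_text.splitlines():
        m = TXT_LINE.match(line.strip())
        if not m:
            continue
        name = m.group(1).lower()  # DNS names compare case-insensitively
        if not name.endswith("."):
            name += "."
        # TXT RDATA may hold several quoted strings; they are concatenated.
        data = "".join(re.findall(r'"([^"]*)"', m.group(2)))
        values = [v.strip() for v in data.split(";") if v.strip()]
        records.setdefault(name, []).extend(values)
    return records


def find_verification_record(answer_text, domain, org_id, key):
    """Return the record name that carries "<org_id>=<key>", or None."""
    expected = f"{org_id}={key}"
    records = parse_txt_records(answer_text)
    for name in candidate_names(domain, org_id):
        if expected in records.get(name, []):
            return name
    return None


# Constructed sample in the page's record layout (not real DNS data).
SAMPLE = '''
example.com.        600 IN TXT "v=spf1 include:_spf.example.net ~all"
example.com.        600 IN TXT "00D000000000X09=1TB00000000000C;00D000000000P08=1TB00000000000B"
_sfdv.example.com.  600 IN TXT "00D000000000000P08=1TB00000000000B"
'''

if __name__ == "__main__":
    print(find_verification_record(SAMPLE, "example.com",
                                   "00D000000000000P08", "1TB00000000000B"))
```

A `None` result for a record that was added recently can mean the change hasn't propagated yet, so query the domain's authoritative name server before concluding the record is missing.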

