          Restrict User Email Domains Control

          Define an allowlist to restrict the email domains allowed in a user’s Email field, to make sure the domains used are trusted.

          Control Name

          Restrict User Email Domains

          Recommended Configuration

          Define an allowlist to restrict the email domains allowed in a user’s Email field. In Setup, go to Authorized Email Domains > New Authorized Email Domain.

          Control Overview

          Define an allowlist to restrict the email domains allowed in a user’s Email field, to make sure the domains used are trusted. New users with an email address on an authorized email domain can send email from that address through Salesforce without additional verification.

          To use this feature, add the authorized email domain and then verify ownership of your domain. Domain verification requires a DNS TXT record for your domain name that equals the verification code.

          Security Risk If Not Configured

          Without this control, there is significant risk in offboarding procedures and data governance, because the company loses the ability to monitor or revoke access to the inbox where critical security alerts and corporate information are being sent.

          Threat Scenarios

          A malicious user could change their Salesforce email to a personal address to maintain access through password resets, or to receive sensitive data exports and system notifications outside the company’s oversight.

          Estimated CVSS Score Range

          Critical (9.0–10.0).

          Risk Impact Considerations

          Risk severity depends on the type of users, the user population size, and platform email usage.

          Higher Risk When

          The Send Email permission is granted to all users without restriction.

          Low or No Risk When

          This control can be considered low risk when one or more of the following are implemented:

          • Limited number of users with Send Email permission: Send Email permission provisioning rules are tightly scoped to enforce least privilege.
          • IP Login Restriction: IP login restrictions are in place for users with privileges to modify the setup.
          • MFA Enforcement: MFA is enforced for Salesforce users.

          Business and Integration Considerations

          Customers should evaluate the business justification for each user and profile that has the Send Email permission.

          Recommended Remediation

          Restrict the Send Email permission to authorized profiles, and restrict the domains that can be used.

          Security Health Review Guidance

          User email domain restriction is a control that customers configure based on their requirements. This change impacts new users and changes to existing users. Existing users whose records are not changed are not impacted.
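
          Because existing users are not impacted until their record changes, existing User records can be audited against the allowlist separately. The Python sketch below is an added example, not Salesforce code: the export columns (Username, Email, IsActive), the sample rows, and the domain list are constructed, and exact-domain matching is an assumption about how the comparison should be made.

```python
import csv
import io

# Assumption: the domains listed under Setup > Authorized Email Domains (constructed values).
AUTHORIZED_DOMAINS = {"example.com", "corp.example.com"}

# Constructed sample of a User export; not real data.
SAMPLE_EXPORT = """Username,Email,IsActive
alice@example.com.prod,alice@example.com,true
bob@example.com.prod,Bob@Corp.Example.COM,true
carol@example.com.prod,carol@personal-mail.test,true
dave@example.com.prod,dave@example.com.attacker.test,true
erin@example.com.prod,erin@sub.example.com,true
frank@example.com.prod,frank-at-example.com,true
gina@example.com.prod,gina@personal-mail.test,false
"""

def email_domain(address):
    """Return the lowercased domain of an address, or None if it is malformed."""
    local, sep, domain = address.strip().rpartition("@")
    domain = domain.rstrip(".").lower()
    if not sep or not local or "." not in domain or " " in domain:
        return None
    return domain

def audit_users(export_text, authorized, include_inactive=False):
    """Return (username, email, reason) for each user outside the allowlist."""
    allowed = {d.strip().rstrip(".").lower() for d in authorized}
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        active = row["IsActive"].strip().lower() == "true"
        if not active and not include_inactive:
            continue
        domain = email_domain(row["Email"])
        if domain is None:
            findings.append((row["Username"], row["Email"], "malformed"))
        elif domain not in allowed:
            # Exact match only: subdomains and suffix look-alikes
            # (example.com.attacker.test) are both reported.
            findings.append((row["Username"], row["Email"], "unauthorized:" + domain))
    return findings

if __name__ == "__main__":
    for username, email, reason in audit_users(SAMPLE_EXPORT, AUTHORIZED_DOMAINS):
        print(f"{username}\t{email}\t{reason}")
```

          Inactive users are skipped by default; pass include_inactive=True to review them as part of offboarding checks.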

           