Email Sender Domain Enforcement

Starting May 6, 2025 Salesforce is implementing security changes in Account Engagement business units to strengthen protections against email spoofing. At that time, we’ll start rolling out email sender domain enforcement for all Marketing Cloud Account Engagement business units. Emails without a sender email address that contains a validated domain won’t send.

To ensure there's no impact on your business unit, validate all email-sending domains associated with campaigns in your Account Engagement business unit.

How do I know if this enforcement affects me?

Monitor the Optimizer for related alerts. Prior to enforcement, check the Optimizer for invalid email templates. After enforcement, check for email send failure alerts due to an invalid sender.

We're contacting customers who've been identified as having email templates at risk of using invalid email sending domains once enforcement is turned on. These customers fall into two groups:

1. Business units with the potential to send emails without a valid sending domain. Out of caution, we recommend monitoring the Optimizer before enforcement, but no action is required. When an email template is identified as at risk, alerts are shown.
2. Business units identified as sending emails without a valid sending domain. Make sure in-use email templates have been updated with sender email addresses that have a validated domain.

Customers with business units created after July 1, 2023 were unable to send emails or email templates that used sender email addresses without a valid domain. If changes to those emails and email templates included an invalid domain, email sends didn't fail. After May 6, 2025, those same email and email templates won't send.

Customers with business units created before July 1, 2023 may have email templates that are not valid. After May 6, 2025, emails that use those templates won’t send.

How can I determine if I have any email templates without a valid sender domain?

Monitor the Optimizer for related alerts. Before enforcement, check the Optimizer for email templates without a valid sender email address. Click the linked report in the failure message to see the full list of email templates without a valid sender email address. After enforcement, check for email send failure alerts due to an invalid sender email address.

Go to Account Engagement Settings→Optimizer→Configuration Issues to review alerts related to invalid email templates and email send failures.


What action do I take?

1. Identify Impacted Templates: Review the knowledge article Sender Domain Validation Enforcement for steps on identifying email templates with invalid sender domains.
2. Validate Domains: Learn how to add a validated email-sending domain in Salesforce Help. Another option is to update the invalid sender in your current campaigns to one with a validated domain.
3. Delete Irrelevant Templates: If you have email templates with unvalidated domains that are no longer needed, consider deleting them.
4. If your users send emails using the Send Engage Email button, you’ll also need to validate those users’ email domains, as the chosen sender for those emails will be the user clicking the button, regardless of the template’s sender hierarchy.

How do I find active email templates with invalid senders?

As part of the Spring '25 release, new tools are available to help identify and address email send failures.

• Enforcement begins May 6, 2025: Failures due to invalid sender domains will start triggering at that time.
• For Admins:
  • The Failed Email Sends report highlights errors like “Invalid sender address” to support proactive monitoring.
  • The Optimizer now triggers an alert when these errors are detected, prompting a timely investigation.
• For Marketers:
  • A new count has been added to the Account Engagement List Email Report, showing the number of failures and linking directly to the impacted sends.
  • You can also use table actions to export a list of affected prospects and take corrective action.

Why is this change happening?

To enhance your business unit’s security and protect against email spoofing, you must validate an email sending domain by adding a DNS validation key. This requirement has been in place since July 1, 2023. See the knowledge article, Account Engagement DNS Validation Key Requirement.

Starting May 6, 2025, we’re enforcing this requirement for all emails and email templates. They must include a sender email address that contains a validated domain. Otherwise, the emails won’t send.

When did Salesforce require a validated domain for email sends?

As of July 1, 2023, we required customers to validate at least one email sending domain by adding a DNS validation key. See the knowledge article, Account Engagement DNS Validation Key Requirement. We delayed enforcement of validated domains across all emails to give customers more time to prepare.

Starting May 6, 2025, we’re turning on enforcement of email sending domain validation for your business unit. After that time, emails without a validated email sending domain won’t send.

Why do some of the ‘Invalid Email Templates’ links direct me to a message stating “Looks like there’s a problem. We couldn’t find the record you’re trying to access. It may have been deleted by another user, or there may have been a system error. Ask your administrator for help.”?

For context, when an Email Content record is created in Lightning we will replicate an Email Template record into the Account Engagement application. When Email Content is deleted in Salesforce it does not delete the replicated Email Template record in the Account Engagement application.

You can safely ignore links in the ‘Invalid Email Templates’ table that direct to deleted Email Content records. You’re not at risk of sending failing emails from these content records unless you un-delete them.


If you have more questions, contact Salesforce Customer Support.