Update Your DNS for Enhanced Security and Seamless Management with Salesforce Marketing Cloud Engagement

Update Your DNS Settings 

Before June 1, 2026, you must update the DNS settings for your impacted domains. Complete these steps to update the DNS settings for your domains.

1. Review the email from Salesforce that describes this change. The email contains a list of impacted domains, and provides a CNAME record for each DSE.

2. Log in to the management console for your DNS provider. See the documentation for your DNS provider for complete instructions.

3. Edit the DNS records for each impacted domain. 

   1. Replace the existing CNAME records with the DSE values provided in the email from Salesforce. If your configuration uses A records that refer to a specific IP address, replace them with CNAME records that refer to the DSE. This table shows examples of both types of configurations.

2. Search for a Certificate Authority Authorization (CAA) record that applies to the impacted domain. If you use an SSL certificate provided by Salesforce, add DigiCert to the CAA record at the level of the impacted domain, or at a higher level. This table shows an example of this change.

4. Save your updated DNS records. Updated records typically take several hours to propagate across the internet, but can take up to 48 hours.

After you update your DNS to refer to your DSE, your configuration is secure. There's no downtime involved with this change. 

Confirm your configuration by using an online DNS or SSL checking tool. Several such tools are available online. Enter your domain into the tool and verify that the CNAME record points to the new DSE and the final resolved target. If you updated your CAA records, you can also verify that they reflect your changes.

Use Your Own SSL Certificates

By default, Salesforce secures domains by using SSL certificates from DigiCert. Your organization can optionally use an SSL certificate from a different Certificate Authority (CA) to secure your SAP and CloudPages domains.

To use your own SSL certificate, first update your DNS to point to your DSE. After that, you have two options:

• Secure the domains immediately with your own certificates before June 1, 2026.

• Let Salesforce apply a certificate to your domains automatically. Later, you can replace it with a customer-supplied certificate.

Frequently Asked Questions

What is a Domain-Specific Endpoint?

A DSE is a unique endpoint that Salesforce hosts for your specific domain. Instead of pointing your DNS CNAME records to a generic Salesforce instance, you point them to a unique DSE. This configuration allows Salesforce to manage the underlying infrastructure, security, and future updates for that domain without downtime, while you retain control of your DNS zone.

What happens if I don't update my DNS before June 1, 2026?

If you don't update your DNS before June 1, 2026, Salesforce can't secure your existing domains on your behalf. Unsecured domains can be vulnerable to security issues, and can result in links and images in your emails not appearing correctly. You're responsible for securing these domains.

Will there be any downtime during this DNS update?

No. DNS changes take time to propagate fully, but these DNS changes don't interrupt your Marketing Cloud activities.

How can I verify that my DNS update was successful?

After you update your DNS records, you can use an online DNS or SSL checker to view the CNAME records for your domain. Confirm that the CNAME record now points to the new DSE provided by Salesforce.

I have multiple domains listed. Do I need to update all of them?

Yes. Update the CNAME record for each impacted domain listed in the email you received from Salesforce. Each domain has a unique DSE.

Who do I contact in my organization to make these changes?

Contact your IT department, webmaster, or anyone in your organization with administrative access to your domain's DNS records.

The email I received says that Salesforce secures my existing domains at no additional cost until my contract renews. What does that mean?

Effective June 1, 2026, all new SAP and CloudPages domains are automatically secured by default, and existing unsecured domains are automatically secured on your behalf.  

New customers after June 1, 2026 require an SSL Certificate license for each SAP and CloudPages domain.

For existing customers, Salesforce provides SSL Certificate licenses at no additional cost. Salesforce secures your existing domains and any new SAP and CloudPages domains. This coverage continues until your next contract renewal, or when you request a quote for more SAP licenses, whichever occurs first. At that point, you're responsible for purchasing an SSL Certificate license for each domain. One SAP license requires four SSL licenses, and each additional CloudPages domain requires an SSL license.