
Spring ’26 Email-Sending Domain Verification Requirement

Publish Date: May 1, 2026
Description

What’s Changing

With this change, delivery fails for emails sent from Salesforce if the email domain–the part after the at (@) symbol–isn’t verified. To verify an email domain, set up an active DKIM key or a verified authorized email domain. This requirement applies to email relay.

The new domain-level verification requirement is in addition to the existing requirement to verify individual email addresses. 

This change requires action from Salesforce admins and their DNS admins.

 

Why Is Salesforce Making This Change

This is a security enhancement for outbound email that helps keep email safe and deliverability high.

When Does This Change Take Effect

Allowlist Generation

In existing orgs, Salesforce generated a temporary allowlist of email-sending domains.

  • For Government Cloud orgs, the allowlist includes the domains used between January 25, 2026 and February 25, 2026.

  • In all other orgs, the allowlist includes domains used between January 7, 2026, and February 25, 2026.

 

Phase 1: New Email-Sending Domains and Existing Domains 

These changes take effect shortly after your org gets Spring '26, patch 11. 

  • Verification is required for all new email-sending domains, regardless of whether you add the domain to a new or existing org.
  • Verification is required for existing email-sending domains that aren’t allowlisted.

 

Phase 2: Enforcement for Allowlisted Domains

  • In sandboxes, verification of the allowlisted domains will be required starting April 14, 2026.
  • In all other orgs, including production, the enforcement dates for verification of the allowlisted domains are TBD (this will be a gradual rollout starting early May).

 

For more information, see Determine Your Temporarily Allowlisted Email-Sending Domains and Mandatory Email Domain Verification Timeline.

 

Substitution Email Option

In late April 2026, Salesforce adds an option to send email from unverified domains. If the individual email address is verified but the email domain is unverified, Salesforce sends the email with email@<orgID_or_siteID>.sfcustomeremail.com as the From address. 

This option allows Salesforce to send email for users whose email domains you can't verify, such as Experience Cloud site users, Salesforce Sites users, consultants, and users with public email addresses like yahoo.com or icloud.com. For more information, see Send Email for Users with Unverified Domains.

 

Additional Changes in Spring ’26, Patch 11

Salesforce plans to introduce these changes when domain verification is deployed in your org shortly after Spring ’26, patch 11. For timing, see Mandatory Sending-Email Domain Verification Timeline.

  1. To support verification of email domains hosted in partner orgs, we plan to add <orgid>.sfdv.<domain> as a valid text record location for email-sending domain verification.
  2. The ability to check whether a specific domain is verified for sending email. We plan to add this to the Deliverability page in Setup.

  3. To help better protect your org, we plan to update DKIM signatures to also protect the Reply-To header from alteration. This change aligns with current security practices and can improve the deliverability of email that uses public email domains, such as gmail.com.

  4. Dropdown lists of From email addresses show only email addresses with verified domains. Note: this change may not apply to all dropdown lists with the first update.

 

Who’s Affected

This change affects emails sent from Salesforce and related automations with an email-sending domain that Salesforce doesn't own, including system-generated emails.

Exceptions

  1. Domain verification isn’t required for Marketing Cloud or Marketing Cloud Advanced emails.

  2. Domain verification isn't required for services connected to external accounts where email is sent from the customer Mail Transfer Agents (MTAs). Specifically, this means that domain verification isn't required for:

    • Emails sent through Gmail and Office 365 (Outlook) integrations.

    • Emails sent via the Salesforce Einstein Activity Capture (EAC) tool (“Inbox”)

  3. Emails sent with Salesforce Free Suite or in trial orgs with the salesforce-free-mailsend.com domain.

  4. Emails that end in @gmail.com, @hotmail.com, or @outlook.com don’t require domain-level verification. These are the most common public email providers used to send email from Salesforce.

Important: Emails sent from areas of Salesforce other than Leads, Contacts, Opportunities, Accounts, and Cases (Inbox and Email-to-Case don’t apply to the Case object) still need to meet the domain-level verification requirement.

In all cases, the individual email address must still be verified.

 

What to Expect

If you don’t take action, email delivery can fail for user-authored and system-generated emails sent by Salesforce. 

Delivery fails for emails sent from Salesforce if the email domain–the part after the at (@) symbol–isn’t verified via either an active DKIM key or a verified entry in the Authorized Email Domain list in Setup. 

Potential Issues

  • Email Composer: When a user tries to send email from an unverified domain, the composer blocks the send and shows this error: Not allowed to send from an unauthorized domain.

  • Other Methods: Emails sent via Apex, Flows, Alerts, Automations, and similar methods may not be able to show an error message in the UI. To check for potential problems, admins can proactively inspect the email logs in Setup for this string: 550 5.7.1 Delivery not authorized, message discarded

  • Users report an error message like:

    • We can’t send your email because your email address domain isn’t verified. Ask your Salesforce admin for help.

    • We can’t send your email. Your email address uses an unverified domain. To send emails, ask your Salesforce admin to verify the email domain.

  • Users can’t select their email address in dropdowns because their email domain isn’t verified.
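
One way to run the email log check described under Other Methods, shown as an added example that is not Salesforce code: it scans an exported email log for the rejection string and counts hits per sender domain, so you can see which domains still need verification. The CSV column names and the sample rows are constructed assumptions; set `sender_column` to match your exported log.

```python
import csv
import io
from collections import Counter

# Rejection string quoted in this article.
REJECT_MARKER = "550 5.7.1 Delivery not authorized, message discarded"

# Constructed sample rows; the column names are assumptions about the export.
SAMPLE_LOG = """\
Date/Time,Sender,Recipient,Mail Event,Delivery Status Notification
2026-05-04 09:12:01,alerts@example.com,pat@example.net,R,"550 5.7.1 Delivery not authorized, message discarded"
2026-05-04 09:12:07,noreply@verified.example,lee@example.net,D,250 2.0.0 OK
2026-05-04 09:13:40,Billing@Example.com,kim@example.net,R,"550 5.7.1 Delivery not authorized, message discarded"
2026-05-04 09:15:22,ops@example.org,sam@example.net,R,550 5.7.1 Delivery not authorized, message discarded
"""


def rejected_by_domain(log_text, sender_column="Sender", marker=REJECT_MARKER):
    """Count log rows carrying the rejection string, keyed by sender domain."""
    rows = csv.reader(io.StringIO(log_text))
    header = next(rows, [])
    sender_idx = header.index(sender_column) if sender_column in header else None
    counts = Counter()
    for row in rows:
        # Re-join the fields: the marker contains a comma, so an unquoted
        # export splits it across two cells.
        if marker not in ",".join(row):
            continue
        sender = ""
        if sender_idx is not None and sender_idx < len(row):
            sender = row[sender_idx].strip()
        _, at, domain = sender.rpartition("@")
        # Domains are case-insensitive, so fold them before counting.
        counts[domain.lower() if at else "(unknown)"] += 1
    return counts


if __name__ == "__main__":
    for domain, hits in rejected_by_domain(SAMPLE_LOG).most_common():
        print(f"{domain}: {hits} rejected message(s)")
```
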

 

Resolution

Before Enforcement: How to Prepare

Verify Your Email-Sending Domains. 

You only need ONE of these two options, not both.

Option 1 (Recommended): Create a DKIM Key

An active DKIM (DomainKeys Identified Mail) key satisfies the new requirement for email-sending domain verification. A DKIM key also increases your domain’s reputation as a legitimate sender, reducing the chance that your outbound emails end up in the recipient’s spam folder.

Navigation Path: In Setup, search for and select DKIM. Review the list for active keys.

Option 2 (Alternative): Authorized Email Domains

If you don’t want to use a DKIM key, set up an authorized email domain. A verified entry on the Authorized Email Domain list in Setup satisfies the new requirement for email-sending domain verification. See Verify Your Email-Sending Domains in Setup.

Navigation Path: In Setup, search for and select Authorized Email Domains. Review the list for verified domains.

Note: Both of these options require DNS (Domain Name System) TXT (text) records. To set up those DNS records, work with your DNS admin or the host for your domain.

Need More Time?

If you need more time to verify your email-sending domains, prepare to enable Use a substitute email address for unverified domains on the Deliverability Setup page when your org gets this update.

 

After Enforcement: Resolve Errors

To enable Salesforce to send email from domains that aren’t yet verified, enable Use a substitute email address for unverified domains on the Deliverability Setup page when your org gets the change shortly after Spring ’26, patch 11. 

Tip: The substitute email address option also allows Salesforce to send email for users with an email domain that you can’t verify, such as Experience Cloud site users and users with public email domains like yahoo.com and iCloud.com. We recommend that you prepare to enable this option as soon as your org gets these changes. 

To send email from Salesforce using a domain that you own, verify the email-sending domain via an active DKIM key or a verified authorized email domain.

 

Common Questions

See Email-Sending Domain Verification FAQ.

 

Change Log

Date | Change
March 25, 2026
  • Added Internal Information about current Extension process
March 17, 2026
March 18, 2026
  • Updated the "When Does This Change Take Effect" to reflect that verification is required for allowlisted domains starting on the listed dates
  • In the "Potential Issues" list, removed the conditional phrase about when users can stop seeing their email addresses in dropdowns. That change takes effect when Salesforce requires domain verification in your org.
  • In "Before Enforcement: How to Prepare," updated the label for the substitution option checkbox to match the final design
  • Minor wording and formatting updates
March 20, 2026
  • In the "When Does This Change Take Effect" section, clarified the dates when the allowlist was generated for Government Cloud orgs.
April 2, 2026
  • Updated the starting enforcement dates for allowlisted domains due to the delayed rollout of Spring ‘26, patch 11. 
  • Expanded the list of users that may require the substitution domain. Changed "site users" to "Experience Cloud site users and users with public email domains like yahoo.com and iCloud.com."
April 15, 2026
  • Updated the article to reflect that the substitution email option is available in late April.
  • In the "Additional Changes in Spring ’26, Patch 11" section, added a link to the timeline for more details
April 30, 2026
  • Updated the starting enforcement dates for allowlisted domains for all other orgs including production

 

Knowledge Article Number

005316090

 