Loading

Email-Sending Domain Verification FAQ

Udgivelsesdato: Apr 15, 2026
Beskrivelse

As part of our ongoing efforts to strengthen the security of our email services, email domain verification is required. Salesforce no longer delivers emails from unverified domains, even if the email addresses are individually verified.

With this change, delivery fails for emails sent from Salesforce if the email domain–the part after the at (@) symbol–isn’t verified via either an active DKIM key or a verified entry in the authorized email domain list.

This article provides answers to common questions about this change and the verification process. 

Løsning

Does verification of my root domain (example.com) cover all subdomains (mail.example.com, sales.example.com)?

Answer: No. You must verify each domain and subdomain with a separate DKIM key or authorized email domain.
 

Do I need to set up both a DKIM key and an authorized email domain?

Answer: No. Only one of these two verification methods are required for each domain and subdomain. To meet the requirement, the DKIM key must be active or the authorized email domain must be verified.

 

Which verification method is recommended?

Answer: Salesforce recommends that you verify your email-sending domain with an active DKIM key. 

DomainKeys Identified Mail (DKIM) provides an additional benefit. DKIM is a security standard that attaches a digital signature to your emails to prove that they came from you. With this signature, the receiving server can verify that the message content wasn’t altered or faked during transit. DKIM builds trust with email providers, so your messages are more likely to land in the inbox instead of the spam folder. 

Although a verified authorized email domain meets the requirement to send email from Salesforce with your domain, there’s no additional benefit. Salesforce only recommends this option if you have a reason not to use DKIM keys.

 

When does this change take effect?

Answer: See Mandatory Sending-Email Domain Verification Timeline.

 

Does the requirement apply to sandboxes?

Answer: Yes, email-sending domain verification is also required in all types of sandboxes. DKIM keys and Authorized Email Domains aren’t copied today when creating a new sandbox and new unique ones will have to be created for each Sandbox.

 

What about Organization Wide Addresses or other areas in the application where user emails are already verified?

Answer: This change affects any email with a sending domain that Salesforce doesn't own when that email is sent from your Salesforce org or related automations. Emails from verified Org Wide addresses still need the sending domain/s to be verified.
 

Why only exempt gmail.com, hotmail.com, and outlook.com? 

Answer: Salesforce analyzed current email patterns. Those domains represent the vast majority of users with public email addresses. 
 

Will other public email domains be exempted from the verification requirement?

Answer: Not at this time. If users in your org have email addresses on other public email domains, enable the substitution domain option when it’s available. 

 

What happens if an email fails to send due to an unverified domain? Are there logs available? Will the entire Apex/Flow transaction also fail?

Answer: This is dependent on the sending feature. Some features will check if the sending domain is authorized before trying to send the email. If the feature is able to catch the error before sending it should display some error message back to the customers. Features that might not check for an authorized domain beforehand or give back an error message when our internal Email API sends, we will pass the email to our MTA and the MTA logs a DSN - 550 5.7.1 Delivery not authorized, message discarded.  These can be searched for using the email logs feature Use Email Logs to Monitor Emails Sent from Salesforce.

 

What about users with an email domain that I can't verify?

Answer: Yes. On the Deliverability page in Setup, enable Use a substitute email address for unverified domains. With this option, Salesforce can send email for users whose email domains you can't verify, such as Experience Cloud site users, Salesforce Sites users, consultants, and users with public email addresses like yahoo.com or icloud.com. For more information, see Send Email for Users with Unverified Domains.

 

How can I tell which email domains are in use in my org?

Answer: Customer can search email logs Use Email Logs to Monitor Emails Sent from Salesforce The Sender field in the returned data can be examined for what domains are being sent from the org. More information: Email Log Reference.

 

How can I tell which email domains are temporarily allowlisted?

Answer: See Determine Your Temporarily Allowlisted Email-Sending Domains.

 

How can I tell whether an email domain is verified in my org?

Answer: 

 

Where can I find detailed instructions for popular domain registrars?

Answer: Although Salesforce can’t provide guidance or instructions for the registrar’s processes, here are links to the instructions published by popular registrars:

 

 

Change Log

 

Date

Change

March 16, 2026

Initial publication

April 15, 2026

Added these questions:

  • What about users with an email domain that I can't verify?
  • How can I tell which email domains are in use in my org?

 

Vidensartikelnummer

005316911

 
Indlæser
Salesforce Help | Article