Email-Sending Domain Verification FAQ

Does verification of my root domain (example.com) cover all subdomains (mail.example.com, sales.example.com)?

Answer: No. You must verify each domain and subdomain with a separate DKIM key or authorized email domain.
 

Do I need to set up both a DKIM key and an authorized email domain?

Answer: No. Only one of these two verification methods are required for each domain and subdomain. To meet the requirement, the DKIM key must be active or the authorized email domain must be verified.

Which verification method is recommended?

Answer: Salesforce recommends that you verify your email-sending domain with an active DKIM key. 

DomainKeys Identified Mail (DKIM) provides an additional benefit. DKIM is a security standard that attaches a digital signature to your emails to prove that they came from you. With this signature, the receiving server can verify that the message content wasn’t altered or faked during transit. DKIM builds trust with email providers, so your messages are more likely to land in the inbox instead of the spam folder. 

Although a verified authorized email domain meets the requirement to send email from Salesforce with your domain, there’s no additional benefit. Salesforce only recommends this option if you have a reason not to use DKIM keys.

When does this change take effect?

Answer: See Mandatory Sending-Email Domain Verification Timeline.

Does the requirement apply to sandboxes?

Answer: Yes, email-sending domain verification is also required in all types of sandboxes. DKIM keys and Authorized Email Domains aren’t copied today when creating a new sandbox and new unique ones will have to be created for each Sandbox.

What about Organization Wide Addresses or other areas in the application where user emails are already verified?

Answer: This change affects any email with a sending domain that Salesforce doesn't own when that email is sent from your Salesforce org or related automations. Emails from verified Org Wide addresses still need the sending domain/s to be verified.
 

Why only exempt gmail.com, hotmail.com, and outlook.com? 

Answer: Salesforce analyzed current email patterns. Those domains represent the vast majority of users with public email addresses. 
 

Will other public email domains be exempted from the verification requirement?

Answer: Not at this time. If users in your org have email addresses on other public email domains, enable the substitution domain option when it’s available. 

What happens if an email fails to send due to an unverified domain? Are there logs available? Will the entire Apex/Flow transaction also fail?

Answer: This is dependent on the sending feature. Some features will check if the sending domain is authorized before trying to send the email. If the feature is able to catch the error before sending it should display some error message back to the customers. Features that might not check for an authorized domain beforehand or give back an error message when our internal Email API sends, we will pass the email to our MTA logs and show the DSN - "550 5.7.1 Delivery not authorized, message discarded".  To identify any failures check the email logs in Setup from time to time for this error. 

See:  Use Email Logs to Monitor Emails Sent from Salesforce.

What about users with an email domain that I can't verify?

Answer: Yes. On the Deliverability page in Setup, enable Use a substitute email address for unverified domains. With this option, Salesforce can send email for users whose email domains you can't verify, such as Experience Cloud site users, Salesforce Sites users, consultants, and users with public email addresses like yahoo.com or icloud.com. For more information, see Send Email for Users with Unverified Domains.

How can I tell which email domains are in use in my org?

Answer: Customer can search email logs Use Email Logs to Monitor Emails Sent from Salesforce The Sender field in the returned data can be examined for what domains are being sent from the org. More information: Email Log Reference.

How can I tell which email domains are temporarily allowlisted?

Answer: See Determine Your Temporarily Allowlisted Email-Sending Domains.

How can I tell whether an email domain is verified in my org?

Answer: 

• To check whether Salesforce can send email from a specific domain, see Check the Verification Status of an Email-Sending Domain in Salesforce Help.
• To find all the DKIM keys and authorized email domains configured in your org, use Developer Console. See Identify Verified Email-Sending Domains in Salesforce Help.

Why am I receiving this advisory notification email from Salesforce with the Subject: Contact your Salesforce admin to verify your email domain? 

Answer: Excerpt of contents:
"You recently sent one or more emails from Salesforce with your email address, {user_email_address}.."

If you received this message, it means an email was sent from a domain that Salesforce hasn't verified. This can happen when using a new domain or one that hasn't been authorized in your org's setup. Salesforce now sends this notification to any user who sends email from an unverified domain in Salesforce. To avoid any disruption to your email sending, reach out to your Salesforce admin to get your domain verified.

Why am I receiving this delivery failure notification email from Salesforce with the subject: Salesforce Messages Not Delivered?

Answer: Excerpt of Contents:
“Salesforce couldn't deliver one or more emails that you recently sent because your email address, {user_email_address}, uses an unverified domain.”

You're seeing this message because you sent an email from a domain that hasn't been verified in Salesforce. This may be a new domain or one listed as an unverified one in your org's setup. Salesforce now sends this notification to any user who attempts to send email from an unverified domain. Eventually, Salesforce will stop delivering emails sent from unverified domains entirely. This email is only sent to users once every release cycle, not repeatedly.

How do I stop domain verification notification emails being sent to users?

Answer: System administrators can turn off email notifications to users sending to temporarily allowlisted email domains. These notifications warn users that delivery can fail for future email sent from Salesforce. If you use a substitute email address for unverified domains, those notifications don't apply. To turn off these notifications the setting below can be found under the “Email Domain Verification” section of Deliverability in Salesforce Setup.

Where can I find detailed instructions for popular domain registrars?

Answer: Although Salesforce can’t provide guidance or instructions for the registrar’s processes, here are links to the instructions published by popular registrars:

• Amazon (AWS) Route 53
• BlueHost
• Cloudflare
• GoDaddy
• Hostinger
• IONOS
• Namecheap
• Shopify
• Squarespace
• Wix
• Wordpress