Recommended Best Practices for Email Verification and Device Activation in Summer ’26

Publish Date: May 29, 2026

Description

What Happens When a Salesforce Sandbox Is Refreshed

When a Salesforce sandbox is refreshed, all users who are not members of a public group have their email addresses automatically appended with .invalid. For example, user@company.com becomes user@company.com.invalid.

When a System Administrator corrects a user's email address by removing the .invalid suffix, Salesforce sends that user an email verification link to confirm the change.

Behavior Before Summer '26 Patch 7 (Original Issue)

In patches prior to Summer '26 Patch 7, clicking the email verification link triggered the following sequence:

The user was prompted to log in to verify their identity.
If the user's last_login field was not null (meaning the user had previously logged into the sandbox), the system triggered the Device Activation (Identity Confirmation) process.
The Device Activation code was sent to the old .invalid email address, which the user could not access — blocking them from completing the verification.

Behavior After Summer '26 Patch 7 (Fixed)

In Summer '26 Patch 7 and later, clicking the email verification link completes the email address change successfully. Salesforce still requires the user to verify their identity after an email change — this is by design and has not changed. However, Forced Device Activation (also called Identity Confirmation) is no longer triggered as part of this email verification flow.

Summary of Changes

Area	Change
Fixed in Summer '26 Patch 7	Forced Device Activation no longer triggers when a user clicks an email-address-change verification link
Unchanged	Identity verification is still required when a user's email address changes. This is intentional behavior.

Resolution

How to Check Your Salesforce Instance Patch Version

To verify which patch version your Salesforce organization is currently running:

Go to Setup and select Company Information. The Instance field displays your org's instance name (for example, NA45 or CS87).
Visit status.salesforce.com, search for your specific instance, and review the current release version displayed on the right side of the screen.

If Your Org Is on Summer '26 Patch 7 or Later

No action is required. The Forced Device Activation step has been removed from the email-change verification flow. Users who update their email address are still asked to verify their identity (this is expected behavior), but they are no longer sent a Device Activation code to an inaccessible .invalid address.

If Your Org Is on a Patch Earlier Than Summer '26 Patch 7

Until your Salesforce instance is updated to Summer '26 Patch 7 or later, the following best practices and workarounds apply.

Note: The workarounds described below are no longer required once your instance is updated to Summer '26 Patch 7 or later.

Best Practice — Recommended Order of Operations to Prevent the Issue

To prevent users from getting stuck in the Device Activation loop, System Administrators should correct the user's email address before the user logs in to the refreshed sandbox for the first time.

Admin Action: Immediately after the sandbox refresh completes, remove the .invalid suffix from the user's email address and save the corrected address.
Key Condition: This step must be completed while the user's last_login field is still null, meaning the user has not yet logged in to the newly refreshed sandbox.
Result: Device Activation does not trigger, and the email change is verified successfully.

Workarounds for Users Already Stuck in the Device Activation Loop (Pre–Summer '26 Patch 7 Only)

If a user has already logged in to the sandbox and is currently stuck in the Device Activation loop, use one of the following methods to resolve the issue:

Register a Mobile Phone Number: Set a mobile phone number on the user's detail page. On the next login attempt, the Device Activation challenge is sent to the user's phone via SMS instead of the inaccessible .invalid email address. The user can then complete verification.
Define Trusted IP Ranges: Set Trusted IP Ranges for the organization (found under Setup | Network Access) or directly on the user's Profile. When the user logs in from a trusted IP address, Salesforce bypasses the Device Activation prompt, allowing the user to complete email verification without needing access to the .invalid address.

Knowledge Article Number

005322018

Did this article solve your issue?

Let us know so we can improve!