Salesforce Email: Mandatory Domain Verification
The clock is ticking for Salesforce administrators. Starting March 9, 2026, Salesforce is enforcing a major security update that changes how your emails are delivered. If you haven’t verified your company’s email domain, your outgoing communications - from automated alerts to direct sales emails - will start bouncing or landing in “Junk” folders.
At Sliick, we want to ensure your operations remain seamless. Here is everything you need to know about the new Salesforce requirements and how to stay compliant.
What is Changing?
Previously, Salesforce relied on User-Level Verification (individual users confirming their email via a link). Now, Salesforce requires Domain-Level Verification to prove your company authorised Salesforce to send mail on your behalf (e.g., @yourcompany.com).
This is achieved using DNS (Domain Name System). Think of DNS as the “phonebook” of the internet; by adding records to your DNS, you are publicly certifying that Salesforce is an authorised sender for your domain.
The Deadlines:
- Enforcement Starts: March 9, 2026.
- Sandbox Deadline: March 30, 2026.
- Production Deadline: April 27, 2026.
If you use a custom domain and don’t verify it, Salesforce will block those emails from being delivered.
Does This Affect Me?
Check the table below to see where your organisation stands:
| If you send via… | Impact | Action Required |
|---|---|---|
Salesforce Directly (@yourcompany.com) | High | Yes. Set up DKIM or Authorised Domains. |
| Gmail/Outlook Integration | None | No. These use your email provider’s servers. |
| Einstein Activity Capture (EAC) | None | No. EAC handles verification via the provider. |
Public Domains (@gmail.com, @outlook.com) | Low | No. These public domains are currently exempt. |
How to Check Your DKIM Status
The best way to comply is by using DKIM (DomainKeys Identified Mail). It acts as a digital signature for your domain, proving to the recipient’s email server that the message really came from you and hasn’t been altered in transit.
- Log into Salesforce Setup: Click the Gear Icon > Setup.
- Navigate to DKIM Keys: Type “DKIM Keys” in the Quick Find box.
- Review Your Keys:
- Status: Ensure it says “Active”.
- Domain: Ensure it matches your sending domain (e.g.,
sliick.com).
- Test Deliverability: Use the “Test Deliverability” tool in Setup. If the test email arrives without a “via salesforce.com” warning, your DKIM is working.
Technical Guide: Adding DNS Records
If your status is “Pending” or “Inactive,” your IT team needs to add records to your DNS provider (e.g., Cloudflare, GoDaddy).
Step 1: Generate Keys in Salesforce
- Go to Setup > DKIM Keys > Create New Key.
- Set Key Size to 2048-bit.
- Enter a Selector (e.g.,
sf1) and an Alternate Selector (e.g.,sf2). - Enter your Domain and click Save. Salesforce will generate CNAME Records for you.
A CNAME (Canonical Name) record is an “alias” in your DNS. Instead of pasting a complex security key directly, you create a CNAME that points to Salesforce’s managed key. This allows Salesforce to rotate security keys automatically behind the scenes without you needing to update your DNS again later.
Step 2: Update DNS Settings
Your IT Administrator must:
- Create a new CNAME record.
- Host: Paste the “CNAME Record” (e.g.,
sf1._domainkey). - Value: Paste the “Target” (e.g.,
sf1-sliick-com.dkim.salesforce.com). - Repeat for the alternate selector.
Note: For Cloudflare users, set the record to “DNS Only” (Grey Cloud), not “Proxied.”
Step 3: Activation
Once DNS changes propagate (30 mins to 24 hours), return to DKIM Keys in Salesforce and click Activate.
Final Thoughts
Email security is no longer optional. By enforcing domain ownership through DNS and DKIM, Salesforce is protecting your brand reputation and ensuring your critical communications reach their destination. Don’t wait until the April 27 deadline - verify your domains today.
Need help with your DNS configuration or a Salesforce security audit? Contact the Sliick team today and we’ll get your email delivery back on track!
