
Action Required: Salesforce's Biggest Security Overhaul in Years — Every Deadline, Every Change, and Your Complete Preparation Guide
| Topic | Summary |
|---|---|
| What is it? | Salesforce is rolling out mandatory security changes across email verification, MFA enforcement, phishing-resistant authentication, IP restrictions, and data export controls — with deadlines starting now through June 2026. |
| Key Deadlines | Email domain verification: April 6–17 (production). MFA + phishing-resistant MFA + IP restrictions + Transaction Security Policies: June 2026. |
| What Happens If You Don't Act | Unverified domains = silently dropped emails. Missing MFA = login failures. No IP restrictions = blocked access. No TSP = auto-enabled policies you didn't configure. |
| Who's Affected | Every Salesforce customer. Period. |
| Bottom Line | Five simultaneous security mandates with real consequences. Prepare now or scramble later. |
Why Salesforce Is Doing This Now
Starting with Spring '26, Salesforce is converting security recommendations into enforced requirements with hard deadlines. AI-powered phishing has made credential theft cheaper and more scalable. As one Salesforce security team member noted: "This is the first time Salesforce has enforced a change outside of its regular release schedule."
Change #1: Email Domain Verification (Deadlines: NOW Through April 27)
What's Changing
Every domain used to send outbound email must be verified. Unverified domains = silently dropped emails — no bounce, no error for automations. Just silence.
Affected: Email Composer, Apex email, Flow-triggered emails, Workflow alerts, Process automations
Not affected: Marketing Cloud, Einstein Activity Capture, Inbox, free consumer domains (gmail.com, outlook.com)
| Date | What Happens |
|---|---|
| March 9, 2026 | Verification required for all new orgs and new sending domains |
| March 24–April 3 | Domain verification enforced in all sandboxes |
| April 6–17, 2026 | Domain verification enforced in all production orgs |
| April 27–May 15 | Temporary allowlisted domains must be fully verified in production |
Watch your email logs for this error: 550 5.7.1 Delivery not authorized, message discarded
How to Verify: DKIM Keys (Recommended)
- Setup → search DKIM Keys → Create New Key
- Select 2048-bit RSA key size
- Enter a selector (e.g., yourcompany-sf-a) and an alternate selector
- Enter your sending domain
- Save — Salesforce generates CNAME records within ~15 minutes
- Add two CNAME entries to your DNS
- Wait for propagation (up to 72 hours)
- Return to Setup and click Activate
Note: example.com does NOT cover mail.example.com. Each domain and subdomain needs its own key.
Fallback: Authorized Email Domains
- Setup → Authorized Email Domains → Add domain
- Salesforce generates a verification key
- Add TXT record to your DNS
- After propagation, enable Verify domain ownership
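The DKIM and Authorized Email Domains procedures above both leave one question open: which of your sending domains are actually covered once enforcement hits? The following Python audit is an added example, not Salesforce tooling; it applies the page's rules (exact-domain match, key must be activated, TXT ownership must be verified, consumer domains exempt) to a constructed address inventory, and derives the RFC 6376 CNAME names (selector._domainkey.domain) a key needs. The selector names, domains and addresses are constructed placeholders.

```python
from dataclasses import dataclass

CONSUMER_DOMAINS = {"gmail.com", "outlook.com"}  # free consumer domains the page lists as exempt

@dataclass(frozen=True)
class DkimKey:
    domain: str        # exact domain entered when the key was created
    selector: str
    alt_selector: str
    activated: bool    # True only after the CNAMEs propagated and Activate was clicked

@dataclass(frozen=True)
class AuthorizedDomain:
    domain: str
    ownership_verified: bool  # True only after the TXT record propagated and was verified

def dkim_cname_names(key: DkimKey) -> list[str]:
    """DNS names that must carry the two Salesforce-generated CNAMEs (RFC 6376 form)."""
    return [f"{sel}._domainkey.{key.domain}" for sel in (key.selector, key.alt_selector)]

def coverage(domain: str, keys, authorized) -> str:
    """Classify a sending domain as exempt, dkim, authorized, or unverified.
    Matching is exact: a key for example.com does not cover mail.example.com."""
    domain = domain.lower()
    if domain in CONSUMER_DOMAINS:
        return "exempt"
    if any(k.activated and k.domain.lower() == domain for k in keys):
        return "dkim"
    if any(a.ownership_verified and a.domain.lower() == domain for a in authorized):
        return "authorized"
    return "unverified"

def audit(senders, keys, authorized) -> dict[str, str]:
    """Map every distinct sending domain in the address inventory to its coverage status."""
    domains = sorted({addr.rsplit("@", 1)[1].lower() for addr in senders})
    return {d: coverage(d, keys, authorized) for d in domains}

# Constructed inventory: org-wide addresses, Flow/Apex senders, a subdomain and a consumer address.
SENDERS = ["noreply@example.com", "alerts@mail.example.com", "support@example.com",
           "rep@gmail.com", "billing@example.org"]
KEYS = [DkimKey("example.com", "acme-sf-a", "acme-sf-b", activated=True),
        DkimKey("example.org", "acme-sf-a", "acme-sf-b", activated=False)]  # CNAMEs still propagating
AUTHORIZED = [AuthorizedDomain("example.org", ownership_verified=False)]    # TXT not yet confirmed

if __name__ == "__main__":
    for domain, status in audit(SENDERS, KEYS, AUTHORIZED).items():
        print(f"{domain:20} {status}")
```

Every domain reported as unverified is one whose Flow and Apex emails will be discarded without a bounce once production enforcement starts.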
Change #2: Mandatory MFA for All Users (Deadline: June 2026)
Salesforce will technically enforce MFA for all employee license users. New: sensitive post-login actions will trigger step-up authentication — additional verification even after login.
Action Steps
- Audit MFA adoption with the MFA Requirement Check tool
- Deploy Salesforce Authenticator or compatible TOTP apps org-wide
- Configure SSO MFA if using Okta, Azure AD, Ping, or ADFS
- Note: SMS is not a compliant MFA method
Change #3: Phishing-Resistant MFA for Admins (Deadline: June 2026)
Standard MFA isn't enough for admin accounts. Salesforce requires phishing-resistant MFA:
- ✅ Built-in authenticators (TouchID, FaceID, Windows Hello)
- ✅ Hardware security keys (YubiKey, Titan)
- ✅ FIDO2/WebAuthn compatible methods
- ❌ TOTP apps (Google Authenticator, Authy) — do NOT qualify
- ❌ Push notifications — can be intercepted through MFA fatigue attacks
Action Steps
- Inventory all System Administrator profiles and permission sets
- Enable built-in authenticators and security keys in Setup → Identity Verification
- Budget ~$25–50 per hardware security key for admins
- Register at least two phishing-resistant methods per admin
Change #4: Login IP Address Restrictions (Deadline: June 2026)
Organizations must restrict login IP addresses on profiles. Users from unauthorized IPs are denied access.
Action Steps
- Document all legitimate IP ranges (offices, VPN endpoints, remote work)
- Configure Login IP Ranges on each profile
- Account for mobile users — VPN may be required
- Test thoroughly to avoid locking out legitimate users
- Ensure no users connect through anonymizing proxies
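Before enforcing Login IP Ranges, replay recent logins against the planned ranges to find who would be locked out. The script below is an added example (not Salesforce tooling) that takes ranges in the start/end form Setup asks for, checks a constructed stand-in for a Login History export against them per profile, and flags ranges so wide they defeat the purpose. All IPs, profiles and usernames are constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Planned Login IP Ranges per profile, in the start/end form Setup asks for (constructed values).
PLANNED_RANGES = {
    "Standard User": [("203.0.113.0", "203.0.113.255"),     # office
                      ("198.51.100.10", "198.51.100.20")],  # VPN egress pool
    "System Administrator": [("198.51.100.10", "198.51.100.20")],  # admins only via VPN
}

# Constructed stand-in for a Login History export: (profile, username, source IP).
LOGIN_HISTORY = [
    ("Standard User", "alice@example.com", "203.0.113.42"),
    ("Standard User", "bob@example.com", "192.0.2.77"),            # home broadband, no VPN
    ("System Administrator", "admin@example.com", "198.51.100.15"),
    ("System Administrator", "admin@example.com", "203.0.113.9"),  # office IP, absent from admin profile
]

def to_networks(ranges):
    """Expand start/end pairs into ip_network objects for membership tests."""
    nets = []
    for start, end in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return nets

def is_allowed(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

def lockout_report(planned, history):
    """Return {profile: {username: [source IPs the planned ranges would deny]}}."""
    nets = {p: to_networks(r) for p, r in planned.items()}
    denied = defaultdict(lambda: defaultdict(list))
    for profile, user, ip in history:
        profile_nets = nets.get(profile)  # a profile with no ranges is still unrestricted
        if profile_nets and not is_allowed(ip, profile_nets):
            denied[profile][user].append(ip)
    return {p: dict(users) for p, users in denied.items()}

def overly_broad(planned, max_prefix=16):
    """Flag ranges wider than a /16, e.g. 0.0.0.0-255.255.255.255 entered just to stop lockouts."""
    return [(p, str(n)) for p, r in planned.items()
            for n in to_networks(r) if n.prefixlen < max_prefix]

if __name__ == "__main__":
    for profile, users in lockout_report(PLANNED_RANGES, LOGIN_HISTORY).items():
        for user, ips in users.items():
            print(f"{profile}: {user} would be denied from {', '.join(ips)}")
    print("overly broad ranges:", overly_broad(PLANNED_RANGES))
```

Run it against a real Login History export covering at least one full business cycle so occasional remote and mobile logins show up before the June deadline, not after.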
Change #5: Transaction Security Policies for Data Exports (June 2026)
For Shield/Event Monitoring customers: a Transaction Security Policy (TSP) on ReportEvent that triggers step-up authentication for report downloads is required.
Action Steps
- Check if you have Shield or Event Monitoring
- Create a custom TSP on ReportEvent with appropriate thresholds
- Test the user experience for legitimate report users
- Communicate to power users who regularly export reports
Additional Spring '26 Security Architecture Changes
| Change | Impact | Action |
|---|---|---|
| Connected Apps → External Client Apps | New Connected Apps creation disabled | Inventory and plan migration to External Client Apps |
| Triple DES Retirement in SAML | Legacy encryption causes auth failures | Update to SHA-256/AES in all SAML configurations |
| Accelerated Certificate Rotation | Shorter cert lifecycles increase rotation frequency | Implement automated cert tracking and alerting |
| My Trust Center (Beta) | Real-time org security visibility | Assign ownership, integrate with incident response |
| Experience Cloud File Scanning | Virus/malware scanning on uploads/downloads | Test high-volume file workflows for performance |
Your Complete Security Upgrade Checklist
🔴 This Week (Before April 6)
- Audit all email-sending domains in production
- Set up DKIM keys for every sending domain and subdomain
- Check email logs for 550 5.7.1 errors
- Enable substitute domain option as safety net
- Verify sandbox domains (enforcement already active)
🟡 By End of April
- Complete email domain verification for all production domains
- Verify allowlisted domains are fully authenticated
- Begin MFA gap analysis with MFA Requirement Check tool
- Inventory System Administrator accounts for phishing-resistant MFA
- Document legitimate IP ranges across offices and VPNs
🟢 By End of May
- Deploy phishing-resistant MFA to all System Administrators
- Configure Login IP Ranges on all profiles
- Create Transaction Security Policies (Shield/Event Monitoring customers)
- Enable MFA for all remaining users
- Test step-up authentication flows in sandbox
🔵 Ongoing
- Plan Connected Apps → External Client Apps migration
- Update SAML to SHA-256/AES
- Implement automated certificate rotation monitoring
- Operationalize My Trust Center
- Conduct quarterly security reviews
Don't Wait Until Deadlines Force Emergency Changes
Vantage Point helps with security audits, DKIM configuration, MFA deployment, IP architecture, TSP design, and integration security reviews — all from senior consultants who've guided 150+ clients through Salesforce security transitions.
Frequently Asked Questions
What are the Salesforce security changes in 2026?
Five mandatory changes: email domain verification (April 2026), MFA for all users (June 2026), phishing-resistant MFA for admins (June 2026), login IP restrictions (June 2026), and Transaction Security Policies for data exports (June 2026, Shield/Event Monitoring customers).
What happens if I don't verify my Salesforce email domains?
Emails from unverified domains are silently dropped — no bounce notification for automations. Manual sends show a blocking error, but Flow and Apex emails fail without any notification. Check logs for 550 5.7.1 Delivery not authorized.
What is phishing-resistant MFA?
Cryptographic verification methods that can't be intercepted: built-in authenticators (TouchID, FaceID, Windows Hello), hardware security keys (YubiKey), and FIDO2/WebAuthn. Standard TOTP apps and push notifications don't qualify.
Does the MFA requirement apply if we use SSO?
Yes. MFA must be enforced at the SSO provider level. Since February 2026, Salesforce also requires Device Activation for SSO logins — a separate step confirming the device is authorized.
Will Salesforce add a Transaction Security Policy automatically?
Yes — for Shield/Event Monitoring customers only. If you don't create a qualifying TSP by June 2026, Salesforce adds a default one that may not match your operational needs. Better to configure your own.
How do Login IP Ranges work with remote workers?
By default, IP checks only apply at login. Enable "Enforce login IP ranges on every request" for continuous validation. Remote workers may need VPN access to connect from approved IP ranges.
What should I do first?
Start with email domain verification — those deadlines are most imminent (April 6–17 for production). Set up DKIM keys, then begin MFA gap analysis and admin account inventory for phishing-resistant MFA deployment.
Resources
- Mandatory Email Domain Verification Timeline — Official Salesforce enforcement schedule
- Email-Sending Domain Verification FAQ — Detailed FAQ from Salesforce
- Spring '26 Release Note: Verify Email Domain Ownership
- Salesforce MFA Requirement Check Tool
- MFA Implementation Guide
- Protecting Data After Identity Compromise — Salesforce security blog
- Transaction Security Policies Guide
- Vantage Point — Security Readiness Assessment
