Salesforce Security Overhaul 2026: Email Verification, MFA, IP Restrictions — Complete Guide | Vantage Point

Written by David Cockrum | Mar 27, 2026 5:40:30 PM

Action Required: Salesforce's Biggest Security Overhaul in Years — Every Deadline, Every Change, and Your Complete Preparation Guide

What is it? Salesforce is rolling out mandatory security changes across email verification, MFA enforcement, phishing-resistant authentication, IP restrictions, and data export controls — with deadlines starting now through June 2026.
Key Deadlines: Email domain verification: April 6–17 (production). MFA + phishing-resistant MFA + IP restrictions + Transaction Security Policies: June 2026.
What Happens If You Don't Act: Unverified domains = silently dropped emails. Missing MFA = login failures. No IP restrictions = blocked access. No TSP = auto-enabled policies you didn't configure.
Who's Affected: Every Salesforce customer. Period.
Bottom Line: Five simultaneous security mandates with real consequences. Prepare now or scramble later.

Why Salesforce Is Doing This Now

Starting with Spring '26, Salesforce is converting security recommendations into enforced requirements with hard deadlines. AI-powered phishing has made credential theft cheaper and more scalable. As one Salesforce security team member noted: "This is the first time Salesforce has enforced a change outside of its regular release schedule."

Change #1: Email Domain Verification (Deadlines: NOW Through April 27)

What's Changing

Every domain used to send outbound email must be verified. Unverified domains = silently dropped emails — no bounce, no error for automations. Just silence.

Affected: Email Composer, Apex email, Flow-triggered emails, Workflow alerts, Process automations
Not affected: Marketing Cloud, Einstein Activity Capture, Inbox, free consumer domains (gmail.com, outlook.com)

Date | What happens
March 9, 2026 | Verification required for all new orgs and new sending domains
March 24–April 3 | Domain verification enforced in all sandboxes
April 6–17, 2026 | Domain verification enforced in all production orgs
April 27–May 15 | Temporary allowlisted domains must be fully verified in production

⚠️ Hidden Danger: The grace period only covers domains with email activity in the last 30 days. Occasional-use domains may already be failing silently. Check email logs for: 550 5.7.1 Delivery not authorized, message discarded
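One way to surface the silently failing domains is to scan an email-log export for the 550 5.7.1 rejection and group the rejections by sender domain. This is an added example, not Vantage Point's or Salesforce's code; the log lines are constructed and the column names are an assumption about the export format.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample of an email-log export (not a real Salesforce export; the
# column names are an assumption). example.com is verified and delivers, while
# its subdomains, which need their own DKIM keys, are rejected.
SAMPLE_LOG = """date_time,sender,recipient,event,message
2026-04-07T09:12:03Z,alerts@example.com,u1@partner.test,D,"250 2.0.0 OK"
2026-04-07T09:12:05Z,noreply@mail.example.com,u2@partner.test,P,"550 5.7.1 Delivery not authorized, message discarded"
2026-04-07T09:15:40Z,noreply@mail.example.com,u3@partner.test,P,"550 5.7.1 Delivery not authorized, message discarded"
2026-04-07T10:01:11Z,billing@invoices.example.com,u4@partner.test,P,"550 5.7.1 Delivery not authorized, message discarded"
2026-04-07T10:30:00Z,sales@example.com,u5@partner.test,T,"451 4.4.1 Connection timed out"
"""

# The rejection Salesforce logs for an unverified sending domain.
UNVERIFIED_RE = re.compile(r"^550 5\.7\.1 Delivery not authorized")


def sender_domain(address):
    """Domain part of an address, lower-cased (verification is keyed on it)."""
    return address.rsplit("@", 1)[-1].strip().lower()


def find_unverified_domains(log_text):
    """Return {domain: {"sent": n, "rejected": n, "senders": [...]}} for every
    sender domain that produced at least one 550 5.7.1 rejection."""
    stats = defaultdict(lambda: {"sent": 0, "rejected": 0, "senders": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        entry = stats[sender_domain(row["sender"])]
        entry["sent"] += 1
        if UNVERIFIED_RE.match(row["message"].strip()):
            entry["rejected"] += 1
            entry["senders"].add(row["sender"].strip().lower())
    return {
        d: {"sent": s["sent"], "rejected": s["rejected"], "senders": sorted(s["senders"])}
        for d, s in stats.items() if s["rejected"]
    }


if __name__ == "__main__":
    for domain, s in sorted(find_unverified_domains(SAMPLE_LOG).items()):
        print(f"{domain}: {s['rejected']}/{s['sent']} rejected; senders: {', '.join(s['senders'])}")
```

Every domain the report lists needs its own DKIM key (or Authorized Email Domain entry) before the production enforcement window.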

How to Verify: DKIM Keys (Recommended)

  1. Setup → search DKIM Keys → Create New Key
  2. Select 2048-bit RSA key size
  3. Enter a selector (e.g., yourcompany-sf-a) and alternate selector
  4. Enter your sending domain
  5. Save — Salesforce generates CNAME records within ~15 minutes
  6. Add two CNAME entries to your DNS
  7. Wait for propagation (up to 72 hours)
  8. Return to Setup and click Activate

ℹ️ Important: A DKIM key for example.com does NOT cover mail.example.com. Each domain and subdomain needs its own key.

Fallback: Authorized Email Domains

  1. Setup → Authorized Email Domains → Add domain
  2. Salesforce generates a verification key
  3. Add TXT record to your DNS
  4. After propagation, enable Verify domain ownership

Change #2: Mandatory MFA for All Users (Deadline: June 2026)

Salesforce will technically enforce MFA for all employee license users. New: sensitive post-login actions will trigger step-up authentication — additional verification even after login.

Action Steps

  • Audit MFA adoption with the MFA Requirement Check tool
  • Deploy Salesforce Authenticator or compatible TOTP apps org-wide
  • Configure SSO MFA if using Okta, Azure AD, Ping, or ADFS
  • Note: SMS is not a compliant MFA method

Change #3: Phishing-Resistant MFA for Admins (Deadline: June 2026)

Standard MFA isn't enough for admin accounts. Salesforce requires phishing-resistant MFA:

  • ✅ Built-in authenticators (TouchID, FaceID, Windows Hello)
  • ✅ Hardware security keys (YubiKey, Titan)
  • ✅ FIDO2/WebAuthn compatible methods
  • ❌ TOTP apps (Google Authenticator, Authy) — do NOT qualify
  • ❌ Push notifications — can be intercepted through MFA fatigue attacks

⚠️ Why This Matters: Salesforce documented active campaigns where threat actors used phishing to bypass SSO and steal session tokens. Phishing-resistant MFA prevents these attacks entirely.

Action Steps

  • Inventory all System Administrator profiles and permission sets
  • Enable built-in authenticators and security keys in Setup → Identity Verification
  • Budget ~$25–50 per hardware security key for admins
  • Register at least two phishing-resistant methods per admin

Change #4: Login IP Address Restrictions (Deadline: June 2026)

Organizations must restrict login IP addresses on profiles. Users from unauthorized IPs are denied access.

ℹ️ Important Nuance: By default, IP checks only apply at login — not mid-session. Enable "Enforce login IP ranges on every request" in Session Settings for continuous validation. Salesforce notes this is "particularly important if your org has not implemented Phishing-Resistant MFA."

Action Steps

  • Document all legitimate IP ranges (offices, VPN endpoints, remote work)
  • Configure Login IP Ranges on each profile
  • Account for mobile users — VPN may be required
  • Test thoroughly to avoid locking out legitimate users
  • Ensure no users connect through anonymizing proxies
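Before switching on Login IP Ranges, replay recent successful logins against the ranges you plan to set and see who would be locked out. This is an added example, not Vantage Point's or Salesforce's code; the ranges and login records are constructed, and in practice the login records would come from LoginHistory.

```python
from collections import defaultdict
from ipaddress import ip_address

# Planned Login IP Ranges per profile, in the form Salesforce uses (start and
# end address per range). Constructed values from documentation address blocks.
PLANNED_RANGES = {
    "System Administrator": [("203.0.113.0", "203.0.113.255"), ("198.51.100.10", "198.51.100.20")],
    "Standard User": [("203.0.113.0", "203.0.113.255"), ("198.51.100.0", "198.51.100.255")],
}

# Constructed login records: (username, profile, source IP, status). Not real data.
RECENT_LOGINS = [
    ("admin@example.com", "System Administrator", "203.0.113.42", "Success"),
    ("admin@example.com", "System Administrator", "192.0.2.77", "Success"),   # home ISP, no VPN
    ("sales1@example.com", "Standard User", "198.51.100.200", "Success"),
    ("sales2@example.com", "Standard User", "192.0.2.15", "Success"),
    ("sales2@example.com", "Standard User", "192.0.2.16", "Failed"),          # not a working login, ignored
    ("svc@example.com", "Integration User", "192.0.2.99", "Success"),         # profile with no planned ranges
]


def in_ranges(ip, ranges):
    """True if ip falls inside any (start, end) range of the same IP version."""
    addr = ip_address(ip)
    for lo, hi in ranges:
        lo, hi = ip_address(lo), ip_address(hi)
        if lo.version == addr.version and lo <= addr <= hi:
            return True
    return False


def lockout_report(logins, planned):
    """Map each user who successfully logged in from outside the planned ranges
    of their profile to the sorted list of offending source IPs. Profiles with
    no planned ranges stay unrestricted and are skipped."""
    would_block = defaultdict(set)
    for user, profile, ip, status in logins:
        if status != "Success" or profile not in planned:
            continue
        if not in_ranges(ip, planned[profile]):
            would_block[user].add(ip)
    return {u: sorted(ips) for u, ips in would_block.items()}


if __name__ == "__main__":
    for user, ips in sorted(lockout_report(RECENT_LOGINS, PLANNED_RANGES).items()):
        print(f"{user} would be locked out: {', '.join(ips)}")
```

Each listed user either needs a VPN path into an approved range or the range list needs an addition before the restriction goes live.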

Change #5: Transaction Security Policies for Data Exports (June 2026)

For Shield/Event Monitoring customers: a Transaction Security Policy (TSP) on the ReportEvent object is required, one that triggers step-up authentication for report downloads.

⚠️ Auto-Enforcement: If you don't create your own TSP by June 2026, Salesforce will automatically add and enable a default policy — which may not match your operational needs.

Action Steps

  • Check if you have Shield or Event Monitoring
  • Create a custom TSP on ReportEvent with appropriate thresholds
  • Test the user experience for legitimate report users
  • Communicate to power users who regularly export reports

Additional Spring '26 Security Architecture Changes

Change | Impact | Action
Connected Apps → External Client Apps | New Connected Apps creation disabled | Inventory and plan migration to External Client Apps
Triple DES Retirement in SAML | Legacy encryption causes auth failures | Update to SHA-256/AES in all SAML configurations
Accelerated Certificate Rotation | Shorter cert lifecycles increase rotation frequency | Implement automated cert tracking and alerting
My Trust Center (Beta) | Real-time org security visibility | Assign ownership, integrate with incident response
Experience Cloud File Scanning | Virus/malware scanning on uploads/downloads | Test high-volume file workflows for performance
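To find SAML configurations still on the retired algorithms, scan what the identity provider actually emits (a captured SAML response, or its metadata) for SHA-1 signature and Triple DES encryption URIs. This is an added example, not Vantage Point's or Salesforce's code; the SAML response below is a constructed skeleton, not output from a real IdP.

```python
import xml.etree.ElementTree as ET

# Algorithm URIs being retired, with the replacement to configure at the IdP.
LEGACY_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "SHA-1 signature; use rsa-sha256",
    "http://www.w3.org/2000/09/xmldsig#sha1": "SHA-1 digest; use sha256",
    "http://www.w3.org/2001/04/xmlenc#tripledes-cbc": "Triple DES assertion encryption; use aes256-cbc",
}

# Constructed SAML response skeleton (not from a real IdP): a SHA-1 signature
# over an assertion encrypted with Triple DES, but an already-modern SHA-256 digest.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_resp">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      </ds:Reference>
    </ds:SignedInfo>
  </ds:Signature>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData>
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""


def find_legacy_algorithms(xml_text):
    """Return (element name, algorithm URI, advice) for every Algorithm attribute
    in the document that names a retired signature, digest or encryption method."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        alg = el.get("Algorithm")
        if alg in LEGACY_ALGORITHMS:
            findings.append((el.tag.split("}")[-1], alg, LEGACY_ALGORITHMS[alg]))
    return findings


if __name__ == "__main__":
    for element, alg, advice in find_legacy_algorithms(SAMPLE_RESPONSE):
        print(f"{element}: {alg} -> {advice}")
```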

Your Complete Security Upgrade Checklist

🔴 This Week (Before April 6)

  • Audit all email-sending domains in production
  • Set up DKIM keys for every sending domain and subdomain
  • Check email logs for 550 5.7.1 errors
  • Enable substitute domain option as safety net
  • Verify sandbox domains (enforcement already active)

🟡 By End of April

  • Complete email domain verification for all production domains
  • Verify allowlisted domains are fully authenticated
  • Begin MFA gap analysis with MFA Requirement Check tool
  • Inventory System Administrator accounts for phishing-resistant MFA
  • Document legitimate IP ranges across offices and VPNs

🟢 By End of May

  • Deploy phishing-resistant MFA to all System Administrators
  • Configure Login IP Ranges on all profiles
  • Create Transaction Security Policies (Shield/Event Monitoring customers)
  • Enable MFA for all remaining users
  • Test step-up authentication flows in sandbox

🔵 Ongoing

  • Plan Connected Apps → External Client Apps migration
  • Update SAML to SHA-256/AES
  • Implement automated certificate rotation monitoring
  • Operationalize My Trust Center
  • Conduct quarterly security reviews

Don't Wait Until Deadlines Force Emergency Changes

Vantage Point helps with security audits, DKIM configuration, MFA deployment, IP architecture, TSP design, and integration security reviews — all from senior consultants who've guided 150+ clients through Salesforce security transitions.

Frequently Asked Questions

What are the Salesforce security changes in 2026?

Five mandatory changes: email domain verification (April 2026), MFA for all users (June 2026), phishing-resistant MFA for admins (June 2026), login IP restrictions (June 2026), and Transaction Security Policies for data exports (June 2026, Shield/Event Monitoring customers).

What happens if I don't verify my Salesforce email domains?

Emails from unverified domains are silently dropped — no bounce notification for automations. Manual sends show a blocking error, but Flow and Apex emails fail without any notification. Check logs for 550 5.7.1 Delivery not authorized.

What is phishing-resistant MFA?

Cryptographic verification methods that can't be intercepted: built-in authenticators (TouchID, FaceID, Windows Hello), hardware security keys (YubiKey), and FIDO2/WebAuthn. Standard TOTP apps and push notifications don't qualify.

Does the MFA requirement apply if we use SSO?

Yes. MFA must be enforced at the SSO provider level. Since February 2026, Salesforce also requires Device Activation for SSO logins — a separate step confirming the device is authorized.

Will Salesforce add a Transaction Security Policy automatically?

Yes — for Shield/Event Monitoring customers only. If you don't create a qualifying TSP by June 2026, Salesforce adds a default one that may not match your operational needs. Better to configure your own.

How do Login IP Ranges work with remote workers?

By default, IP checks only apply at login. Enable "Enforce login IP ranges on every request" for continuous validation. Remote workers may need VPN access to connect from approved IP ranges.

What should I do first?

Start with email domain verification — those deadlines are most imminent (April 6–17 for production). Set up DKIM keys, then begin MFA gap analysis and admin account inventory for phishing-resistant MFA deployment.