The setup is a one-field Setup change; the discipline is in the coordination with the archival vendor and the verification testing. Most regulated orgs set this up at go-live; if it was skipped, the gap is silent until a regulator asks for records.
- Coordinate with the compliance team on the archival vendor
Identify the archival vendor and the BCC mailbox or distribution list they expose. Get the address from the compliance or IT team; do not guess.
- Enable Compliance BCC Email in Setup
Setup, Email, Compliance BCC Email. Enter the BCC address. Toggle the active flag. Save.
- Verify with a test send from each path
Send a test email from Case feed, from Sales Cloud (Email related list), trigger a test Flow that fires an Email Alert, and run a small mass email. Check the archival vendor inbox for each.
- Document the configuration in your compliance runbook
Date enabled, archival address, vendor, owner. The runbook is what compliance and audit teams will reference; building it after the fact is harder.
- Update the corporate acceptable-use disclosure if needed
Most orgs cover compliance archival in general policy language; verify the disclosure addresses Salesforce-sent emails specifically if the legal team requires.
- Schedule annual re-verification
Once per year, repeat the test-send-and-verify cycle. Configuration drift (address change, vendor migration, distribution list permission change) is invisible until verification.
- Size the archival vendor contract for expected volume
For high-volume orgs (Email Alerts, mass marketing), the archival volume can be tens of thousands per day. Confirm the vendor contract covers the expected volume before turning on.
The archival mailbox or distribution list. Coordinate with the compliance team.
Toggles BCC on or off. Active applies within minutes to subsequent outbound mail.
The compliance vendor receiving the BCC (Microsoft Purview, Mimecast, Smarsh, etc.).
Compliance BCC does not apply when Salesforce uses Email Relay; archival is handled by the customer mail server.
The archival vendor contract size; should cover expected Salesforce-sent volume.
- Compliance BCC is invisible to the sender. Users do not see the BCC; document in corporate policy if the legal team needs explicit per-email awareness.
- Email Relay bypasses Compliance BCC. Orgs using Email Relay rely on the customer mail server for archival; verify both paths cover.
- Einstein Activity Capture emails are not captured. EAC syncs emails sent by the user's mail client; those need server-side compliance archival.
- Volume can surprise procurement. High-volume Email Alerts multiply quickly; size the archival contract before turning on.
- Verification drift is silent. Address changes or distribution list permission issues break the archive without notification; annual re-verification catches drift.