Salesforce Dictionary - Free Salesforce GlossarySalesforce Dictionary
Spring '26 overview
For Architects

Spring '26

Spring '26 ships infrastructure changes that will outlive any single feature: shorter TLS certificates, mandatory email-domain verification, IPv6 on the way, end of legacy host-name redirections, and a hard restriction on connected-app creation. Architects should plan now — most of these have rolling cutover dates that extend through 2026.

What's new for architects

  • TLS certificate lifespans are shrinking in three steps. Maximum lifespan drops from 398 days to 200 days on Mar 15, 2026, to 100 days on Mar 15, 2027, and to 47 days on Mar 15, 2029. Salesforce will also stop publishing certificate-rotation announcements via the Certificate Changes Trailblazer Community group on a yet-to-be-announced date (90+ day notice). Audit every system that relies on a public TLS certificate (mTLS endpoints, custom domains, integrations) and switch to automated rotation. Stop using certificate pinning.
  • IPv6 is coming to Salesforce orgs. No firm date — Government Cloud first in early 2026, with at least 2 months of advance notice for each subsequent stage. If you have IP allowlists, plan for dual-stack or migrate to domain allowlists or SNI. Inside Salesforce, an IP-allowlist range is IPv4 or IPv6, not both — you'll add a parallel range per profile.
  • Hyperforce expands to 17 countries with new Data 360, Marketing Cloud, Platform, MuleSoft, and Tableau Cloud regions in Italy and Sweden, plus broader availability across Australia, Brazil, Canada, France, Germany, India, Indonesia, Israel, Italy, Japan, Singapore, South Korea, Sweden, Switzerland, the UAE, the UK, and the US. Hyperforce public IP ranges now include inbound addresses in addition to outbound. Hyperforce Assistant has updated tooling to find hard-coded references.
  • Email-domain verification is mandatory. All sending domains require an active DKIM key or an Authorized Email Domains entry. Cutover dates: new domains added after Feb 25, 2026 verify immediately; sandboxes Apr 14, 2026; production May 4, 2026. This is a Salesforce-wide infrastructure change, not just an admin task — coordinate with platform/DevOps to update CI seed data and integrations.
  • Domain redirections end in Spring '26 (the Update References to Legacy Host Names Release Update is enforced) and instanced URLs in API traffic end in Winter '27. Replace every <instance>.salesforce.com URL in API traffic with the org's My Domain login URL.
  • Connected app creation is disabled by default in all Salesforce orgs. SAML connected apps must migrate to External Client Apps (ECA). AppExchange partners must follow new security requirements for both connected apps and ECA solutions.
  • Database Encryption is GA in all regions. Real-Time Event storage is on by default. Field Audit Trail field count rises from 60 to 200; Data Detect now scans 100 objects with unlimited fields. Health Check tracks 7 new configurable security settings (MFA status, SAML enablement, session controls) and supports notification routing on score changes.
  • Apex sharing-recalculation behavior is changing under a Release Update — run the Update Apex Code and Flows for Changed Sharing Recalculation Behavior preview in a sandbox and walk every custom-sharing trigger through the guided review.
  • Salesforce Backup & Recover Next is a native app, with daily automated backups and in-org restore. Available on a rolling basis in GovCloud and Japan first.
  • Privacy Center → Privacy Requests fulfills Right to Be Forgotten across the platform; you can now bypass automations at the object/policy level and tune batch size for performance.
  • Salesforce Functions is retired for new purchase and renewal — architect the exit (Heroku, MuleSoft, External Services, Apex callouts).

What's deprecated

  • Salesforce Functions — retirement plan published.
  • Open CTI — scheduled for retirement.
  • Microsoft EWS — retirement affects Lightning Sync, Outlook Integration, Salesforce for Outlook.
  • Salesforce for Outlook — retires December 2027.
  • Legacy Chat — being retired (move to Enhanced Chat / Messaging).
  • Legacy host-name redirections — Release Update enforced in Spring '26.
  • Instanced URLs in API traffic — support ends Winter '27.
  • Public TLS certificate rotation announcements — Salesforce plans to stop these for first-party production orgs (90+ day notice when the date is set).

What's still in beta

  • Setup with Agentforce (architects: useful for org-health diagnostics and ECA troubleshooting).
  • Salesforce Multi-Framework for React inside Salesforce.
  • Volume-Based Multipliers for Digital Wallet (beta in non-English languages).

The architectural takeaway: write the Spring '26 readiness memo now, with the certificate, IPv6, and email-verification timelines plotted across 2026, and assign owners for each. The cutover dates are Salesforce's, not yours.

What to test in your sandbox

  1. 1. Audit certificate inventory and rotation cadence

    List every TLS certificate your org consumes — mTLS endpoints, custom domains via CDN, named credentials, AppExchange integrations, JWT bearer flows. Confirm each one rotates in under 200 days by Mar 15, 2026, under 100 days by Mar 15, 2027, and under 47 days by Mar 15, 2029. Drop any reliance on public certificate-rotation announcements from Salesforce.

    Reference: salesforce-certificate-and-key-pair, certificate-and-key-management

  2. 2. Plan IPv6 readiness for IP allowlists

    For every profile that uses Login IP Ranges, add a parallel IPv6 range once your network team has the user IPv6 addresses. For external systems that allowlist Salesforce IPs, switch to domain allowlists or SNI where possible — the Salesforce IPv6 ranges will publish at least two months before each cutover. Government Cloud is first in early 2026.

    Reference: my-domain

  3. 3. Migrate SAML connected apps to External Client Apps

    Inventory every connected app used for SSO/SAML or as an integration target. For each, plan an ECA equivalent — the OAuth flows, consumer-key handling, and access policies are different. Schedule the work in a sandbox first; new orgs already disable connected-app creation by default.

    Reference: connected-app, external-client-app-manager, oauth, single-sign-on-settings

  4. 4. Rehearse the email-domain verification cutover

    Walk the Spring '26 mandatory-verification timeline against your DKIM rollout. Verify every sending domain in a Full sandbox, enable *Use a substitute email address for unverified domains* on Deliverability, and run a test send from each org-wide email address. Production cutover is May 4, 2026; sandboxes Apr 14, 2026.

    Reference: dkim-keys, authorized-email-domains, deliverability, full-sandbox

  5. 5. Replace legacy host names and instanced URLs

    In Setup, run the *Update References to Legacy Host Names* Release Update preview. Identify any hard-coded legacy `*.salesforce.com` URLs in custom code, integrations, email-template merge fields, and metadata. Switch them to the org's My Domain URL. Plan the instanced-URL migration before Winter '27.

    Reference: my-domain, hyperforce-assistant

  6. 6. Run the Apex sharing-recalculation review

    Enable *Update Apex Code and Flows for Changed Sharing Recalculation Behavior* in a sandbox. Walk through the guided code review for every custom sharing trigger and any Apex that calls `Database.getRunningOrganizationLogonSettings()`-style sharing helpers. Add coverage for the new behavior before activating in production.

    Reference: apex-managed-sharing, sharing-rule, apex-triggers, apex

  7. 7. Architect the Salesforce Functions exit

    For each Functions deployment, document inputs, outputs, runtime, latency requirements, and dependencies. Pick a target — Heroku for Node/Java/Ruby, MuleSoft for integration-heavy work, External Services for simple HTTP, or Apex callouts for low-volume cases. Estimate effort and timeline; Functions is closed to new purchase and renewal.

    Reference: salesforce-functions, mulesoft-integration, apex

  8. 8. Validate Hyperforce-region readiness

    If your data-residency strategy targets Italy or Sweden, confirm the relevant clouds (Data 360, Marketing Cloud, Platform, MuleSoft, Tableau Cloud) are now available there. Update the Hyperforce public IP allowlists to include the new inbound ranges. Run Hyperforce Assistant if migration is still pending.

    Reference: hyperforce, hyperforce-assistant

Related dictionary terms

See Admins take →See Developers take →See Consultants take →