Authorized Email Domains
Authorized Email Domains is a Setup page where administrators specify which email domains are approved for use in the org.
Definition
Authorized Email Domains is a Setup page where administrators specify which email domains are approved for use in the org. When configured, only users with email addresses from authorized domains can log in, helping organizations enforce security policies and prevent unauthorized access from personal email accounts.
In plain English
“Here's a simple way to think about it: Authorized Email Domains keeps shadow accounts from creeping into your org. Add only your corporate domains here, and Salesforce refuses users with email outside the list - preventing personal addresses from accumulating.”
Worked example
The security admin at FinServe Bank adds "finservebank.com" and "finserve.co" as authorized email domains. This ensures that only employees with corporate email addresses can be provisioned as Salesforce users. When someone tries to create a user with a Gmail address, the system blocks it, maintaining the company's email security policy.
Why Authorized Email Domains keep shadow accounts from creeping into your org
When user provisioning isn't tightly controlled, personal Gmail and Yahoo addresses slip into the user list - a contractor never moved over to corp email, a personal address used during a Trailhead trial, a service account someone set up "just for testing." Authorized Email Domains is the gate that prevents this. Add only your corporate domains here, and Salesforce refuses to create or update users with email addresses outside that list.
The reason this matters past basic hygiene is that the User object is the trust anchor for almost everything else - login policies, MFA enforcement, sharing rules, and most audit trails are all keyed off it. Letting personal-domain users accumulate is how orgs end up with active logins six months after someone leaves the company. Configure this early, audit it during every offboarding cycle, and treat any exception as a deliberate, time-bound decision.
How to set up Authorized Email Domains
Authorized Email Domains configure which email domains your Salesforce org can send mail from — "yourcompany.com," "support.yourcompany.com." Setup is paired with DKIM Keys and SPF / DMARC DNS records. Together they tell receiving mail servers "yes, this email genuinely came from Salesforce on behalf of yourcompany.com."
- Open Setup → Authorized Email Domains
Setup gear → Quick Find: Authorized Email Domains → Authorized Email Domains.
- Click Add Domain
Top-right.
- Set the Domain (yourcompany.com)
Each domain you authorize lets Salesforce send From: that domain.
- Pick the Email Domain Type
User Email (per-user from-addresses) / Default No-Reply / etc.
- Tick Email Domain Authentication
When ticked, Salesforce automatically generates and signs SPF + DKIM. You'll need to add corresponding DNS records.
- Add the DNS records (TXT for SPF, CNAME for DKIM)
Salesforce shows the exact records. Add to your DNS provider; wait 24-48 hours for propagation.
- Click Verify
Salesforce checks DNS. If green, the domain is authorized.
yourcompany.com / support.yourcompany.com / etc. Each is its own record.
User Email / No-Reply / Org-Wide.
Auto-SPF + auto-DKIM. Recommended ON.
Pending / Verified / Failed.
- Without Authorized Email Domains, Salesforce sends from sender@<orgid>.bnc.salesforce.com — emails frequently go to spam. Authorizing your domain dramatically improves deliverability.
- DNS changes take 24-48 hours to propagate. Verifying the domain too early shows failure — wait, then re-verify.
- SPF records have a 10-DNS-lookup limit. Adding Salesforce to an SPF record that already includes Marketo, Pardot, and other senders can hit the limit and break SPF for all senders.
How organizations use Authorized Email Domains
Configured early in org setup; no personal-domain users ever joined.
Quarterly offboarding review caught a contractor's personal address; the allowlist would have prevented original assignment.
Pair with SSO enforcement creates the strongest provisioning posture; user identity is corporate-anchored.
Test your knowledge
Q1. Can a Salesforce admin configure Authorized Email Domains without writing code?
Q2. What is the primary benefit of Authorized Email Domains for Salesforce administrators?
Q3. In which area of Salesforce would you typically find Authorized Email Domains?
Discussion
Loading discussion…