Overview
Starting in Spring ’26, Salesforce requires that any corporate email domain used to send emails through Practifi is verified as owned by your organization. If your team sends emails from within Practifi using a corporate address (for example, advisor@yourfirm.com), your Practifi Administrator will need to complete a one-time domain verification before those emails can be delivered.
This article walks through what’s changing, who’s affected, and how to verify your domain.
Please note: If your organization sends emails only through a Gmail or Office 365 integration, or only uses public email domains like gmail.com or outlook.com, this change does not apply to you.
- What’s Changing
- Does This Affect You?
- Key Deadlines
- How to Verify Your Domain
- How This Relates to Practifi
- Additional Resources
What’s Changing
Salesforce is adding a domain-level ownership check on top of its existing user-level email verification. Previously, verifying an individual user’s email address was enough. Now, Salesforce also needs to confirm that your organization owns the domain itself (the part after the @ sign).
Emails sent from an unverified corporate domain will not be delivered. This applies to any email sent using Salesforce’s built-in email tools, including emails triggered by workflows, flows, and manual sends from records.
Does This Affect You?
You are likely affected if:
- Your Practifi users send emails from a corporate email address (e.g., advisor@yourfirm.com) using Salesforce’s built-in email features
- Your organization has not yet set up DKIM or Authorized Email Domains in Practifi
You are NOT affected if:
- Your users send from Gmail or Outlook addresses (gmail.com, outlook.com, and similar public email domains are exempt)
- Emails are sent via your Gmail or Office 365 integration within Salesforce
- Emails are sent via Salesforce Einstein Activity Capture (EAC)
If you’re unsure whether this applies to your organization, check with your Practifi Administrator. A quick way to confirm is to review the email addresses assigned to your Practifi users. If any use a corporate domain, that domain needs to be verified.
Key Deadlines
| Milestone | Date |
|---|---|
| Enforcement begins for new domains | March 9, 2026 |
| Deadline for existing domains in Sandbox orgs | March 30, 2026 |
| Deadline for existing domains in Production orgs | April 27, 2026 |
After these dates, emails sent from unverified domains will silently fail. There will be no error messages or bounce notifications; the emails simply won’t be delivered.
How to Verify Your Domain
Your Practifi Administrator needs to add a DNS record for each corporate sending domain. This is a one-time configuration change, coordinated with whoever manages your organization’s DNS (typically your internal IT team or domain registrar).
There are two methods. Your admin only needs to complete one.
Option 1: DKIM (Recommended)
DKIM (DomainKeys Identified Mail) is the preferred approach because it also improves email deliverability by cryptographically signing outgoing messages. This helps receiving mail servers confirm that emails from your domain are legitimate and haven’t been tampered with in transit.
- In Salesforce Setup, use the Quick Find search to search for and select DKIM Keys.
- Click Create New Key.
-
On the Create a DKIM Key page, select the 2048-bit option.
- For Selector, enter a unique string of up to 62 letters, digits, and hyphens to identify this key. Start with a letter or number. For example, example-sf-a.
- For Alternate Selector, enter another unique string of up to 62 letters, digits, and hyphens. Start with a letter or number. For example, example-sf-b. Salesforce uses the alternate selector to auto-rotate your keys.
- Enter the domain name used to send email from Practifi. After you save a DKIM key, you can’t edit the domain name.
- For Domain Match Pattern, enter a comma-separated list of domain patterns that the domain name must match before Salesforce signs an email with this DKIM key. Here are two examples of a recommended domain match pattern value:
- Domain: example.com and Domain Match Pattern: example.com
- Domain: mail.example.com and Domain Match Pattern: mail.example.com
- Click Save.
- Salesforce will generate two CNAME records. Share these with whoever manages your DNS.
- Once the DNS records are published (this can take up to 48 hours to propagate), return to the Manage DKIM Keys page in Salesforce Setup and click Activate.
Option 2: Authorized Email Domains
If DKIM isn’t an option for your organization, you can verify your domain using a TXT record instead.
- In Salesforce Setup, use the Quick Find search to search for and select Authorized Email Domains.
-
Click Add.
- Enter your domain in the Domain Name field.
- Click Save.
- Salesforce will provide a TXT record. Share this with your DNS manager.
- Once the DNS record is published, return to Salesforce and click Verify.
Please note: If your organization uses more than one corporate domain for email (e.g., yourfirm.com and yourfirmadvisors.com), each domain must be verified separately.
How This Relates to Practifi
This is a Salesforce platform requirement, not a Practifi change. No updates to Practifi are needed, and Practifi's functionality is not affected. However, because Practifi runs on the Salesforce platform, any emails sent from within your Practifi environment are subject to Salesforce’s email delivery rules. Verifying your domain ensures that emails triggered by Practifi workflows, advisor communications, and other automated processes continue to reach their recipients.
Additional Resources
To learn more about email domain verification in Salesforce, please consult the following Salesforce documentation:
Salesforce Help article - Set Up DKIM
Salesforce Help article - Authorized Email Domains
Questions?
If you’re unsure whether this applies to your organization or need help completing these steps, contact your Client Success Manager or reach out to Practifi Support.
Comments
Article is closed for comments.