Salesforce Tightens Security: What to Get Done Before July 2026

Starting in July 2026, Salesforce is enforcing a series of security changes that will affect every org. These are mandatory requirements with firm deadlines.

Salesforce is making these changes in response to a rise in phishing attacks and credential theft. The most vulnerable areas are people, integrations, and login tools.

What Salesforce Is Changing and When

Since April 2026, Salesforce has required verification of all domains from which an organization sends emails. Emails from unverified domains are silently discarded by Salesforce, with no bounce notification and no error message for automations.

From July 1, 2026, phishing-resistant MFA becomes mandatory for all administrators and privileged users. That means authenticating with biometrics or a physical security key (such as a YubiKey). An authenticator app alone will no longer be sufficient to protect privileged accounts.

Also effective July 1, 2026, step-up authentication applies to working with reports. Anyone who runs or exports a report will receive an additional identity verification prompt, even if they are already logged in.

From July 20, 2026, Salesforce will extend MFA to all employee users. Everyone who logs into the platform will need to have an MFA method registered.

What to Check

Before the end of June, an org admin should verify three things: that all outbound email domains are verified in the Deliverability settings, that all administrators have a phishing-resistant MFA method registered, and that other users either have an active MFA method or an up-to-date email address and phone number for backup verification.
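One way to run these three checks over exported data, as an added example that is not from Salesforce or the original article. The CSV columns, method labels and sample values are constructed, and comparing sender domains by exact match is an assumption.

```python
import csv
import io

# Constructed sample data; column names and method labels are hypothetical,
# not a Salesforce export format.
USERS_CSV = """username,privileged,mfa_methods,email,phone
admin1@example.com,yes,security_key;totp,admin1@example.com,+420111222333
admin2@example.com,yes,totp,admin2@example.com,+420111222334
rep1@example.com,no,totp,rep1@example.com,
rep2@example.com,no,,rep2@example.com,+420111222335
rep3@example.com,no,,rep3@example.com,
"""
VERIFIED_DOMAINS = {"example.com"}
SENDER_ADDRESSES = ["Billing@Example.com", "noreply@news.example.com"]

# Per the article: biometrics or a physical security key qualify for
# privileged users; an authenticator app (totp) alone does not.
PHISHING_RESISTANT = {"security_key", "biometric"}


def audit_users(users_csv):
    """Return {username: finding} for accounts that miss the article's checks."""
    findings = {}
    for row in csv.DictReader(io.StringIO(users_csv)):
        methods = {m for m in row["mfa_methods"].split(";") if m}
        if row["privileged"] == "yes":
            if not methods & PHISHING_RESISTANT:
                findings[row["username"]] = (
                    "privileged: no phishing-resistant MFA (due July 1, 2026)")
        elif not methods and not (row["email"] and row["phone"]):
            findings[row["username"]] = (
                "no MFA method and incomplete backup contact (due July 20, 2026)")
    return findings


def unverified_senders(addresses, verified):
    """Return sender addresses whose domain is not verified (exact match assumed)."""
    verified = {d.lower() for d in verified}
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() not in verified]


if __name__ == "__main__":
    for user, finding in audit_users(USERS_CSV).items():
        print(f"{user}: {finding}")
    for addr in unverified_senders(SENDER_ADDRESSES, VERIFIED_DOMAINS):
        print(f"{addr}: domain not verified, mail would be dropped silently")
```

Senders on an unverified domain are worth listing explicitly because, as noted above, their mail is discarded without a bounce or an automation error.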

A complete overview of deadlines and steps can be found in the official Salesforce security roadmap.
