Communications & Readiness Connect

*** Update: Revised Enforcement Dates for Step-up Authentication Upcoming Security Mandate ***The enforcement dates for Time-Based Step-Up Authentication for Report Actions

have shifted due to issues discovered during testing. Fixes are targeted for the 262.8/9 release. 

• Available for Customers — Sandboxes: May 27 – Jun 3 (unchanged)
• Available for Customers — Production: May 27 – Jun 14 (unchanged)
• Enforcement — All Sandboxes: NEW confirmed dates Jun 17 to June 24 [moved from starting June 3]
• Enforcement — Production: NEW confirmed dates: July 1 – Jul 25 [moved from starting June 10]

All other mandates (MFA for All, PRMFA for Admins, TSP, Anomalous Detection) are

by this change. 

For future updates to the release dates, see the Knowledge article. 

• Prepare for the upcoming Step-up Authentication requirements on Report Actions

🎉 Big shoutout to our incredible Forum Ambassador, @Sushil Kumar for an awesome deep dive on "Add Custom Link to Lightning App Record Page"!📘 Check out the article here >> https://help.salesforce.com/s/articleView?id=005336072&type=1 

🔍 Found it helpful? Have thoughts to share?

 Let us know by clicking the "Yes" or "No"  button at the bottom of the article—your feedback helps us improve!> 🔍 Found it helpful?" style="display: block;" />

*** Important change for: All Core Org Admins & Security Contacts ***This update is limited to Salesforce Platform. 

In Progress Enhancements: Immediate Action Required

Salesforce is enforcing these controls now. To avoid service disruption, verify your configuration. 

• Email Domain Verification: Email domain verification is now required to send emails from Salesforce. Learn more about the change and the enforcement timeline.
• High-Risk Connection Blocking: Ensure that your users aren’t connecting to Salesforce via anonymizing VPNs, proxies, or high-risk IP addresses. Salesforce monitors for and blocks high-risk connections through Connected App or API usage and anomaly detection for login activity.

Upcoming Enhancements: Take Action Now

Detailed enforcement dates for each control are available in the linked resources.

• Phishing-Resistant Multi-Factor Authentication (MFA) for Privileged Users, including Admins: Phishing-resistant MFA will be enforced for System Administrators and users who have certain privileged permissions when they log in to any org, including sandboxes. This requirement applies to direct UI and Single Sign-On (SSO) logins. Learn more about how to set up this feature and the enforcement timeline.
• MFA for All: MFA will be enforced for all employee license users who log in via the Salesforce UI or Single Sign-On (SSO) to all orgs, including sandboxes. Learn more about how to set up this feature and the enforcement timeline.
• Step-Up Authentication: Salesforce will enforce identity verification challenges for all users (including those using SSO) when they perform high-sensitivity actions, starting with UI report exports and viewing, and for anomalous behavior while accessing reports. This change applies across all orgs, including sandboxes. To prepare for this change, ensure that your users each have one of the following registered: Salesforce MFA, a current email address, or a mobile phone number. To learn more about how to prepare for this change, see Prepare for the upcoming Step-up Authentication requirements on Report Actions and Prepare for Step-up Authentication in Anomalous Report Export.
• Upcoming Transaction Security Policy (TSP) Enhancements (Shield & Event Monitoring customers): Salesforce will automatically deploy a default TSP for ReportEvent. When enabled, this policy triggers a step-up authentication challenge for UI report exports that exceed 10,000 records. Additionally, a new "Manage Transaction Security Policy" permission will be required, in addition to the "Customize Application" permission, to manage any TSP. Review and assign this new permission to authorized users before enforcement. Learn more about how to set up this feature and the enforcement timeline.

Strongly Recommended but Not Required at This Time

This control is recommended but not mandatory as previously announced.

• IP Address Restriction: Salesforce isn’t enforcing the IP address restrictions in profiles or the “Enforce login IP ranges on every request” session setting at this time. However, we continue to strongly recommend that you adopt IP address restrictions and enable the setting, and we may require that configuration in the future. To learn more about how to configure your IP Allowlist permissions, see Restrict Login IP Addresses in Profiles and Set Trusted IP Ranges for Your Org.
• Phishing-Resistant MFA for Non-Admin Users: To ensure the highest level of protection against identity-based threats, Salesforce strongly recommends that you implement phishing-resistant MFA for all users. See Prepare for MFA Enforcement for All Employee Users.

More Information

Join one of these webinars where Salesforce experts will discuss these changes.

• Platform Security Enhancements Webinar Option 1 | May 13 15:00-16:00 UTC
• Platform Security Enhancements Webinar Option 2 | May 13 23:00-24:00 UTC

🎉 Big shoutout to our incredible Forum Ambassador, @Manoj Nambirajan for an awesome deep dive on "Map additional Lead data during Salesforce Import"!📘 Check out the article here >> https://help.salesforce.com/s/articleView?language=en_US&id=005322015&type=1 

🔍 Found it helpful? Have thoughts to share?

 Let us know by clicking the "Yes" or "No"  button at the bottom of the article—your feedback helps us improve!> 🔍 Found it helpful?" style="display: block;" /> #Sales Cloud

*** Important change for:  Update Permissions for TriggeredSend SOAP API by June 19, 2026 ***On June 19, 2026, Salesforce is changing the permission requirements for executing TriggeredSend SOAP API calls within Marketing Cloud Engagement.  

Required Actions

Beginning on June 19, only API users and installed packages that have the required permissions can make TriggeredSend calls via the SOAP API. Depending on your authentication method, update your permissions using these steps.

Installed Package

1. From Setup, in the Quick Find box,enter Installed Packages, and then select Installed Packages.
2. Select the package to modify.
3. In the Components section, click Edit for your integration.
4. In the Channels section, under Email, select Read, Write, and Send.
5. Save your changes.

Username and Password

This step applies only to users with the API User setting enabled. If a user doesn’t have this setting enabled or doesn’t perform triggered email sends, no action is required.

1. From Setup, in the Quick Find box, enter Users, and then select Users.
2. Select a user, and then click Manage Roles.
3. Select Edit Permissions.
4. In the Email | Interactions | Messages | Email section, next to Triggered, select Allow.
5. Save your changes.

Follow the step-by-step instructions in the Knowledge Article to update permissions for packages and API users.

Impact of Noncompliance

If you don't update the permissions by June 19, 2026, your TriggeredSend SOAP API calls will not send emails and return an API Permission Failed error.

Why Are We Making This Change?

To provide a more predictable and streamlined operational environment, Salesforce is aligning the permission requirements for TriggeredSend SOAP API calls used throughout Marketing Cloud Engagement. This change extends the same access controls from our other messaging features to your integrations.

What to Expect

After you update your permissions, your TriggeredSend SOAP API calls continue to function with no impact on the email delivery experience for your recipients.

To ensure uninterrupted service, update your integration permissions by June 19, 2026.

Need help?

Connect with Agentforce on Salesforce Help.

#Marketing Cloud

🎉 Big shoutout to our incredible Forum Ambassador, @Piyusha Pilania for an awesome deep dive on "Report on Cadence Step Overdue Time Using Cadence Tracker Reports"!📘 Check out the article here >> https://help.salesforce.com/s/articleView?id=005321421&type=1

🔍 Found it helpful? Have thoughts to share?

 Let us know by clicking the "Yes" or "No"  button at the bottom of the article—your feedback helps us improve!> https://help." style="display: block;" />

🎉 Big shoutout to our incredible Forum Ambassador, @Lukas Lunow for an awesome deep dive on "View the exact Email Sent from Marketing Cloud on a Sales Cloud Record Page"!📘 Check out the article here >> https://help.salesforce.com/s/articleView?id=005318897&type=1

🔍 Found it helpful? Have thoughts to share?

 Let us know by clicking the "Yes" or "No"  button at the bottom of the article—your feedback helps us improve!> 🔍 Found" style="display: block;" />

📣 Summer '26 Release Goodies 🍬

• Summer '26 Sandbox Preview Instructions
• Summer '26 Sandbox Preview Guide
• Summer '26 Calendar and ical format
• Summer '26 Infographic and Key Dates (See Attached) - @Chris Collins Thanks for the infographic.
• Summer '26 Key Dates Admin Blog

🔑 Key Dates for Summer '26

• April 16, 2026 - Pre-Release Preview & Partner
• April 22, 2026 - Release Note Preview
• May 7, 2026 - Sandbox Cut Off - Article
• May 8, 2026 - Sandbox Preview - Article
  • Release in a Box (RIAB)
  • Release Trailhead Module
  • Release Overview Deck (ROD)
  • Release Feature Matrix
• TBD - Release Readiness 

🚀 Summer '26 Major Release Dates 

• June 5, 2026
• June 12,  2026
• June 13, 2026

* Check Salesforce Trust for your org upgrade day and time.

**Immediate Action Required: Verify Your Domains for Email Security starting March 9, 2026 By April 7, 2026**

**Important Date Change Update: 

Salesforce deploys this change in Spring '26, patch 11 (moved from patch 10). To determine the patch version for your org, go to Trust Status, search for your My Domain name or instance, and then select your instance name. 

With this change, verification is required for new domains in existing orgs and for all domains in new orgs, including new sandboxes. 

In existing orgs, Salesforce generated a temporary allowlist of email-sending domains used between January 7, 2026, and February 25, 2026. In sandboxes, verification of those domains is required by April 7, 2026. In all other orgs, including production, verification of those domains is required by April 27, 2026.

What's happening?  

To further strengthen the security of our email services, Salesforce is enforcing 

strict domain ownership verification, starting March 9, 2026. This new requirement adds another layer of security to our existing user-level email address verification. 

What’s Changing?

Salesforce sends user-authored emails only from verified domains, and email domain verification is now mandatory. Emails sent from unverified domains won't be delivered. 

Sending email domains for common public email services, such as gmail.com and outlook.com, are exempt from the domain-level verification requirement. This change also has no impact on emails sent through Gmail and Office 365 (Outlook) integrations or emails sent via the Salesforce Einstein Activity Capture (EAC) tool.

Implementation Timeline

Salesforce deploys this change in Spring ’26, patch 10, starting March 9, 2026. To determine the patch version for your org, go to Trust Status, search for your My Domain name or instance, and select your instance name. 

1. New Sending Email Domains: New domains in existing orgs, and all domains in new orgs and new sandboxes, require immediate verification.
2. Existing Sending Email Domains: In existing orgs, domains that have been used to send mail within the last 30 days must be verified by March 30, 2026 for sandboxes and April 27, 2026 for production orgs.

We recommend that you verify new, planned, and pre-used email sending domains as soon as possible.

Required Action

To continue sending emails from Salesforce without disruption, complete domain verification via one of these methods. With both methods, you make a minor update to your domain’s DNS records to verify ownership.

• DKIM (DomainKeys Identified Mail): Set up a DKIM key via the process detailed in Salesforce Help.
• Authorized Email Domains: Verify your domain ownership with Salesforce by following the process outlined in Salesforce Help. Users with an email address on an authorized and verified email domain can send email from that address through Salesforce.

User email address verification is still mandatory with no exceptions. For more information on the existing user verification process, see Manage User Email Address Verification.

How can I get more information?

If you require further assistance, open a case with Salesforce Customer Support via Salesforce Help.

Additional resources: 

• Requirements to Send Email from Salesforce 
• Verify Your Email-Sending Domains 
• Verify Your Email Domain Ownership