
Salesforce Security in Summer '26: MFA Enforcement, Domain Verification, and the Health Assessments Agent

Time-sensitive Salesforce Summer '26 security changes every admin must act on — mandatory MFA from June 2026, phishing-resistant MFA for admins, email domain verification, OAuth username-password retirement, and the new Health Assessments Agent.

Most release recaps bury the security section. Don't skip this one — Summer '26 includes hard deadlines that affect every org, including mandatory MFA. If you're an admin, read this first and put the dates on your calendar.

The deadlines you can't ignore

To counter evolving threats, Salesforce is enforcing a stack of new security controls. The key dates:

  • Starting June 2026: Salesforce enforces Multi-Factor Authentication (MFA) for all users, phishing-resistant MFA for Salesforce admins, and login IP address restrictions.
  • Email domain verification is now required to send email. If your domains aren't verified, email delivery is at risk.
  • Winter '27: Salesforce retires the OAuth 2.0 username-password flow for connected apps.

These aren't optional best practices anymore — they're enforced controls. The username-password OAuth retirement in particular can break integrations silently, so audit your connected apps now.

Email domain verification: act before June 17, 2026

Email is the change most likely to bite you unexpectedly. Salesforce requires you to verify ownership of the domains you send from.

To prevent disruption, starting June 17, 2026, Salesforce automatically updates your temporary allowlist with the domains used to send email in May 2026, and turns on a substitute email address for unverified domains. That's a safety net, not a solution — verify your domains properly so your branded email keeps flowing. (Related sales-side changes like DKIM protection for the Reply-To header are covered in our Agentforce Sales guide.)

A required security contact

Salesforce now requires security contact information on the Company Information page in Setup. This is where Salesforce sends security alerts and incident communications. Use a monitored distribution list, not a single person's inbox, and review it regularly — you do not want to miss an incident alert because it went to someone who left the company.

The Health Assessments Agent: AI-driven security posture

On the brighter side, security gets its own agent. The Health Assessments Agent (part of Security Health Review) lets you:

  • Generate on-demand security posture reports with step-by-step remediation guidance.
  • Evaluate your org against Salesforce best practices across authentication, permissions, data security, API configurations, and compliance.
  • Ask questions about specific findings, get remediation guidance, and track progress across scans.

It's a meaningful upgrade from static checklists to an interactive, AI-assisted review.

Health Check, Shield, and Security Center

  • Health Check added several new signals, and admins now receive weekly notifications by default.
  • Salesforce Shield cuts clicks and adds power: scan more data (including encrypted data) with Data Detect, schedule and automate scans, manage field-level encryption policy, check for encryption blockers, and download field history changes directly in the Shield App. New Profile ID and Role ID fields on real-time events make Transaction Security policies easier to build with the Condition Builder.
  • Security Center adds new alert metrics to strengthen your posture.
  • Backup and Recover Next gives you more control, including the ability to start and stop backups on demand.

Identity and domains

  • Switch to OAuth 2.0 web-server or client credentials flows before the username-password flow stops working.
  • Login history and login events now surface Authentication Context Class Reference (ACR) values sent by SSO identity providers.
  • Route domain URLs through the Salesforce Edge Network for performance and reliability.
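For the connected-app audit and the flow migration described above, a first pass is to find integration code that still requests tokens with the username-password grant. The sketch below is an added example, not Salesforce tooling or code from this article; the file paths, variable names and `MYDOMAIN` host in the sample data are constructed, and it assumes integrations call the standard `/services/oauth2/token` endpoint.

```python
import re

# Salesforce OAuth token endpoint path; files that never reference it are skipped.
TOKEN_PATH = "/services/oauth2/token"
# Matches form-encoded (grant_type=password) and dict/JSON ("grant_type": "password").
GRANT_RE = re.compile(r"""grant_type["']?\s*[=:]\s*["']?([\w:.\-]+)""", re.I)
# Flows the article names as migration targets; web-server flow sends authorization_code.
TARGET_GRANTS = {"authorization_code", "client_credentials"}


def classify(grant):
    grant = grant.lower()
    if grant == "password":
        return "RETIRING"  # username-password flow, retired in Winter '27
    if grant in TARGET_GRANTS:
        return "OK"
    return "REVIEW"  # any other grant type: not covered by the article, check by hand


def audit(files):
    """files: {path: source text}. Returns [(path, line_no, grant, status)]."""
    findings = []
    for path, text in sorted(files.items()):
        if TOKEN_PATH not in text:
            continue  # grant_type for some other vendor's API
        for line_no, line in enumerate(text.splitlines(), 1):
            for m in GRANT_RE.finditer(line):
                findings.append((path, line_no, m.group(1), classify(m.group(1))))
    return findings


# Constructed sample integration files (hypothetical paths and variable names).
SAMPLE_FILES = {
    "etl/sync_accounts.py": (
        'TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"\n'
        'payload = {"grant_type": "password", "client_id": CID,\n'
        '           "username": SF_USER, "password": SF_PASS}\n'
    ),
    "deploy/get_token.sh": (
        'curl -s "https://MYDOMAIN.my.salesforce.com/services/oauth2/token" \\\n'
        '  -d grant_type=client_credentials -d client_id="$CID" -d client_secret="$CSECRET"\n'
    ),
    "billing/vendor_auth.py":
        'data = {"grant_type": "password"}  # no Salesforce token endpoint\n',
}

if __name__ == "__main__":
    for path, line_no, grant, status in audit(SAMPLE_FILES):
        print(f"{status:8} {path}:{line_no} grant_type={grant}")
```

A source scan like this misses grant types assembled at runtime or held in a secrets store, so treat a clean result as a starting point and confirm against what each connected app actually uses.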

Your Summer '26 security checklist

  • Confirm MFA is enabled for all users — and phishing-resistant MFA for admins — ahead of June 2026.
  • Verify your email sending domains before June 17, 2026.
  • Add a monitored security contact on the Company Information page.
  • Audit connected apps using the OAuth username-password flow and migrate before Winter '27.
  • Run the Health Assessments Agent to get a baseline and a remediation plan.
  • Review login IP restrictions so legitimate users aren't locked out when enforcement begins.

Frequently asked questions

Is MFA mandatory in Salesforce now? Yes. Starting June 2026, Salesforce enforces MFA for all users and phishing-resistant MFA for admins, along with login IP address restrictions.

What happens if I don't verify my email domains? Email delivery is at risk. As a safety net, from June 17, 2026, Salesforce updates a temporary allowlist and uses a substitute address for unverified domains — but you should verify your domains properly.

When is the OAuth username-password flow retiring? Winter '27. Migrate connected apps to the OAuth 2.0 web-server or client credentials flow before then.

What is the Health Assessments Agent? An AI agent that generates on-demand security posture reports, evaluates your org against best practices, and provides interactive remediation guidance.

Do I have to add a security contact? Yes. Security contact information is now required on the Company Information page in Setup. Use a monitored distribution list.

The bottom line

Summer '26 raises the security floor for every Salesforce org — and several changes carry firm 2026/2027 deadlines. Treat the checklist above as a near-term project, not a someday task. The Health Assessments Agent makes it easier than ever to find and fix gaps, so there's no reason to wait.

Back to the full release overview: Salesforce Summer '26 Release Guide.
