This FAQ is designed to help you understand the recent communication regarding email authentication and how it ensures your Atamis/Salesforce notifications continue to reach your inbox reliably.
UPDATE: Salesforce have provided their own FAQ which that are updating. This can be found here
1. What is changing with our email notifications?
To improve security and prevent "email spoofing," major email providers and IT departments have tightened rules on how systems like Salesforce send emails on your behalf.
Salesforce now requires that any email sent through the platform—where the "From" address is a user’s email—must come from a Verified Domain. We are implementing this to ensure that alerts like approvals and tasks are not blocked by your internal security filters.
2. Is this why some users haven't been receiving approval emails?
Yes. If your IT department has strict rules against spoofing (where a system sends an email appearing to come from an individual's address), these emails are often silently blocked or sent to junk. Setting up this authentication "unblocks" those delivery issues.
3. Which specific notifications are affected?
While many system-level notices (like TPP/Tender notices) come directly from Atamis domains, several others are sent "on behalf of" individual users. Impacted alerts include:
- Approval Requests
- Chatter Mentions & Updates
- Workflow Alerts
- Task Assignments
4. Are any domains exempt from this?
Yes. Exemptions apply to major Email Service Provider (ESP) domains. You do not need to perform this exercise for users with addresses ending in:
- gmail.com
- outlook.com
- hotmail.com
5. How does this affect external evaluators?
It does not. External evaluators typically interact with the system in a way that does not trigger these specific "on behalf of" authenticated emails. You do not need to ask your IT team to authenticate domains for every external evaluator.
6. What do I need to ask my IT department to do?
You should raise a ticket with your IT Infrastructure or Email/Domain Team.
- Forward them the technical communication provided by the Atamis Product Team.
- Provide them with the list of affected domains (see the "How to Check" section below).
- Once an IT contact is assigned, please cc them on your existing support ticket.
Below is a draft email you can send to your IT teams;
Hi [IT Team Name],
Our strategic procurement partner, Atamis, has flagged an urgent requirement regarding Salesforce’s new mandatory Domain Authorisation and DKIM enforcement. To ensure our outgoing emails (alerts, notifications, etc.) continue to deliver and don't fail entirely, we need to confirm our technical approach.
Atamis will manage the configuration within our Salesforce instance, but they need you to confirm which path fits our security policy:
- Option A: DKIM CNAME Records (Standard) Atamis will generate two 2048-bit CNAME records in Salesforce. You would then add these to our DNS. This allows Salesforce to sign our mail and rotate keys automatically for better security.
- Option B: Domain Authorisation (Newer Method) This is a broader verification of our sending domain. Atamis would generate a specific TXT record (a "Domain Selection" or "Verification" record) in Salesforce. You would add this to our DNS to prove we own the domain, allowing Salesforce to send on our behalf with higher trust levels across the entire org.
Could you please let us know which approach you prefer? Once you confirm, Atamis will provide the specific records for you to publish. You can find more technical context in this Salesforce FAQ.
Best regards,
7. What are the technical options for IT?
Your IT team generally has two ways to resolve this:
- DKIM (DomainKeys Identified Mail): Your IT team adds specific DKIM keys (digital signatures) to your domain settings. This proves Salesforce has permission to send as your company.
- Email Domain Authorisation: An alternative method to verify ownership of the domain within the Salesforce organisation to ensure mail flow is permitted.
UPDATE: There is a workaround which Salesforce have issued, this changes the FROM domain for unauthorised domains from yourdomain.com to email@orgId.sfcustomeremail.com. We will default to this position if you do not confirm the route you wish to take before 27 April 2026.
8. Does Sandbox need to be updated?
Yes. Your sandbox environment will also require these updates to ensure emails sent during testing are delivered.
Atamis Domains: Atamis will manage the update for the
atamis.co.ukdomain.Your Domains: You will need to coordinate with your IT team to ensure your own company domains are authorised within the sandbox as well.
How to Check Which Domains are Affected
To identify which domains need to be authorised by your IT team, please follow these steps to generate a list of active domains in your organisation.
Step 1: Extract list of Active Users from Atamis
- Log into Atamis.
- Create a new Report of type ‘Users’.
- Report Filters: Leave "All Time" and "Active Users" filters in place.
- Add a filter for User Type = "Standard".
- Delete all default columns on the report.
- Add ‘Email’ as the sole column.
- Run the report and Export it to Excel.
Step 2: Extract the list of Domains
Once you have the report in Excel (where Column A contains the email addresses):
Option 1: Using Co-Pilot in Excel
- Use the prompt: "Extract the unique list of email domains from the information held in column A."
Option 2: Extracting manually
- Add a new title to Column B: ‘Domain’.
- In Cell B2, enter the formula: =TEXTAFTER(A2,"@")
- Drag this formula down to all rows.
- Copy Column B and use ‘Paste Values’ to remove the formulas.
- Delete Column A.
- With Column B selected, go to Data > Remove Duplicates.
- Tick ‘My list has headers’ and click OK.
Note: You can ignore any atamis.co.uk domains and the exempt ESP domains (Gmail, Outlook, Hotmail) mentioned above. The remaining list should be shared with your IT department.
Related to
Updated