Salesforce Trust

Stay Current on Security

Salesforce is committed to setting the standard in software-as-a-service as an effective partner in customer security.


Security Best Practices

Salesforce is dedicated to helping our customers be more secure when accessing our service. With the evolving threat landscape, we strongly encourage customers to take action to help prevent unauthorized access to their Salesforce orgs. Learn more about Salesforce Security by reading our latest program brief and white papers: Salesforce Security Overview, Salesforce’s Approach to Security and Protecting Customers with M&A Due Diligence.

We strongly recommend that Salesforce administrators consider taking the following steps to make the experience as secure as possible for Salesforce users, while protecting company data. The following are security features available in Salesforce that provide additional layers of end-user validation or authentication:

Enable Multi-Factor Authentication (MFA)

We strongly advise all customers to enable multi-factor authentication (two-factor authentication, or 2FA, is a subset of multi-factor authentication) where available. MFA is one of the simplest and most effective ways to enhance the security of your Salesforce user accounts, thereby protecting your company’s data and workflows. By adding a second layer to the user authentication process (such as the Salesforce Authenticator app or a hardware token), admins amplify their org’s security by helping to prevent unauthorized user access — keeping their business running and data secure.

Run Security Health Check or OrgMonitor with Every Release

Health Check is a free tool that comes standard with Salesforce products. Built on our core platform, it allows admins to manage their org’s most important security settings in a single dashboard. Using Health Check, admins can seamlessly identify and fix potentially vulnerable security settings with one click. Customers can also create custom baseline standards to align more closely with the individual security needs of their business. Customers with multiple orgs can use OrgMonitor, an open-source tool, to apply the same simple management and prioritization of security settings to all orgs in one view.

Set Login IP Ranges

Login IP Ranges limit unauthorized access by requiring users to log in to Salesforce from designated IP addresses — typically your corporate network or VPN. By using Login IP Ranges, admins can define a range of permitted IP addresses to control access to Salesforce. Those who try to log in to Salesforce from outside the designated IP addresses will not be granted access. If you are using Professional, Group, or Personal editions, you can configure Login IP Ranges under Security Controls > Session Settings. If you are using Enterprise, Unlimited, Performance, or Developer editions, you can configure Login IP Ranges under Manage Users > Profiles. Learn how to implement this feature.

Educate Users About Phishing

Salesforce highly recommends phishing education for all Salesforce users. Most cyber attacks use malware (malicious software) to infect a computer with malicious code designed to steal passwords or data, or to disrupt an entire computer or network. Fortunately, you don’t need to be a security expert to help stop malware.

Some simple recommendations you can make to your Salesforce users:

Teach users not to be fooled by phishing, and not to click links or open attachments in suspicious emails. One of the most effective cyber attack techniques is tricking someone into clicking a link or opening an attachment that installs malware. These are called phishing emails because they lure you into opening an email. A phishing email can say something intriguing or useful, or appear to be a legitimate message from a real company (package delivery, payroll, IRS, social networking, etc.).

Instruct users to never open emails from unknown sources. Hackers want people to click on their link so that they can infect the user’s computer. Similarly, teach users that emails received from an unknown source should be evaluated based on the source and whether it makes sense. If not, it may be malicious. The sender's address should always be verified, and any links to URLs can be hovered over to validate them. For example, if the link says it’s from Salesforce, then hovering over the link should show a URL ending in "”.

If you or any of your users are unsure about whether a Salesforce email is legitimate, forward the email to See recent phishing examples below.
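The hover check described above (the real destination of a link must end in the sender's domain) can be automated when triaging reported mail. This is an added example, not Salesforce code: `vendor.example` is a placeholder for the trusted domain, which this page does not show, and requiring `https` is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: placeholder for the domain genuine vendor mail links to.
TRUSTED_DOMAIN = "vendor.example"

def host_is_trusted(url, trusted=TRUSTED_DOMAIN):
    """True only for https URLs whose host is the trusted domain or a subdomain."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False
    if parts.scheme != "https" or not host:
        return False
    # Match on a label boundary so "evilvendor.example" does not pass.
    return host == trusted or host.endswith("." + trusted)

class LinkAudit(HTMLParser):
    """Collects (visible text, href) for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def suspicious_links(html_body, trusted=TRUSTED_DOMAIN):
    """Return links whose real destination is not on the trusted domain."""
    audit = LinkAudit()
    audit.feed(html_body)
    return [(text, href) for text, href in audit.links
            if not host_is_trusted(href, trusted)]

# Constructed sample email body (not from a real message).
SAMPLE = """<p><a href="https://login.vendor.example/reset">Reset password</a></p>
<p><a href="https://vendor.example.login-check.test/">https://vendor.example</a></p>
<p><a href="https://vendor.example@203.0.113.7/">Vendor portal</a></p>
<p><a href="https://evilvendor.example/">vendor.example</a></p>"""
```

`suspicious_links(SAMPLE)` flags the last three links: the trusted name used as a subdomain of another host, as URL userinfo in front of an IP address, and as a bare string suffix. In each case the visible text or a naive "ends with" comparison would look legitimate.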

Decrease Session Timeout Thresholds

Users sometimes leave their computers unattended or don't log off. You can protect your applications against unauthorized access by automatically closing sessions when there is no session activity for a period of time. The default timeout is 2 hours; you can set this value to between 30 minutes and 8 hours. To change the session timeout, click: Setup > Security Controls > Session Settings.

Password Policies

Strong password security is an important first step in protecting your Salesforce accounts.

Salesforce recommends these best practices:

  1. Password expiration – Salesforce recommends forcing users to reset their passwords after no more than 90 days.
  2. Password length – Salesforce suggests a minimum password length of 8-10 characters.
  3. Password complexity – Admins should require users to include a mix of alpha, numeric, and special characters in their Salesforce password.

In addition, remind users to never reuse passwords on multiple accounts, or they risk compromise of more than one of their accounts. Lastly, users need to understand that they must never share passwords with anyone, either online or in person; this includes their Salesforce password.

Enable TLS 1.2 or Higher

Transport Layer Security, or TLS, is the most widely deployed security protocol for web browsers and other applications that require data to be securely exchanged over a network. To ensure the most secure environment and continued payment card industry compliance, Salesforce requires all secure org connections to use TLS 1.2 or higher (as of Sept. 20, 2019 for Sandbox orgs and Oct. 25, 2019 for Production orgs).

For additional resources, check out Salesforce Disabling TLS 1.1, post your questions to the Official: Salesforce Service Delivery Trailblazer Community Group, or open a case with Support via the Help & Training portal.

Consider Salesforce Shield

As part of your overall security strategy, consider Salesforce Shield. While Salesforce is equipped with many out-of-the-box security controls, Shield complements your security features with enhanced encryption, app and data monitoring, and security policy automation. Shield can help admins and developers build a new level of trust and transparency in business-critical apps.

My Domain

My Domain allows you to add a custom domain to your Salesforce org URL. Having a custom domain lets you highlight your brand and makes your org more secure. Additionally, this allows you to follow our best practices of not specifying instance names in code and integrations (e.g. Following this best practice will provide you and your end-users a more seamless experience during any future maintenance.

Using My Domain, you define a custom domain that's part of your Salesforce domain. A custom domain is actually a subdomain of a primary domain. If we use an example of Universal Containers, their subdomain would be “universal-containers” in this My Domain example:

A custom domain name helps you better manage login and authentication for your org in several key ways. You can:

  • Block or redirect page requests that don’t use the new domain name
  • Set custom login policy to determine how users are authenticated
  • Work in multiple Salesforce orgs at the same time
  • Let users log in using a social account, like Google and Facebook, from the login page
  • Allow users to log in once to access external services
  • Highlight your business identity with your unique domain URL
  • Brand your login screen and customize right-frame content

Learn more about My Domain and how to implement it for your org.


Phishing Examples

Phishing scams use fraudulent emails to get users to reveal confidential information. Such emails typically look as though they come from a legitimate organization and may contain links to what appears to be that organization's site, but is actually a fake site designed to capture information.

Report suspicious emails by forwarding them to

As these scams get more sophisticated, it can be tough knowing whether an email is real or fake. The best way to avoid being tricked is knowing what to look for. Check out these examples of recent scams:
