Configure a custom email domain

A custom email domain presents a branded experience to your end users. Email that Okta sends to your end users appears to come from your custom email domain instead of noreply@okta.com. You can switch to a different custom domain or revert to the default Okta domain, but you can use only one email domain at a time.

About admin roles for this task

You must be a super admin or org admin with access to the DNS records of your public custom domain.

Before you begin

Okta strongly recommends that your organization implement the Sender Policy Framework (SPF) to prevent sender address forgery. If you already implement SPF in your custom domain, be aware that you must update the SPF record.

Start this task

  1. In the Admin Console, go to Settings > Email & SMS. Select the Email tab. Or, if you enabled Branding EA, go to Customizations >Email.
  2. Click the Sender link.
  3. Select a sender in the Configure Email Sender dialog box.
  4. If you selected Custom email domain, enter or edit information in the following fields:
    • Email address to send from
    • Name of sender
    • Mail domain to send from. This must be a unique mail domain that your organization has dedicated for Okta to send mail from. In step 8, you will add this mail domain to your SPF record as an include-statement.
  5. Save your changes.
    • The Save button appears if you chose noreply@okta.com, or if you chose a custom email domain and your org's DNS records don't need to be updated. You are finished after you click Save.
    • The Save & View Required DNS Records button appears if you chose a custom email domain and your org's DNS records need to be updated before your settings can take effect.
  6. Update your DNS records using the provided values.

  7. Select a DNS update option:
    • I've updated the DNS records — Okta begins polling your DNS records until it detects your updates (up to 24 hours). Your configuration is pending until the DNS updates are detected.
    • I will update the DNS records later — Your records aren't polled. Your configuration is incomplete until you update the relevant DNS records and click I've updated the DNS records. You can update the records at any time.
  8. Add the SPF record to your DNS zone (root domain). Or, if your root domain already has an SPF record, update it to prevent spoofers from sending mail that mimics your domain.

    An SPF record specifies the mail servers that your organization has authorized to send mail from your domain. For example, if you only send mail from Microsoft Office 365, your SPF record has an include-statement like this:
    example.com TXT      v=spf1 include:spf.protection.outlook.com -all
    1. Add another include-statement specifying the host shown in the first CNAME row in the Configure Email Sender dialog box. This is also the mail domain that you specified in the Mail domain to send from field.

    1. Add the host to the existing record to configure a combined SPF record like this:
      example.com TXTv=spf1 include:oktamail.example.com include:spf.protection.outlook.com -all

Okta sends your super admins a confirmation email after your custom domain is configured and operating correctly. To ensure continuous operation, Okta polls your custom email domain once every 24 hours. If a problem occurs, Okta alerts super admins by email, and Okta-generated emails are sent from the default domain noreply@okta.com until the problem is resolved.

Known issues

  • You can't configure Okta to send emails through a domain that uses SendGrid. Instead, configure a subdomain on your DNS provider for custom Okta emails.
  • You can't have more than 10 DNS lookups in your SPF record.
  • You can't use more than one custom email domain at a time but you can switch to a different custom email domain. If you switch to an org in the same cell, its custom email address must have a different top-level domain.

Related topics

Customize an email template

Configure a custom URL domain

Configure a custom Okta-hosted error page

External sources