This is an Early Access (EA) feature. EA features are opt-in features that you can try out in your org by asking Okta Support to enable them. Additionally, the Features page in the Okta Admin Console (Settings > Features) allows Super Admins to enable and disable some EA features themselves. To enable this feature, contact Okta Support.
A custom email domain allows you to present a branded experience to your end users. Email that Okta sends to your end users appears to come from your custom email domain instead of email@example.com. You can switch to a different custom domain or revert to the default Okta domain, but you can use only one email domain at a time.
Okta sends your super admins a confirmation email after your custom domain is configured and operating correctly. To ensure continuous operation, Okta polls your custom email domain once every 24 hours. If a problem occurs, Okta alerts super admins by email, and Okta-generated emails are sent from the default domain firstname.lastname@example.org until the problem is resolved.
- Only qualified administrators with access to the DNS records of your public custom domain should attempt these procedures.
- Okta strongly recommends that your organization implement the Sender Policy Framework (SPF) to prevent sender address forgery. If you already implement SPF in your custom domain, be aware that you must update the SPF record.
- In the Admin Console, go to Settings > Email & SMS.
- Click the Sender link.
- Select a sender in the Configure Email Sender dialog box.
If you select Custom email domain, enter or edit information in the following fields:
- Email address to send from
- Name of sender
- Mail domain to send from. Note: You must enter a unique mail domain that your organization has dedicated for Okta to send mail from. Later in this procedure, you will add this mail domain to your SPF record as an include-statement to show that you allow Okta to send mail from this domain.
- Save your changes.
  - The Save button appears if you chose email@example.com, or if you chose a custom email domain and your org's DNS records do not need to be updated. You are finished after you click Save.
  - The Save & View Required DNS Records button appears if you chose a custom email domain and your org's DNS records need to be updated before your settings can take effect. After you click the button, the DNS records that you need to update are shown.
- Update your DNS records using the provided values.
- Click a DNS update option:
  - I've updated the DNS records — Okta begins polling your DNS records until it detects your updates (up to 24 hours). Your configuration is pending until the DNS updates are detected.
  - I will update the DNS records later — Your records are not polled and your configuration is incomplete until you update the relevant DNS records and click I've updated the DNS records. You can view the list of records that require an update at any time.
Add the SPF record to your DNS zone (root domain).
If your root domain already has an SPF record, the following update can prevent spoofers from sending mail that mimics your domain.
For example, if you only send mail from Microsoft Office 365, your SPF record will have an include-statement like this:
example.com TXT v=spf1 include:spf.protection.outlook.com -all
To complete this procedure, you must add another include-statement that specifies the host shown in the first CNAME row in the Configure Email Sender dialog box. (This is also the mail domain that you specified in the Mail domain to send from field.)
Add the host to the existing record to configure a combined SPF record like this:
example.com TXT v=spf1 include:oktamail.example.com include:spf.protection.outlook.com -all
- You can't configure Okta to send emails through a domain that uses SendGrid. Instead, configure a subdomain on your DNS provider for custom Okta emails.
- You can't have more than 10 DNS lookups in your SPF record.
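The following sketch is an added example, not Okta's code. It builds the combined SPF record described above and counts the DNS lookups the result would need, following include and redirect terms, so the 10-lookup limit can be checked before the zone is changed. The ZONE records and the relay.example.net host are constructed stand-ins for live DNS answers.

```python
import re

# Terms that each cost one DNS query during SPF evaluation (RFC 7208, 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
TERM = re.compile(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?", re.I)

def add_include(spf, host):
    """Return spf with include:<host> placed right after the version tag."""
    terms = spf.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    new = "include:" + host
    if new.lower() not in (t.lower() for t in terms):
        terms.insert(1, new)  # must sit before the terminal 'all' to be evaluated
    return " ".join(terms)

def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms for domain, following include/redirect via zone."""
    if domain in path:
        raise ValueError("include loop at " + domain)
    total = 0
    for term in zone[domain].split()[1:]:
        name, target = TERM.match(term).groups()
        name = name.lower()
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(target, zone, path + (domain,))
    return total

# Constructed TXT records standing in for live DNS answers (not real data).
ZONE = {
    "example.com": "v=spf1 include:spf.protection.outlook.com -all",
    "spf.protection.outlook.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "oktamail.example.com": "v=spf1 include:relay.example.net -all",
    "relay.example.net": "v=spf1 ip4:198.51.100.0/24 mx -all",
}

def plan_update(domain, host, zone):
    """Return (new_record, lookups_after_update, within_limit)."""
    updated = dict(zone)
    updated[domain] = add_include(zone[domain], host)
    used = count_lookups(domain, updated)
    return updated[domain], used, used <= MAX_LOOKUPS

if __name__ == "__main__":
    print(plan_update("example.com", "oktamail.example.com", ZONE))
```

Against real DNS, the zone dictionary would be filled from TXT queries for each included host; nested includes are what usually push a record past the limit.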