Customizing the Email 'From:' Address
The ‘From:’ address is a global setting that applies to all emails sent from Identity Security Cloud. You can set a single 'From:' address for your whole org, or you can specify one per brand when you configure brands within your tenant.
Important
SailPoint uses the AWS SES cloud email service provider to send emails. Changing the ‘From:’ address could cause common email security solutions to treat Identity Security Cloud emails as spoofed mail. This could cause them to be undeliverable to your environment or to be marked as “external” mail, which might confuse or alarm your users.
To prevent this problem, SailPoint supports additional configurations required by these email security solutions. In most cases, you can work with your own organization’s email admins and DNS admins to complete these configurations. For more complex use cases or if you encounter problems, open a support ticket.
Setting the From Address
To change the 'From:' address for your org or for a brand:
-
Go to Admin > Global > System Settings. The Product Branding page is displayed.
-
If you have multiple brands defined, select the Brand Identity Attribute for the brand you want to configure. The 'From:' address used will be the one specified for the brand the recipient is part of.
If brands have not been set up, this option will be disabled, and the email address you choose will be used for all users in your org.
-
Navigate to 'From:' Address.
-
If your email security solution relies on DKIM authentication, complete the steps to add a domain. This also allows any email address from that domain to be auto-verified as you add them later. Refer to email security protocol requirements for more details.
-
Add and verify a new email address. Email addresses must be verified before they can be used as 'From:' addresses.
- Select Add Email.
- Specify an email address and select Add.
- If you have already verified the domain for this email address, the address will immediately auto-verify. Otherwise, you will receive an email from AWS to that address to confirm that you are the owner. Select the link in that email within 24 hours.
-
Once the email has been verified, choose it from the Select a Verified Email list to set it as the 'From:' address for the chosen brand or for the org.
Verified emails are marked as
Verified
under All Email Addresses and automatically appear in the dropdown list. -
If required by your email security solution, add a custom MAIL FROM domain. Refer to email security protocol requirements for more details.
-
Select Save.
-
Repeat these steps for all configured brands.
Notes
- You can assign up to 10 'From:' addresses for each org.
- Each email address can only be used as a 'From:' address for one org. If you need to reuse the same email address on multiple orgs, such as a sandbox org and a production org, contact SailPoint Support.
Removing a From Address
To remove an email address from your org, select the X icon beside it in the All Email Addresses list.
If the email address is being used by one or more of your brands, the X icon beside it is disabled. Select another email as the 'From:' address for those brands to allow its removal.
Email Security Protocol Requirements: DMARC, DKIM, SPF
Your organization's email security solution determines which configurations you must implement to avoid email authentication problems. Work with your email administrators to understand your solution and the required configurations.
Common email security configurations rely on the DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) authentication protocols for email authentication. Many organizations implement the Domain-based Message Authentication Reporting & Conformance (DMARC) protocol on top of those authentication methods, to provide a policy framework for how to handle failed authentication.
Email Security Solution | Required Configurations |
---|---|
Authenticating emails with DKIM | Complete DKIM domain verification for your 'From:' email address’s domain. |
Authenticating emails with SPF | No additional configurations are required. This is automatically handled by AmazonSES. |
Satisfying DMARC through DKIM | Complete DKIM domain verification for your 'From:' email address’s domain. |
Satisfing DMARC through SPF | Specify and verify a custom MAIL FROM domain matching your email domain. |
Completing DKIM Domain Verification
If your email security solution uses DomainKeys Identified Mail (DKIM), you must add the domain and configure your DNS to allow emails sent from Identity Security Cloud using that domain to pass DKIM authentication.
- Go to Admin > Global > System Settings.
- In the Product Branding tab, go to the 'From:' Address section.
- Select Add Domain.
-
Specify a domain or subdomain, and select Add.
Note
- You can add up to 10 domains for each org.
- A single domain or subdomain cannot be verified more than once, even on different tenants. However, you can add subdomains to each domain to differentiate between environments. For instance, both
sandbox.sailpoint.com
andsailpoint.com
can be verified.
-
Select the Copy icons to capture the CNAME Records. Work with your DNS administrators to publish them to your DNS.
- Select Close.
The domain appears in the All Domains list with a badge marking its verification status. Once AWS detects the CNAME records, the domain will be marked as Verified
in that list. This satisfies the DKIM requirements. In addition, any email address you add from that domain will be immediately verified.
Important
AWS will try to verify these settings for up to 72 hours. If the CNAME records have not been published to your DNS by then, verification will fail, and you will need to delete the domain from your All Domains list and restart the process.
Note
- If you need to recapture a domain's CNAME values after you close the Add Domain modal, select the Export icon next to the domain in the All Domains list.
Changing the MAIL FROM Domain
When you are using DMARC and satisfying its authentication requirements with SPF, you must configure a custom MAIL FROM domain to allow emails from SailPoint to be recognized as valid, internal communications by your email security solution’s spam filters.
Note
The MAIL FROM domain is the email domain that mailbox clients, such as Microsoft Outlook, see. It indicates where the email originated, such as amazonses.com. You can override that value through this configuration. This is distinct from the address displayed in the 'From:' text field of an email, such as From: no-reply@acme.com
.
- Go to Admin > Global > System Settings.
- On the Product Branding page, in the 'From:' Address section for the org or for a brand, ensure you have selected a verified email address.
- Select Use Custom MAIL FROM Domain.
-
Enter the MAIL FROM Domain to use with that 'From:' address.
- The domain must be a subdomain of your 'From:' address's domain. For example, if the address is
no-reply@acme.com
, the subdomain could be mail.acme.com. - The domain must not be used to send or receive email.
- The domain must be a subdomain of your 'From:' address's domain. For example, if the address is
-
Select Save. This automatically initiates an update of SailPoint's AWS SES settings for your tenant.
Note
If your selected 'From:' email address is from a verified domain, this configuration will be set for the domain. Otherwise, it will be applied to the email address.
-
Use Export or Copy to capture the TXT and MX record values that appear in the table below the MAIL FROM Domain, and work with your DNS administrators to publish them to your DNS. These must be used exactly as provided, with no elaborations or changes.
Once AWS SES verifies that those records are in your DNS, a
Verified
tag appears beside the MAIL FROM domain indicating verification was successful. The verification usually does not take long, though it is dependent on the Time to Live (TTL) configuration for your DNS. If the badge does not appear as expected after adding the records to your DNS, check again to ensure that they have been placed properly.Important
AWS SES will try to verify these settings for up to 72 hours. If the TXT and MX records have not been added to your DNS by then, verification will fail and you will need to select Try Again to reinitiate the verification.
Note
When configuring separate ‘From:’ addresses per brand, if they all come from a shared verified domain, you only need to do the custom MAIL FROM domain configuration once. If you choose email addresses from different domains or if your addresses come from a domain that you have not verified, you must complete these steps for each brand.
To remove a custom MAIL FROM domain, clear the Use Custom MAIL FROM Domain checkbox.
Documentation Feedback
Feedback is provided as an informational resource only and does not form part of SailPoint’s official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.