This will provide the allowed IPs for the Sender Policy Framework (SPF) records and information about the DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC).
- Okta Classic
- Okta Identity Engine (OIE)
- Sender Policy Framework (SPF) IPs
- DKIM
- Custom Email Domain
1. Okta uses Sendgrid to send emails from the production service. Okta has DNS, dedicated IPs, and domain authentication (DKIM and SPF) configured through SendGrid to separate Okta senders from each other and other senders on Sendgrid.
The following Sendgrid IP addresses are dedicated to only sending Okta emails to Okta customers:
- 167.89.110.192
- 167.89.126.180
- 167.89.14.31
- 167.89.21.169
- 198.21.5.209
- 50.31.57.204
- 159.183.193.109
- 159.183.213.105
- 159.183.213.107
- 159.183.214.96
- 159.183.213.204
- 159.183.200.101
- 149.72.233.170
- 149.72.90.103
- 192.254.124.136
Okta does not have a dedicated outbound MTA. Sendgrid does not have company-specific outbound MTAs, which would not be scalable or feasible.
2. Okta supports and uses SPF, DKIM, and DMARC for email validation.
There are two supported mechanisms:
Default
- Emails sent from okta.com email address.
- •SPF, DKIM, and DMARC are supported out of the box.
- Admins do not have to set up or configure anything.
Custom Email Domains
- Emails sent from the custom domain.
- SPF, DKIM, and DMARC are supported.
- See SPF and DKIM for Custom Email Senders.
- See Configuring DMARC for custom mail domain.
Okta DMARC policy is set up in Reject mode to prevent email spoofing. This can be tested online using this tool.
