Okta supports and utilizes Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) for email validation. Administrators can configure these protocols for custom email domains or rely on the default out-of-the-box support for standard Okta email addresses.

• Okta Identity Engine (OIE)
• Okta Classic Engine
• Sender Policy Framework (SPF) IPs
• DomainKeys Identified Mail (DKIM)
• Domain-based Message Authentication, Reporting, and Conformance (DMARC)
• Custom Email Domain

How does Okta handle email validation?

Okta supports and uses SPF, DKIM, and DMARC for email validation. Okta configures the DMARC policy in Reject mode to prevent email spoofing. Administrators can test this configuration online using the DMARC Inspector tool.

What mechanisms are supported for email validation?

Review the following supported mechanisms for Okta email validation.

• Default: Okta sends emails from the okta.com email address and supports SPF, DKIM, and DMARC out of the box. Administrators do not need to configure additional settings.
• Custom Email Domains: Okta sends emails from the custom domain and supports SPF, DKIM, and DMARC. Review SPF and DKIM for Custom Email Senders and Configuring DMARC for custom mail domain for configuration details.

Related References

• List of IP Addresses That Should be Allowlisted For Processing Okta Email Delivery Successfully
• Configuring DMARC for custom mail domain
• SPF and DKIM for Custom Email Sender
• DMARC Record Checker