Do not receive the MFA authentication or Activation emails
14004
Created On 11/21/22 15:31 PM - Last Modified 09/11/25 11:10 AM
Question
What to do if I am not receiving the MFA authentication emails or Activation emails ?
Environment
OKTA
Answer
Not receiving Activation emails or MFA verification emails from Palo Alto Networks has to be checked from the sender's side as well as from the recipient's side.
When Palo Alto Networks (sender) sends out an email via OKTA (activation email, MFA verification email etc.), two basic requirements need to be met.
1. Email deliverability
2. Avoid unwanted emails to reach recipients
To ensure email deliverability, Okta uses a well known and reputable email service provider which is registered with proper records, and Okta also ensures that proper DNS records are configured for the sending domain.
When Palo Alto Networks sends an email from sso-mail.paloaltonetworks.com via Okta, it is required to configure several DNS records that authorize Okta’s email service provider to send on the sender's behalf.
We confirmed with Okta that Palo Alto Networks configurations are correct on Okta side with no missing or incorrect values.
If You (recipient) do not receive an email from Palo Alto Networks, it needs to be checked why your email server rejected the message. Once the email was rejected by the recipient, Okta cannot change any variables from their side to “force” your email server to accept and deliver the messages.
If your email server rejects a message, Okta's email service provider will place your email ID on a “blocked recipient” list to avoid sending additional unwanted messages to the recipient's server.
Prior to opening an Admin case with us, take these initial troubleshooting steps:
1. Check all of your email folders (including spam) for the MFA authentication email (the email is sent from sso-mail.paloaltonetworks.com)
2. Make sure that these IP addresses are whitelisted by your internal IT Team:
23.249.212.62
23.249.212.63
23.249.212.64
23.249.212.65
3. Test whether you can resolve DNS to our SSO page. Check if you are reaching the server:
>nslookup
>sso.paloaltonetworks.com
If the response is a series of DNS request timeouts, the URL is not resolving.
5. Check with your IT Team whether you have DMARC/DKIM setup. This setup on a firewall might reject or delay the MFA authentication email.
6. Find out if your organization is using Mimecast. If your organization is using Mimecast, we advise you to first open a ticket with the Mimecast Support Team for further assistance.
7. Check if the recipient mail box is correctly set up before the email is sent out from Okta. If a user is created in Okta before the mail box is fully set up, the email will bounce back.
8. Check if the recipient mail box is full, if the address is valid.
If after completing the above steps, you are still facing the issue, visit the Customer Support Portal home page for further assistance.
Include the following in the case description:
1. List the initial troubleshooting steps that you took.
2. In case of not receiving MFA verification emails, let us know if you are willing to switch to a different MFA method as a workaround (Google Authenticator or OKTA). If this is not an option for you, let us know why you are required to use email MFA.
3. Let us know if you are the only user in your company network who is not receiving the authentication / activation emails. If others are affected, send us the email addresses of the other users.
Additional Information
The MFA verification code you receive via email is valid for 5 minutes.