On January 21, 2026, a platform-wide security update in Salesforce Marketing Cloud generated an issue that caused links in previously sent emails to stop working. Salesforce Security identified a vulnerability within Marketing Cloud Engagement and responded by deploying enhanced encryption across the platform. While this critical update strengthens data protection, it exposes a risk to organizations that requires immediate awareness and action.
What happened
- At 3:00 PM PST on January 21, Salesforce implemented stronger encryption for all system-generated links, which resulted in all previously generated tracking links to forcibly expire. Links in emails sent after this date are now protected by robust AES-GCM encryption and are not vulnerable to previous exploits. However, users should be aware of potential impacts, organizational risk and marketing activity insights resulting from this update.
- Broken links: recipients who click on links within emails generated before the update, including click tracking URLs, unsubscribe links, preference centers, “View as Web Page” links and CloudPages are redirected to an error page or default expiration notice, unless a custom landing page has been configured.
- Increased bounce rates: URL length increased dramatically, from 180–255 characters to as many as 580 characters. This change resulted in unexpected deliverability issues, particularly for recipients on Microsoft domains such as Outlook, Hotmail, MSN and Live, resulting in elevated bounce rates between January 21 and January 25.
Risks: compliance and customer experience
As noted above, unsubscribe and preference links may not function, which could create compliance risks under anti-spam laws. Regulatory requirements like the CAN-SPAM Act, GDPR and Canada’s Anti-Spam Legislation (CASL) differ across regions, but many include expectations such as:
- Provide a clear, functioning unsubscribe mechanism.
- Honor opt-out requests within 10 business days.
- Not require log in, fees or extra steps to unsubscribe.
- Ensure the mechanism works for at least 30 days after send.
If a user cannot unsubscribe because links expired or broke, that’s technically noncompliance, even if it is unintentional.
What to do next
Be aware. Understand the organization’s level of risk.
- Run spot checks on emails that went out 30 days prior to the upgrade to ensure links work.
- Engage with legal and compliance teams (or a trusted partner, like Protiviti), to help guide actions that can be taken to address the issue.
Take action. Based on the organization’s level of risk, consider the following actions:
- Document the incident internally (date, scope, root cause, impact).
- Implement custom URL expiration redirect pages. Redirect expired links to a branded CloudPage or external site that offers helpful options, including customer care, unsubscribe and preference management. This preserves compliance and customer trust.
- Update URL expiration policies. Set them to the maximum recommended by Salesforce, 60 days, to balance security with user experience.
- Audit automations and data stores. Identify any workflows or databases storing legacy Salesforce Marketing Cloud URLs, which may no longer function due to the increase in URL length from a maximum of 255 characters to 580 characters.
- Create a free-standing preference page accessible through the company’s website and not limited to clicking on a link in an email to allow users to opt out.
- Resend emails with fresh links, if needed.
- Always align Legal, Marketing Ops and Compliance on this narrative and future operational marketing governance.
Partnering on rapid response and transformation
Protiviti recognizes that urgent platform changes demand a rapid and coordinated response. Our team has deep expertise in application modernization, compliance and digital transformation. We help clients assess and remediate compliance risks arising from vendor-driven changes, design scalable solutions for link management and customer communications and develop custom landing pages and automation enhancements to ensure uninterrupted customer experience.
When change is sudden, speed and expertise are critical. Protiviti’s proven frameworks and innovative tools enable organizations to adapt quickly, minimize risk and turn disruption into opportunity.
To learn more about our Salesforce consulting services, contact us.
