In January 2026, Salesforce changed how its Marketing Cloud Engagement platform encrypts tracked email links. The fix addressed a vulnerability that could have exposed CloudPages content — like landing pages, microsites, forms, subscriber data from preference and unsubscribe centers, and email content via web view links. But the fix created a new problem: All tracked links generated on or before January 21, 2026 were expired. Calls to action, unsubscribe links, preference centers, “view as web page,” and CloudPages URLs broke overnight. I got together with my colleague Jess Burn, an email security expert, to analyze the fallout.

Salesforce’s fix made a mess for marketers

Obviously, emails with nonfunctioning links fail as marketing and sales tools; there is no way for a customer to engage with the message. But the magnitude of this breakdown also:

  • Tarnishes trust in senders. Users don’t think emailers with broken emails respect the intimacy of their inboxes. They worry that broken links are a sign of fraud. And they don’t care if the cause was out of a sender’s control.
  • Triggers meltdowns in deliverability. The new, encrypted links from Salesforce cause line-wrapping issues in some Microsoft email environments, breaking DKIM signatures. This, in turn, increased authentication failures, bounces, and spam complaints. Overall deliverability for the four days surrounding the incident dropped 25%.
  • Makes emails break the law. Many regulatory regimes, like the US CAN-SPAM Act, Canada’s anti-spam legislation (CASL), and the EU’s GDPR, require opt-out mechanisms to remain functional and clearly available, usually for 30 to 180 days. Organizations with Salesforce-generated unsubscribe links in older emails now face potential penalties unless they provide an alternative, working opt-out.
  • Raises questions of responsibility. A vulnerability serious enough to justify breaking every historical link forces hard questions about third-party risk oversight, security assurances, and how much operational disruption vendors can introduce in the name of remediation. Even without a confirmed breach, customers, regulators, and cyber insurance underwriters expect evidence of vendor due diligence, monitoring, and response planning.

Highly regulated sectors feel this most acutely. Financial services, healthcare, higher education, and the public sector often design communications like policy updates, consent notices, and account action notifications to remain accessible for months. When those links fail, it undermines both customer experience and evidentiary records used to demonstrate consent and suppression.

What to do now

Organizations are still digging out from this storm. Our advice is to treat this as an exercise in building trust with your recipients. This will mean making long-term repairs, not applying quick patches. Marketers and security pros should immediately:

  • Identify what’s broken in older, relevant communications. Inventory any pre‑January 21 sends tied to onboarding, account activation, policy notices, benefits, renewals, or legally required e-deliveries.
  • Rebuild where it matters. Replace legacy links with post‑change links and resend or retrigger journeys where the CTA still matters.
  • Stabilize deliverability. Study deliverability records to audit your overall reputation health and identify particular problem areas to reconstruct. Recheck DKIM, SPF, and DMARC alignment and test for edge cases introduced by longer URLs.
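
As an added illustration of the "edge cases introduced by longer URLs" check (example code written for this page, not Salesforce's or Microsoft's), the Python below flags body lines over the RFC 5322 limit of 998 octets and shows that re-wrapping such a line changes the DKIM body hash. The `hard_wrap` relay behavior, the `click.example.com` URLs, and the sample bodies are constructed assumptions.

```python
import base64
import hashlib
import re

MAX_LINE = 998  # RFC 5322 limit on line length in octets, excluding CRLF


def relaxed_body(body: bytes) -> bytes:
    """DKIM 'relaxed' body canonicalization (RFC 6376, section 3.4.4)."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":  # trailing empty lines are ignored
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes) -> str:
    """SHA-256 body hash, as carried in the bh= tag of DKIM-Signature."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def overlong_lines(body: bytes, limit: int = MAX_LINE):
    """Return (line_number, octets) for every body line longer than limit."""
    return [(n, len(ln)) for n, ln in enumerate(body.split(b"\r\n"), 1) if len(ln) > limit]


def hard_wrap(body: bytes, limit: int = MAX_LINE) -> bytes:
    """Constructed stand-in for a relay that splits overlong lines in transit."""
    out = []
    for ln in body.split(b"\r\n"):
        while len(ln) > limit:
            out.append(ln[:limit])
            ln = ln[limit:]
        out.append(ln)
    return b"\r\n".join(out)


# Constructed sample bodies: the same link markup with a short and a long URL.
SHORT_BODY = b'<p>Hello</p>\r\n<a href="https://click.example.com/?qs=abc">Unsubscribe</a>\r\n'
LONG_BODY = SHORT_BODY.replace(b"qs=abc", b"qs=" + b"a" * 1200)

if __name__ == "__main__":
    for name, body in (("short", SHORT_BODY), ("long", LONG_BODY)):
        signed = body_hash(body)                 # what the sender signs
        received = body_hash(hard_wrap(body))    # what the verifier recomputes
        print(name, overlong_lines(body), "bh matches:", signed == received)
```

Running `overlong_lines` over the rendered body of each template before sending identifies the links to fix; encoding the part as quoted-printable before signing keeps every line under the limit.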

And for the longer term

After recovering from the near-term impact of this event, marketers and their security colleagues should:

  • Treat email platforms as critical infrastructure. ESPs sit at the intersection of personal data, consent, regulated communications, and brand trust. Teams that fare better in incidents like this classify ESPs as high‑risk third parties, test breaking vendor actions in tabletop exercises, and maintain at least one vendor‑independent unsubscribe path. Salesforce’s January 2026 change is a reminder that security fixes at platform scale always have a blast radius. Governance and disruption response planning must account for that.
  • Prioritize the fundamentals in vendor selection. No doubt the AI feature race is on. But this incident is a reminder that AI won’t matter if the foundation of your program is unreliable. The Forrester Wave: Email Service Providers, 2026 will be out by the end of March to help you find a partner that nails the basics and can help you innovate with emerging tech. In the meantime, understand all of your available options.

Forrester clients can schedule a Guidance Session to discuss what this incident means for their Salesforce Marketing Cloud environment, including unsubscribe resilience, third‑party risk posture, and how to prepare for the next platform‑scale security change without scrambling. We can also help with email marketing and email security vendor selection, email marketing best practices, and deliverability strategies.