Your Link Has Expired: The Impact of SFMC’s Recent Security Incident

Key takeaways

• Salesforce Marketing Cloud (SFMC) experienced a major security incident that expired all email links generated before January 21, causing widespread disruptions.
• The incident led to broken links, compliance issues, increased bounce rates, and severe damage to sender reputations, especially for Microsoft inboxes.
• To recover, senders should monitor DKIM pass rates, resend critical emails, test unsubscribe functionality, and update systems to accommodate longer tracking links.
• Building trust in email marketing requires staying ahead of security challenges, mailbox provider changes, and evolving consumer expectations.

On January 24, teams sending emails from Salesforce Marketing Cloud (SFMC) experienced major disruptions due to a potential security vulnerability. 

You can read the full security notification here.  

The TLDR version: to address the flaw, Salesforce moved to a new method of authenticated encryption. While this solved the shortcoming, the new solution wasn’t compatible with the old encryption method. This meant all email links generated before January 21 expired and no longer worked.  

The average length of the new links was more than double the old ones, creating an unforeseen problem at Microsoft: Legacy rules inserted line breaks when messages exceeded character limits—breaking Domain Keys Identified Mail (DKIM) signatures.    

What was the impact? 

Senders (and their subscribers!) felt the impact right away. The broken links meant all click-through traffic from emails sent before January 21 was directed to generic error pages.  

This caused serious compliance issues because unsubscribe links no longer worked. Plus, the resulting authentication failures caused a massive increase in bounce rates. 

Unsurprisingly, this created major deliverability problems for senders—especially because this failure happened immediately after a major Microsoft outage (from January 22-23). This outage also generated big uplifts in soft bounce activity for emails delivered to Hotmail, Outlook, and Microsoft 365.  

Validity’s data shows the incident severely damaged sender reputations, driving sharp increases in authentication failures, bounces, and spam complaints as recipients worried broken links were a sign of fraud. 

See what happened to one large email program’s Sender Score during the event. 

Average inbox placement rates at Microsoft inboxes plummeted. Overall deliverability dropped by ± 25 percent. Remember that SFMC senders are only a subset of this cohort—many of them saw inbox placement rates close to zero percent in the immediate aftermath of this incident!  

Microsoft Global Inbox Placement Rates: January 2026 

How to safeguard your program 

Events like these highlight the importance of monitoring sender reputation metrics using tools like Sender Score.  

When senders experience performance dips, they can review changes in their bounce profile using tools like Bounce Lookups to understand what is happening. Close monitoring of your DKIM pass/fail rates will also help identify related issues.    

For senders who were impacted by the SFMC incident, we recommend the following steps to get your email programs back on track: 

• • Identify all sends before the January 21 cutoff with links likely to be clicked again (for example, unsubscribe requests and preference center access).
  • Resend critical emails (e.g., legal notices, real-time offers, or engagement journeys), with new, valid links. 
  • Create a custom redirect to reroute traffic from legacy tracking links, so they resolve to fallback web pages that are familiar to your customers and consistent with your brand.  
  • Specifically test your unsubscribe functionality (both the organic links and the one-click headers required for compliance with bulk sender requirements). 
  • Republish all evergreen journeys and automations, which will ensure SFMC rewraps all email links with the new encryption scheme.  
  • Test any integrations and API calls to ensure they can handle the longer links. 
  • Expand your CRM’s URL fields to accommodate the longer values they now need to hold, which will avoid truncating or invalidating them. 

Keeping consumer trust at the forefront 

As we move into 2026, trust has become the foundation of any sender-subscriber relationship. Consumers are more alert to email fraud, and as threats grow more sophisticated, earning and keeping that trust requires staying ahead of constant change. 

Understanding what’s coming next is just as important as responding to today’s challenges.  

To explore how mailbox provider requirements are evolving, how AI is reshaping inbox access, and what new signals and regulations will define success, join Danielle Gallant, Al Iverson, and me for our upcoming Litmus Live session: “Where is email marketing headed in 2026?” (See the full conference agenda here.) 

The insights shared will help senders protect trust, build stronger relationships, and maximize long-term revenue in an increasingly complicated email ecosystem.