Use Visualforce Email Templates with Guest Users

In Spring ‘20, Salesforce introduced a security policy that affects Visualforce email templates that are used for emails sent to guest users in Experience Cloud sites.

Emails that use Visualforce email templates send information based on a user’s access to Salesforce data. But because data access for guest users is limited in Salesforce, the templates don’t work after you apply the security change.

Data access is divided into two main categories, or contexts.

• System Context—A user’s permissions are ignored, and the request executes irrespective of permissions. These permissions can include the keywords with sharing, without sharing, and inherited sharing.

  If a Visualforce email template is requested from a feature running in system context without sharing, the email is rendered in system context.

• User Context—All the user’s permissions and access settings are followed.

  If a Visualforce email template is sent from any other context, the email is rendered in user context.

For more information on context, see the Apex Developer Guide.

To ensure that a Visualforce email template runs in system context and is visible to guest users, add the renderUsingSystemContextWithoutSharing="True" attribute to the emailTemplate tag. Setting renderUsingSystemContextWithoutSharing="True" doesn’t override existing security settings for email object visibility. For example, to let a partner site member see User objects from a customer site, add the partner site member to the customer site and set renderUsingSystemContextWithoutSharing="True".

Warning When renderUsingSystemContextWithoutSharing="True", the email template runs in system mode, which bypasses user permissions, field-level security, and organization-wide defaults. Be careful when using this setting so that you don't inadvertently expose sensitive data. Before using this setting, assess the impact of the guest security policy and, if necessary, update the Visualforce email templates instead.

If the security policy changed a guest user’s access to email templates, update the template's context wherever a guest user can generate an email.

• When using Apex’s Messaging Class, ensure that your Apex class has the without sharing keyword in the definition. This keyword is required when you’re sending an email directly or from an Apex trigger.
• When using a Flow, ensure that you invoke it from an Apex Class that has the without sharing keyword, or from Process Builder.

No updates are needed if one of these features is used to trigger an email for a guest user:

• Process Builder
• Workflows

Note Classic Visualforce email templates must be edited in Salesforce Classic, but they can be used in Lightning Experience with Process Builder, Workflow Builder, and Apex calls.