In Experience Cloud, password reset emails contain a one-time URL/token that expires as soon as it is opened. When a user's email client or a third-party email security scanner automatically scans and opens URLs in incoming emails — such as the Safe Links feature in Microsoft Outlook or similar enterprise email scanning tools — the reset token is consumed by the scanner before the user can click the link. This causes the link to appear expired or redirects the user to the Experience Cloud login page rather than the Forgot Password page.
There is no way to detect or prevent such services from consuming the one-time URL/token from the Salesforce side. However, Salesforce provides a profile-level setting to mitigate this behavior.
A profile-based setting under Password Policies called "Don't immediately expire links in forgot password emails" was released to help organizations overcome this type of external interference. This setting forces the reset link to remain valid until the user confirms the password reset request by clicking the button on the provided reset password page. Once they confirm, the user must set their new password. If they do not successfully set the password, they must request a new link.
To enable this setting for affected profiles:
If an Outlook user is experiencing this issue, ask them to perform the following steps to disable link preview scanning:
Users experiencing this issue through email clients or third-party scanners other than Outlook — or if the Outlook solution above does not resolve the issue — must contact the provider of their email software directly. Salesforce cannot provide support for third-party email software behavior.
View and Edit Password Policies in Profiles
Password Policy Fields in Profiles
000381667

We use three kinds of cookies on our websites: required, functional, and advertising. You can choose whether functional and advertising cookies apply. Click on the different cookie categories to find out more about each category and to change the default settings.
Privacy Statement
Required cookies are necessary for basic website functionality. Some examples include: session cookies needed to transmit the website, authentication cookies, and security cookies.
Functional cookies enhance functions, performance, and services on the website. Some examples include: cookies used to analyze site traffic, cookies used for market research, and cookies used to display advertising that is not directed to a particular individual.
Advertising cookies track activity across websites in order to understand a viewer’s interests, and direct them specific marketing. Some examples include: cookies used for remarketing, or interest-based advertising.