An overview of the Secure Sockets Layer (SSL) security protocol and its configuration process in Marketing Cloud Engagement.
SSL certificates keep online interactions private even though they travel across the public Internet, and they give your visitors the confidence to transact with your website. SSL validates site identity and secures data in transit. All Marketing Cloud Engagement domains are secured by default with SSL before use.
| cloud.<custom domain>.com | cloud subdomains serve pages from the CloudPages landing pages product |
| click.<custom domain>.com | click subdomains are used to generate subscriber-specific click-tracking URLs |
| view.<custom domain>.com | view subdomains are used to generate 'View in Browser' links when the %%view_email_url%% Personalization String is called |
| image.<custom domain>.com | image subdomains serve images and related assets stored in Content Builder |
.
SSL isn’t included with Sender Authentication Package (SAP), but you can purchase it to secure the domain types listed in the preceding section. For existing customers, your domains are secured on your behalf. When you renew your contract, you must purchase SSL SKUs to address any usage that exceeds your entitlements. New customers must obtain four SSL SKUs for SAP and one SSL SKU for each additional CloudPages domain.
a. Salesforce purchases the SSL certificate on your behalf via DigiCert or Amazon.
b. You provide your own certificate. This option isn't supported for image subdomains.
We recommend allowing Salesforce to purchase the certificate on your behalf. This option has the quickest turnaround, and makes renewal seamless.
Even if you supply your own certificate, you must purchase an SSL SKU.
If you plan to use Salesforce-provided certificates, use the Domain SSL Certificates page in Marketing Cloud Engagement Setup to secure your domain. Find detailed usage guidelines in Secure a Custom Domain and Secure a Domain Using a Custom SSL Certificate.
.
CAA records control the list of certificate authorities (CAs) allowed to issue certificates on behalf of a domain. When no CAA records exist, all CAs can issue on a domain's behalf. When any CAA record exists, the CAs allowed to issue on behalf of that domain and its children are limited to those explicitly allowed by these records.
If CAA records exist and Salesforce-supplied certificates are used to secure custom domains on self-hosted DNS, ensure these record are in place:
<SAP domain> CAA 0 issue "digicert.com"<SAP domain> CAA 0 issue "amazon.com"
Record should be inserted at the SAP domain level or higher.
Restrictive CAA records can be inserted by network admins without the knowledge of Marketing Cloud SAP owners. If you use Salesforce-supplied certificates, make sure that your admins are aware so that CAA record updates are made in accommodation of this requirement.
.
000387921

We use three kinds of cookies on our websites: required, functional, and advertising. You can choose whether functional and advertising cookies apply. Click on the different cookie categories to find out more about each category and to change the default settings.
Privacy Statement
Required cookies are necessary for basic website functionality. Some examples include: session cookies needed to transmit the website, authentication cookies, and security cookies.
Functional cookies enhance functions, performance, and services on the website. Some examples include: cookies used to analyze site traffic, cookies used for market research, and cookies used to display advertising that is not directed to a particular individual.
Advertising cookies track activity across websites in order to understand a viewer’s interests, and direct them specific marketing. Some examples include: cookies used for remarketing, or interest-based advertising.