Loading

Top-level domain restrictions on DigiCert-issued SSL certificates

Date de publication: Nov 21, 2025
Description
DigiCert : In response to the evolving geopolitical situation in Ukraine, DigiCert is pausing issuance and re-issuance of all certificate types affiliated with Russia and Belarus. This includes suspending issuance and re-issuance of certificates to Top Level Domains (TLDs) related to Russia and Belarus, as well as to organizations with addresses in Russia or Belarus.

This can impact SSL certificates securing Marketing Cloud SAP endpoints and custom domains . Viewers of unsecured content may encounter security warnings in web browsers and email clients, preventing images from loading and warning recipients of insecure content.
 
Résolution

What actions should you take?

The following solutions, listed in preferred order, can be used to address your domain security.

Option 1: Register a new, non-restricted Top Level Domain (TLD) for Sender Authentication Package (SAP) domain page/cloud, click, view and image.

Advantages: The domain can be secured by Digicert.
Disadvantages: The process takes from 1-3 weeks to provision. Inbound activity of click tracking and redirect, email viewed as a web page, and images in content will no longer work for Emails already sent.

Steps:

  1. Register a new domain and provision it in Marketing Cloud.
  2. SAP Provisioning is initiated by completing the SAP form and Private Domain provisioning is initiated by the creation of a support case. Pre-pend [RU/BY Digicert] to the case subject title.
  3. After the domain is provisioned, you should:
    1. Secure the domain in Marketing Cloud Setup.
    2. Associate Cloud Pages and Landing Pages with the new domain.
    3. Republish email Triggered Sends and Journeys.


Option 2: Use a non-restricted TLD already configured in another Marketing Cloud Business Unit (BU) for SAP domain page/cloud, click, view and image.

Advantages: The domain is secured and provisioned in Marketing Cloud.
Disadvantages: The Brand may not be recognized. Inbound activity of click tracking and redirect, email viewed as a web page, and images in content will no longer work for Emails already sent.

Steps:

  1. Submit a support case to change the domain in affected BUs. Pre-pend [RU/BY Digicert] to the case subject title.
  2. After it is provisioned, you should:
    1. Associate Cloud Pages and Landing Pages with the new domain.
    2. Republish email Triggered Sends and Journeys.


Option 3:Use your existing domain and replace the DigiCert certificate with one issued by a different certificate authority (CA). This is known as 'BYOC' - Bring your own certificate.

Advantages: Account Branding does not change for Page, Click and View domain endpoints.
Disadvantages: The process takes from 3-4 weeks to provision.
Required: Marketing Cloud does not support BYOC for Images (Akamai hosted). Therefore, you will need to use the Salesforce (ExactTarget) domain for Images. We do not believe this is a disadvantage because image URLs are not surfaced to the recipient.

Steps:

  1. Submit two support cases: 1) To initiate BYOC process and 2) to use the Salesforce (ExactTarget) domain for Images. Pre-pend [RU/BY Digicert] to the case subject title.
  2. Acquire your SSL certificates based on instructions from Salesforce.
  3. Salesforce provisions the certificates.
  4. After certificates are provisioned, you should republished email Triggered Sends and Journeys.
Numéro d’article de la base de connaissances

000392052

 
Chargement
Salesforce Help | Article