Loading

Mandatory IP Allowlisting in Marketing Cloud Engagement

Publiseringsdato: Jun 16, 2026
Beskrivelse

To enhance the security of the Salesforce platform, Salesforce will require that all Marketing Cloud Engagement (MCE) customers use IP allowlisting in enforcement (blocking) mode. This is a key security tool to contain and prevent unauthorized access. IP allowlisting applies to UI Login and API access.

What’s Changing

  • Salesforce is mandating and enabling IP allowlisting in enforcement (blocking) mode for all MCE customers. There will be no change for customers who have already enabled IP allowlisting in blocking mode across their Marketing Cloud Engagement platform.

  • For customers that have not yet enabled IP allowlisting at the enterprise or business unit level, Salesforce will automatically apply a pre-compiled list of IP addresses (based on successful authentications observed over the last six months, minus known malicious IPs). This recommended baseline IP list will be set to enforcement (blocking) mode at the enterprise level and uniformly apply to all Business Units (BUs).

  • For customers who have enabled ”Log Allowlist Violations' (monitoring mode), Salesforce will enable blocking mode as described below in the ‘What to Expect’ section.

Why Is Salesforce Making This Change

To uplift the security of the Salesforce platform, we are mandating the use of IP allowlisting in enforcement mode by all MCE customers. This is a key recommended security tool to contain and prevent recurrence of security incidents. The recommended baseline  IP allowlist data is derived from the observed traffic on the last six months log analysis.

When Does This Change Take Effect

Customers will be notified via email when an enforcement date has been set for their instance.

Who’s Affected

MCE customers who have not yet enabled, or partially enabled, IP allowlisting. Customers are considered not fully compliant if IP allowlisting is disabled or in monitoring-only mode at either the enterprise or business unit level. 

What to Expect

Enterprise (EID) Level: We will enable 'Log Violations and Deny Access' (blocking mode) for your EID. Depending on your EID configuration, the following will apply:

  • If your EID is already in “Log Violations and Deny Access” (blocking mode), your settings will not change.

  • If your EID is in “IP Allowlisting Disabled” or currently has no IP list, we will enable “Log Violation and Deny Access” (blocking mode) and apply Salesforce-recommended baseline IP ranges.

  • If your EID is in 'Log Allowlist Violations' (monitoring mode), we will enable “Log Violation and Deny Access” (blocking mode), keep your existing list, and append Salesforce-recommended baseline IP ranges to ensure continued access.

Business Unit (MID) Level: We will enable "Log Violations and Deny Access" (blocking mode) for BUs that have a current business unit level configuration. Depending on your current BU configuration, the following will apply:

  • If your BU is already in “Log Violations and Deny Access” (blocking mode), your settings will not change.

  • If your BU is in “Log Allowlist Violations” (monitoring mode), we will switch it to “Log Violations and Deny Access” (blocking mode) and append Salesforce-recommended baseline IP ranges to your existing IP list to ensure continued access for all users.

  • If your BU is in “IP Allowlisting Disabled”, we will switch it to “Log Violations and Deny Access” (blocking mode) with the “Enterprise level” list source.

All other business units will inherit the enterprise-level IP allowlisting configuration.

Løsning

Before Enforcement: How to Prepare

No action is required before the enforcement date. To minimize potential disruption, Salesforce has compiled a list of recommended baseline IP addresses based on activity observed over the last six months (excluding known malicious IPs). These ranges will be included in your applied IP list automatically. We recommend waiting until after your enforcement date before making any changes to your IP allowlist settings to ensure your configuration is applied correctly.

After Enforcement: Monitoring

You are responsible for reviewing and maintaining your IP allowlist. After enforcement, continuously review your IP allowlist access logs to catch and add any legitimate newly denied IPs before they cause disruption. We strongly recommend monitoring your access logs on an ongoing basis to identify any denied IPs that may need to be added. If more than 50 ranges need to be added urgently, contact Salesforce Support.

Resources

Common Questions

  • What does “blocking mode” mean?
    Users can log in only from IP addresses on the allowlist. The Access Log tracks login attempts from IP addresses that aren’t on the allowlist. To enable this feature, select “Log Violations and Deny Access” in the Security Settings. Refer to Enable the Login IP Allowlist.

  • Does this apply to UI Login and/or API access?
    Yes, IP allowlisting applies to both UI Login and API access.

  • Are cross-cloud IPs impacted?
    No, cross-cloud IPs are not impacted by this feature.

  • Can I opt-out?
    Currently, customers cannot opt-out from the enforcement of this feature.

Flere ressurser

Change Log

Date

Change

June 16, 2026

Initial publication

 

Knowledge-artikkelnummer

005387198

 
Laster
Salesforce Help | Article