Securing Data In Salesforce Marketing Cloud – Part One of Three


Welcome to the first installment of “Securing Data In Salesforce Marketing Cloud”. This informative article is part of a three-part series created by one of Devs United’s knowledgeable Technical Architects.


Part One covers the pros and cons of the following security features in Marketing Cloud:


  • Login IP whitelisting
  • Key management
  • Identity validation
  • Export email whitelist
  • Roles

Securing Data in Marketing Cloud

One of the main resources that organizations have is their data, so how does Marketing Cloud help us care for and protect it?

To help protect your data, Marketing Cloud provides several features that allow you to best implement the security plan for the unique structure and needs of your organization.  


Marketing Cloud Security Features:


Login IP Whitelisting

The login IP whitelist includes a range of IP addresses you define that indicates which ones can access your account,  and prevents unauthorized IP addresses from logging in. Whitelisted IP addresses allow users using those IP ranges to access the application.

For example, you can specify a range of IP addresses that belong to your network. If a user tries to log in from outside your network, the application would 1) deny access to the user entirely, or 2) allow access, but require the user to go through a two-step verification process to identify themselves. Use login IP whitelist to improve system security and help prevent unauthorized access to your account. The login IP whitelist functionality allows you to log the non-whitelisted users who are attempting to access your account. 



  • You can define different IP ranges for each business unit or whitelist IP ranges at the enterprise level and force the business unit to inherit the parent settings.
  • This feature is included in all accounts by default, with the ability to configure the settings to fit your company’s security requirements.



  • Because this feature is highly configurable, it is not automatically enabled in your account.
  • If you enable Identity Validation and select Allow machines not on Whitelisted IP Addresses access under Security Settings, the login IP whitelist feature will not log these events as violations. This feature allows and does not log all authentication requests made from Salesforce IP addresses

Learn More About This Feature >


Identity Validation

The Identity Validation security setting requires users to authenticate the browser used to access the application. Upon login, the system generates an email with an authentication code to the email address associated with the user account. Requiring users to authenticate their browser provides an added layer of security for your data.



  • The user enters the code in the Activation Code field to log into the appropriate account. Ensure that all users in your account use valid email addresses in their user profile.
  • Identity Validation allows flexibility when setting up your security parameters
  • Once you configure Identity Validation in your account, any user who tries to log in must authenticate the browser based on the rules you set.



  • Identity Validation does not apply to API access, but API users who access the user interface need to validate their devices. Users who access Marketing Cloud via the API only do not need to validate their devices.
  • If you enable Identity Validation and select Allow machines not on Whitelisted IP Addresses access (requires Identity Validation to be enabled) under Security Settings, the Login IP Whitelist feature will not log these events as violations.

Learn More About This Feature >

Key Management

Key management provides a method you can use to manage different types of encryption and decryption options for your data.



  • Use this feature to manage certificates and other security options regarding the encryption, decryption, and digital signing of email messages.  For example, you can use this encryption to verify to the recipient that your email originated from a trusted location and has not been altered since the time of the send.
  • You can use five different types of encryption methods: Asymmetric, Symmetric, Initialization Vector, Salt, SAML
  • Use this feature to encrypt and decrypt files that are imported from an FTP location



  • You might need to contact support if this feature is not enabled in your account
  • If you are encrypting email messages, you will need to be a little bit familiar with AMPScript
  • To transfer and decrypt encrypted files, you’d want to get familiarized with the concept of the safehouse location

Learn More About This Feature >


Export Email Whitelist

Your export email whitelist contains individual email addresses or domains that can receive exports via email from your Marketing Cloud account



  • Once you create an export email whitelist, only users matching the whitelisted criteria can receive exported data. 
  • You can use a wildcard such as * to whitelist entire organizations.



  • Contact your Marketing Cloud account executive to enable this feature for your account
  • Export email whitelisting affects this functionality:
  1. Subscriber export wizard
  2. Export of standard reporting
  3. Export of tracking data from the email tracking pages, including triggered send tracking
  4. Ability to email tracking reports

Learn More About This Feature >



A role is a collection of permissions that allow or deny users to take actions on an item or item property. Not setting a permission is the same as setting the permission to “deny”. 


Different types of roles include these characteristics:

  • User Roles – Permissions stay with the user regardless of business unit
  • Business Unit Roles – Any user working in a business unit acquires the role and permissions of the business unit
  • Individual Role – An individual specifically receives assigned permissions


Marketing Cloud uses the permissions aggregated from all of a user’s roles and determines whether a user can access an item based on this logic:

  • If no permission explicitly grants access to an action, the action is denied.
  • If one of the permissions explicitly denies access to an action, the action is denied.
  • Otherwise, the action is granted



  • Roles assigned to a business unit apply to all users in that business unit, so a single user can have multiple roles.
  • Users inherit roles from their business units. Child business units inherit roles and permissions from the parent business unit when you select the Force Inheritance checkbox.
  • Use roles to manage and control access to actions and to enforce your security policies



  • Enterprise 2.0 accounts use roles and permissions. Contact your Marketing Cloud account representative about the availability of roles and permissions.
  • Deny permissions always override allow permissions. The “deny” permissions that you set in a role trump the “allow” permissions that you set on a particular user.

Read More About This Feature >


Join us again for Part Two of “Securing Data in Salesforce Marketing Cloud,” where we will continue to discuss some of Marketing Cloud’s security features. A Downloadable PDF of the full article will be made available upon the final release of the series!

Marco Murabito
Marco Murabito