Chrome's escalating efforts to block mixed content have raised concerns among Salesforce Marketing Cloud users about email deliverability, particularly around unsecured click tracking domains. These browser-level blocks primarily target web pages rather than email content, but they can still affect how email clients display messages and how secure recipients perceive those messages to be. Understanding the difference between how browsers and email clients handle mixed content is crucial for maintaining optimal deliverability and sender reputation.
Key findings
Limited direct impact: Chrome's mixed content blocking primarily targets web pages, including images and landing pages, not email messages themselves. Email click tracking links are typically processed by the backend platform of webmail clients like Gmail or Outlook, not directly by the user's web browser.
Email client warnings: Despite browser-level handling, webmail clients may independently flag or complain about mixed content within emails, especially if the sender is not in the recipient's address book. This can lead to visual warnings or broken elements, potentially affecting engagement.
Image proxying: Major email providers like Gmail, Yahoo, and AOL proxy images through their own servers, often converting them to HTTPS regardless of the original source. This mitigates many mixed content issues related to images. Outlook also tends to handle mixed content gracefully.
Industry shift: The broader internet is moving towards universal TLS (HTTPS) for all connections. While email may not be as immediately impacted as web pages, the trend suggests that full HTTPS compliance for all email assets, including links and images, is becoming a best practice to avoid future deliverability or display issues.
Key considerations
Secure all assets: Although click tracking may not be directly affected, it is a best practice for ESPs and senders to ensure all endpoint links and images within emails are served over HTTPS. This includes custom tracking domains and content hosted on CDNs. Cisco provides resources on securing access, which generally aligns with secure content delivery. This approach is key to robust protection.
Audit existing content: Regularly review Salesforce Marketing Cloud account settings, landing pages, and hand-coded email templates to identify and update any HTTP links or image sources to HTTPS.
Leverage ESP features: Ensure your ESP (like Salesforce Marketing Cloud) is configured to use HTTPS for all its default tracking and content hosting. If using older features like classic landing pages, migrate to modern, secure alternatives like CloudPages.
Monitor deliverability: While direct deliverability impact from browser mixed content blocking is low, consistent warnings or broken content can indirectly harm user engagement and sender reputation. Continuously monitor your email performance and address any signs of mixed content issues.
What email marketers say
Email marketers often find themselves navigating the complexities of technical changes that impact their campaigns. The concerns surrounding Chrome's mixed content blocking and its potential effects on Salesforce Marketing Cloud email deliverability highlight a common tension between browser security enhancements and traditional email practices. Many marketers question the direct impact on their email metrics, especially when dealing with click tracking and image loading, which historically have had different rules than web pages.
Key opinions
Initial confusion: Marketers frequently express uncertainty about how browser-specific security updates, like Chrome's mixed content blocking, translate to email deliverability. There's often a need for clarification on whether these apply to elements like click tracking or just embedded images and linked web content.
Focus on images and landing pages: The prevailing opinion among marketers is that Chrome's mixed content blocking is primarily geared towards images and landing pages, with less direct impact on email deliverability itself.
Proxy mitigation: Many marketers acknowledge that major email clients (Gmail, Yahoo, AOL, Outlook) proxy images, effectively loading them over HTTPS, thereby reducing visible mixed content issues for recipients.
Misleading warnings: Some marketers feel that platform-generated warnings (such as those from Salesforce Marketing Cloud) about mixed content can be overly alarmist or unclear, leading to unnecessary concern among clients about their email deliverability without precise context.
Key considerations
Client education: It's important to clarify to clients and stakeholders that while browser security is tightening, email clients have different mechanisms for displaying content, such as image proxying. Marketers should explain where the actual risks lie and how they are mitigated.
Proactive HTTPS adoption: Even if the immediate impact on email deliverability is minimal, marketers should proactively transition all assets, especially images and linked content, to HTTPS to align with modern web standards and prevent future issues. The Automation Champion blog often discusses Salesforce updates, which can inform these transitions.
Review SFMC configurations: Regularly check Salesforce Marketing Cloud settings for portfolio bases, landing pages, and CloudPages to ensure they are configured to use HTTPS by default.
Hand-coded content: Pay close attention to any hand-coded emails or landing pages to manually update HTTP image and link references to HTTPS, ensuring consistency and preventing mixed content warnings from rendering.
Marketer view
Marketer from Email Geeks expresses concern that Salesforce Marketing Cloud is issuing many warnings about Chrome blocking mixed content. They are specifically worried about unsecured click tracking domains hurting deliverability, even though their understanding is that it should only affect images and landing pages.
10 Nov 2020 - Email Geeks
Marketer view
Marketer from Email Geeks states that the issue primarily concerns images loading over HTTP, not HTTPS, and clarifies that this does not impact links or click tracking in emails. They also note that major email providers like Gmail, Yahoo, AOL, and Outlook use proxies to load all images over HTTPS, preventing these issues from being seen.
10 Nov 2020 - Email Geeks
What the experts say
Email deliverability experts often provide a more technical and nuanced perspective on how browser security changes, like Chrome's mixed content blocking, interact with email ecosystems. They emphasize the distinct rendering environments of web browsers versus email clients and highlight the industry's push towards universal encryption. Their insights are crucial for understanding the underlying mechanisms and best practices that ensure long-term email success, moving beyond immediate alarm to strategic adjustments.
Key opinions
Backend processing of links: Experts confirm that click tracking links in emails are typically loaded by the email service's backend platform, not directly by the user's browser, thus isolating them from direct browser-level mixed content blocks.
No excuse for HTTP: A strong consensus among experts is that there's no longer a valid reason for ESPs not to wrap all their endpoint links (including tracking links) in TLS. The ease of obtaining certificates (e.g., via Let's Encrypt) makes this a fundamental expectation.
Client-side mixed content: While browsers aren't directly scanning email content, webmail clients (like Gmail and Outlook's web interfaces) can still flag mixed content warnings within messages, especially if the sender is not in the recipient's address book. This is distinct from browser mixed content blocking.
Universal TLS trend: The email ecosystem, much like the web, is steadily moving towards requiring universal TLS for all content. While web pages are the current primary target, email is quickly catching up in this trend.
Key considerations
Proactive security measures: Implement HTTPS for all email assets, including image URLs and click tracking links, even if the immediate deliverability impact is low. This is crucial for long-term sender reputation and to avoid future issues as standards evolve.
Understand client behavior: Be aware that while major clients proxy images, other clients or specific configurations might still display warnings for mixed content. Prioritize securing all elements to ensure a consistent experience.
ESP responsibility: Demand that your ESP provides secure (TLS/HTTPS) wrapping for all its services, including tracking domains. As noted by experts, modern email deliverability best practices necessitate this.
Redirects vs. direct insecure links: If a tracking link initially uses HTTP but immediately redirects to an HTTPS page, it's generally less problematic. However, direct HTTP links to insecure content should be avoided.
Expert view
Expert from Email Geeks clarifies that when it comes to click tracking links, even if viewed in a browser like Chrome on webmail platforms such as Google or Outlook, the link itself is actually loaded by the backend platform, not the web browser directly. This distinction is crucial for understanding the scope of mixed content blocking.
10 Nov 2020 - Email Geeks
Expert view
Expert from Email Geeks asserts that there is no justifiable reason for an Email Service Provider (ESP) not to secure all of their endpoint links with TLS (Transport Layer Security) in the current landscape of web security.
10 Nov 2020 - Email Geeks
What the documentation says
Official documentation from platforms like Salesforce Marketing Cloud and browser developers like Chrome typically outlines policies and best practices for content security. These documents often serve as the primary source of truth, detailing the technical implications of insecure content and the steps users should take to comply with evolving security standards. Their focus is on ensuring a secure user experience across all digital touchpoints.
Key findings
Chrome's mixed content policy: Chrome is actively deprecating insecure (HTTP) content on secure (HTTPS) pages, progressively blocking or warning about it. This applies to images, audio, video, and other embedded resources.
Salesforce warnings: Salesforce Marketing Cloud itself issues warnings regarding Chrome's mixed content blocking, primarily indicating impacts on landing pages and images linked within campaigns. Their guidance typically advises migrating all content to HTTPS.
Scope of impact: While the primary focus is web pages, documentation implies that any embedded or linked content (like images or external scripts) loaded within an email, particularly if it leads to a web page, should comply with HTTPS to avoid browser-level warnings or blockages when that content is accessed.
HTTPS as a standard: Official documentation from browser vendors and email platforms increasingly positions HTTPS as the mandatory standard for all web and linked content, emphasizing security and user trust.
Key considerations
Comprehensive HTTPS migration: Follow official guidance to convert all relevant content—including image URLs, custom domains for tracking and landing pages, and any other external resources—to HTTPS. This aligns with broader web security trends and mitigates potential deliverability issues as Google's security expectations tighten.
Platform-specific instructions: Pay close attention to specific instructions from Salesforce Help documentation regarding securing assets within the platform, such as portfolio base URLs and content on CloudPages. The Salesforce warning about Chrome mixed content outlines these areas.
User experience: Understand that mixed content warnings, even if not directly blocking email delivery, can degrade the user experience and lead to perceived insecurity. This indirectly affects engagement rates and can impact sender reputation.
Code review: For hand-coded emails or landing pages, meticulously review the HTML code to ensure all image sources and link hrefs use HTTPS, eliminating potential mixed content issues at the source.
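The code review step above can be automated. The following is an added example, not code from Salesforce or from the sources quoted on this page: it walks a hand-coded email's HTML and reports every http:// reference, separating resources fetched when the message renders (images, backgrounds, CSS url() values) from links followed only on click, such as click tracking URLs. The example.com hosts, the sample markup and the "resource"/"link" labels are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample: a hand-coded email mixing HTTP and HTTPS references.
SAMPLE_EMAIL = """\
<html><head><style>
  .hero { background-image: url('http://img.example.com/hero.png'); }
</style></head>
<body background="http://img.example.com/bg.gif">
  <img src="http://img.example.com/logo.png" alt="logo">
  <img src="https://img.example.com/footer.png" alt="footer">
  <a href="http://click.example.com/t/abc123">Shop now</a>
  <a href="https://www.example.com/unsubscribe">Unsubscribe</a>
  <table><tr><td style="background:url(http://img.example.com/cell.jpg)">Hi</td></tr></table>
</body></html>
"""
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.IGNORECASE)
# "resource" = fetched when the mail renders; "link" = followed only on click/submit.
KIND = {"src": "resource", "background": "resource", "poster": "resource",
        "href": "link", "action": "link"}

class InsecureRefAuditor(HTMLParser):
    """Collects (line, tag, attr, kind, url) for each http:// attribute value."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            value = (value or "").strip()
            if name in KIND and value.lower().startswith("http://"):
                kind = "resource" if tag == "link" else KIND[name]  # <link href> loads a stylesheet
                self.findings.append((self.getpos()[0], tag, name, kind, value))

def audit_email_html(html):
    auditor = InsecureRefAuditor()
    auditor.feed(html)
    auditor.close()
    # CSS url(...) values, whether in <style> blocks or inline style="" attributes.
    for m in CSS_URL.finditer(html):
        line = html.count("\n", 0, m.start()) + 1
        auditor.findings.append((line, "css", "url()", "resource", m.group(1)))
    return sorted(auditor.findings)

if __name__ == "__main__":
    for line, tag, attr, kind, url in audit_email_html(SAMPLE_EMAIL):
        print(f"line {line}: <{tag} {attr}> {kind}: {url}")
```

Findings of kind "resource" are the ones a webmail client or browser may warn about or refuse to load; "link" findings are the tracking and landing page URLs that should move to HTTPS as well.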
Technical article
Documentation from Salesforce Help outlines that Chrome is progressively enhancing its security measures, leading to warnings or blocking of mixed content (HTTP resources on HTTPS pages). This particularly impacts landing pages and images served via the platform.
10 Nov 2020 - Salesforce Help
Technical article
Salesforce documentation emphasizes the need for users to transition all content, including custom tracking domains and images, to HTTPS. It notes that insecure content can result in browser warnings, reduced trust, and potential display issues for recipients.