If you build personalized links in Salesforce Marketing Cloud using CloudPagesURL() combined with subscriber data and UTM parameters, you likely hit a very painful wall in early 2026. What used to produce a manageable 180–255 character URL is now generating 400–580 character encrypted strings — and external systems are choking on them.
At Genetrix, we fielded multiple urgent calls from SFMC clients in the days following the January 2026 update. SMS gateways were rejecting sends. CRM integrations were silently truncating links. Analytics pipelines were breaking. This guide gives you the exact native workaround we are using across our client environments — no third-party shorteners, no extra budget, and full personalization preserved end to end.
What Happened in January 2026
On January 21, 2026, Salesforce deployed a mandatory, non-backward-compatible security fix across all Marketing Cloud Engagement instances. The vulnerabilities, catalogued as CVE-2026-22582 through CVE-2026-22586, exposed subscriber PII through argument injection flaws in the legacy link encryption system, which used hard-coded cryptographic keys.
Salesforce’s fix was technically sound: migrate all link encryption to AES-GCM (Advanced Encryption Standard, Galois/Counter Mode). AES-GCM provides authenticated encryption combining confidentiality and integrity verification. The cost was URL length. The old scheme produced URLs of roughly 180–255 characters. AES-GCM’s overhead pushed that to 400–580 characters — more than double.
January 2026 Incident Summary
On January 23, 2026, Salesforce forcibly expired every Marketing Cloud link generated before January 21. Every tracking URL, CloudPage link, and unsubscribe URL already in the wild stopped working. The new AES-GCM encrypted URLs then triggered a secondary deliverability crisis when Microsoft mail servers began inserting line breaks at 999-character boundaries, breaking DKIM signatures. Four days of near-total failure on Outlook and Hotmail domains followed before Salesforce re-engineered the header formatting on January 25.
The Clean Native Workaround: CloudPage Redirect Proxy
The solution is elegant and entirely native to SFMC. Instead of sending or storing the full encrypted URL, you store it in a Data Extension and use a simple CloudPage as a lightweight redirector. The link that goes into your SMS send, your CRM field, or your file export is short and clean. The heavy encrypted string stays inside SFMC until the moment the subscriber clicks.
How the Redirect Proxy Works
Step-by-Step Implementation
Create the Storage Data Extension
Create a new DE named URL_Storage. You need three fields at minimum: SubscriberKey as Text, Primary Key; Full_Encrypted_URL as Text with a length of 4000; and optionally CreatedDate and CampaignName for tracking purposes. The 4000-character length gives you safe headroom above the current 580-character maximum.
Populate the DE Before Your Send
In your send automation — whether a Query Activity, Script Activity, or a Journey action — generate the full CloudPagesURL() value for each subscriber and write it to the DE against their SubscriberKey. This step ensures the encrypted URL exists in the DE at the moment any subscriber clicks the short link you send them.
Build the Redirect CloudPage
Create a new CloudPage in Web Studio or Classic. Paste the following AMPscript. This page receives the short link click, looks up the full encrypted URL from the DE, and silently redirects the subscriber.
CloudPage — Redirect Proxy (AMPscript)
```
%%[
VAR @subKey, @fullURL

/* Receive the SubscriberKey from the short link query string */
SET @subKey = RequestParameter("sk")

/* Look up the full encrypted URL from the storage DE */
SET @fullURL = Lookup("URL_Storage", "Full_Encrypted_URL", "SubscriberKey", @subKey)

IF NOT EMPTY(@fullURL) THEN
  /* Redirect() accepts only the target URL; it takes no status-code argument */
  Redirect(@fullURL)
ELSE
  /* Fallback for expired or missing tokens */
  Redirect("https://yourdomain.com/error")
ENDIF
]%%
```
Use the Short CloudPage Link in Your Send
The URL you drop into your SMS, DE export, or any external system now looks like this:
Short link — used in SMS / DE export / external system
```
https://cloudpage.yourdomain.com/redirect?sk=%%SubscriberKey%%
```
Resulting length: typically 70–120 characters, regardless of how long the underlying encrypted URL grows.
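A stricter variant of the redirect page above, added here as an example and not Genetrix's or Salesforce's code: it looks the row up by an opaque per-row token instead of the raw SubscriberKey, so a link cannot be rebuilt from a known key, redirects only to the expected HTTPS host, and logs the click before redirecting. The `Token` column (assumed to be filled with `GUID()` when the row is written), the `Click_Log` DE, the `t` query parameter and the host prefix are assumptions, not part of the original setup.

```ampscript
%%[
/* Added example. Token, Click_Log, "t" and @allowedPrefix are hypothetical
   names chosen for illustration; adjust them to your own account. */
VAR @token, @rows, @row, @fullURL, @subKey, @allowedPrefix, @errorURL, @logged

SET @allowedPrefix = "https://cloudpage.yourdomain.com/"  /* placeholder host */
SET @errorURL = "https://yourdomain.com/error"
SET @token = Trim(RequestParameter("t"))
SET @fullURL = ""
SET @subKey = ""

/* GUID() values are 36 characters long; reject anything else before the lookup */
IF Length(@token) == 36 THEN
  SET @rows = LookupRows("URL_Storage", "Token", @token)

  /* Exactly one row must match; zero or duplicate rows fall through to the error page */
  IF RowCount(@rows) == 1 THEN
    SET @row = Row(@rows, 1)
    SET @fullURL = Field(@row, "Full_Encrypted_URL")
    SET @subKey = Field(@row, "SubscriberKey")
  ENDIF
ENDIF

/* Redirect only when the stored URL starts with the expected HTTPS host,
   so a bad or tampered DE row cannot send the subscriber elsewhere.
   IndexOf() is 1-based and returns 0 when the prefix is not found. */
IF NOT EMPTY(@fullURL) AND IndexOf(@fullURL, @allowedPrefix) == 1 THEN
  /* Write the click to the logging DE before the redirect */
  SET @logged = InsertData("Click_Log", "SubscriberKey", @subKey, "Token", @token, "ClickedAt", Now())
  Redirect(@fullURL)
ELSE
  /* Unknown, malformed or expired token */
  Redirect(@errorURL)
ENDIF
]%%
```

With this variant the short link becomes `https://cloudpage.yourdomain.com/redirect?t=<token>`, and the token value has to be written to URL_Storage in the same step that stores Full_Encrypted_URL.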
Pros and Cons of This Approach
What Works Well
- Zero cost — entirely native to SFMC
- Full AES-GCM encryption and PII security preserved
- Short, consistent URLs external systems can handle
- Click tracking available on the CloudPage
- Works for SMS, API sends, and file exports
- Scales cleanly across multiple campaigns and BUs
Trade-offs to Know
- One extra redirect hop (negligible latency in most cases)
- Click data registers on CloudPage first, not final destination
- Requires a small upfront setup per campaign or BU
Quick 2026 Implementation Checklist
- Use CloudPagesURL() to generate the full encrypted URL internally only — never send it directly to external systems.
- Create the URL_Storage DE with the Full_Encrypted_URL field set to Text, length 4000.
- Populate the DE per subscriber before or at the start of your send automation.
- Deploy the redirect CloudPage and test it with a known SubscriberKey before your first live send.
- Send only the short CloudPage link externally — SMS, CRM fields, file exports, API payloads.
- Upsize any CRM Text (255) fields storing Marketing Cloud URLs to Text Area (Long) to handle the new AES-GCM lengths.
- Monitor CloudPage performance via SFMC Tracking to catch any redirect failures early.
Frequently Asked Questions
You get full tracking on the CloudPage URL itself. For end-to-end visibility through to the final destination page, add a simple SSJS write to a logging DE immediately before the Redirect() function. This captures the click event with a timestamp and subscriber key without any impact on the redirect speed.
Yes — this is actually the most common use case we are implementing for clients right now. MobileConnect has strict URL length limits and the new AES-GCM URLs break SMS character budgets immediately. The short CloudPage link typically falls well within a single SMS segment.
Yes. Branded short domains via a proper URL shortening service, or MobileConnect’s built-in shortener for SMS-specific use cases, are both cleaner long-term options. For now, this proxy pattern is the lowest-friction, zero-cost gold standard — and it is what we are recommending across all client environments until those options are viable.
No. The full AES-GCM encrypted URL never leaves SFMC until the actual click occurs. The short link only carries the SubscriberKey, which has no PII value on its own.
Change any Salesforce CRM field that stores a Marketing Cloud URL from Text (255) to Text Area (Long). Standard Text fields have a 255-character hard limit which is well below the new 400–580 character AES-GCM output. Also audit any CreateSFObject calls or custom integrations that pass Marketing Cloud URLs downstream — these need the same field type update.