SFMC Admin

Multi-Factor Authentication

You’ve probably noticed a pop-up message that appears from the recent times once you login into your Marketing Cloud instance telling you to enable Multi-Factor Authentication aka MFA. Why should you enable it? How to do this? You will get all needed information in this article.

Currently having MFA enabled is optional but will turn mandatory in the near future. So, better get ready.

Security in SFMC 

Let’s take a few steps back before we make a deep dive into MFA and speak about SFMC Security in general. 

Marketers currently work in highly personalized digital marketing landscape and Data Security is a crucial topic, while security comes into responsibility for everyone. Not only the service provider should ensure its solution is secure, but it is also customer’s responsibility to know the security aspects of working with data and being compliant with the recent security standards. 

Marketing Cloud has its own best practices to prevent common security threats such as credential or data loss/theft, phishing attacks, brute force. Amongst those best practices are: 

  • Roles and permissions 
  • Data Encryption (data-in-transit; data-at-rest* (paid add-on feature))
  • Data Retention policies 
  • Content Approval process 
  • SSL Certificates
  • Tenant specific endpoint 
  • SSH File Transfer Protocol
  • IP allow listing 
  • Identity verification (automatically replaced by MFA) 
  • SAML 2.0 SSO (single sign-on) 
  • Audit Trail 
  • Multi-Factor Authentication 
  • Loyal admin 

MFA adds another layer of protection to enhance SFMC login process. A user can successfully login into SFMC instance with passing two-step authentication: providing credentials (username and password), and also by additional verification method. There are in total three of them: 

  1. Salesforce Authenticator mobile app 
  2. Third-Party Authenticator app (TOPT) – Authy, Microsoft Authenticator, Google Authenticator 
  3. Security key (one type) – Yubico’s YubiKey, Google’s Titan Security Key 

Calls, SMS or email verification methods are not allowed for MFA. 


  • Enterprise accounts allow MFA enablement at the top-level account in the tenant. BUs can only view the settings. 
  • SFMC SAML 2.0 SSO is not compatible with MFA, so MFA should be still enabled as an extra safeguard. 
  • Multiple MFA Verification Methods are possible (Salesforce Authenticator + one type of Security Key + one type of TOPT Authenticator App), in case only one method per verification method type is registered. 

MFA Enablement 

Only SFMC Admin could enable MFA.  

First step is to click ‘Get Started’ at the pop-up message which appears after you log in to SFMC instance. 

Marketing Cloud will send a verification code to email address associated with your SFMC user. This code should be pasted in the field and verified.  

Then, you will have a choice of authentication methods available. 

For Salesforce Authenticator: 

  • You need to download and install the app from the Apple Store or Google Play. 
  • In the app select Add an Account option, then a two-word phrase will be displayed. 
  • Click in SFMC to connect the account to SF Authenticator and put the phrase from the app in the displayed field. 
  • Once the request is submitted, both sides should be connected. 
  • Now you can use the app for MFA to approve your logins in SFMC. 

For Security Key: 

  • Connect the Security key to your device and click Register. 
  • Give your security key a name. 
  • Save the setup. 

For Third-Party Authenticator App: 

  • You need to download and install a time-based one-time password (TOTP) authenticator app on your mobile device. 
  • Open the TOTP authenticator app and add an account. 
  • Use the authenticator app to scan the QR barcode that’s displayed on the Connect an Authenticator App screen.  
  • Another option is to manually generate your security key and enter it in the authenticator app. 
  • Enter the key and both sides should be connected. 

You can now log in to your Marketing Cloud account with your password and the value provided by your authentication method. 

All MFA events are logged in SFMC. You can find them in Setup -> Multi-Factor Authentication ->View MFA Events. 

Start using the new MFA Marketing Cloud feature and follow security best practices to build a comprehensive security controls for your marketing platform. 


Official Salesforce MFA Documentation 

Marketing Cloud Security Guide 

Marketing Cloud Security Trailhead 

Journey & Automation

Meet SFMC Behavioral Triggers


Behavioral Triggers start from Behavioral Marketing or Behavioral Targeting – the way you reach out your customers using their past actions and behavior. As examples could serve running a specific targeted ad campaign for a precise audience segment, real-time product/service/article recommendations on your web showed to a visitor, retargeting ads, and others.

Once a customer completes an action – submits a form, clicks on an email link, abandons cart, or makes a purchase – it could be sent through a specific funnel, or a marketing journey. All who have experience with SF Marketing Cloud already know how to setup a Journey and guide a customer through a personalized flow. From the Marketing Cloud July 2020 Release there is currently available another supportive tool, called Behavioral Triggers.


This new feature works together with Predictive and Personalized Recommendations (Einstein Recommendations). The users of Personalization Builder (Author’s note: The Builder itself is retired and migrated to Einstein features) are familiar with them.

  1. Firstly, you configure Collect Tracking Code and install it on your website. It is a JavaScript snippet to capture your known customers and anonymous visitors’ behavior and events at the user level on your web pages.
  2. Secondly, you configure your catalog source – a Product Catalog. Items in your catalog should be uploaded or streamed to determine which product recommendations to show in the emails or web.

Once all prerequisites are met you can start creating your Behavioral Triggers. Each trigger will be used to write engagement data about customers’ actions to a specific target Data Extension. Actions that could be tracked are simple browser session, cart abandonment, customer’s lapse, subscription to a newsletter, sign up, content view/download, click-throughs, etc. When creating Behavioral Trigger, you can set the suppression period and suppression rule time frame. All created Triggers are available in Behavioral Triggers dashboard. You can edit, pause, and resume the triggers.


With Behavioral Triggers you can use behavioral data written into Data Extensions in journeys and emails:

  • In Journey Builder Behavioral Trigger Data Extensions could be used as a Data Extension entry source.
  • In Content Builder emails subscriber’s abandoned items can be dynamically added by using Behavioral Triggers content block (see email content block configuration below).


To raise your open, click-through and conversion rate you need to consider one of 3 popular retargeting strategies: email retargeting. Behavioral Trigger configured for a cart abandonment process will be a perfect match. Abandoned products could be included into email content and cart abandoned audience will be used as an Entry Source for the Journey. This highly personalized behavioral campaign will help you to recover the purchases and increase sales.

SFMC Email

Interactive Email Form Block Discovery

Innovative, engaging and interactive email form blocks are live in Salesforce Marketing Cloud Content Builder since March 2020 Release. The form enables marketers to easily build interactive form that rendering in the customer’s inbox. When the form is submitted, data is written to a Data Extension and the customer is landed on a specifically created CloudPage to see some Thank You content.

Which use cases are supported by an interactive form block?

Almost any that come into your mind. You can either start from scratch, create a review from already prepared template, update subscriber’s profile with progressive profile form, or present some variations of a case or lead form for Salesforce data integration.

What assets are needed to build an interactive email form:

  1. CloudPage – there is a new type available called Interactive Email Page. If the general Cloud Page is created, you will not see the one in CloudPages Destination drop down list.
  1. Data Extension – in the second step of a form creation you have selection of your response capture. It could be already existent Data Extension, or the one you let create automatically when the form is created.
  2. Fallback Content – here it is important to grab your attention: not all email clients support interactive forms. That is why you need to think about your fallback state, that will be displayed in that worse case. This could be a button that links to the form on the CloudPage, for instance. Or, you can also choose to show nothing.

From the technical perspective the form itself is built with the help of AMPscript.  

VAR @CPID, @deExtKey, @encodedDeExtKey, @CPURL, @qsStart, @qsValueStart, @qsValue, @unmappedFields
SET @CPID = “2516”
SET @deExtKey = “018FF1D8-AA54-4163-AE62-C352D946ACEA”
IF (@CPID == “undefined”) AND (@deExtKey == “undefined”) THEN
RaiseError(“Please select a CloudPage and Data Extension and assign all fields to data attributes on the Interactive Email Form Block.”)
ELSEIF (@CPID == “undefined”) THEN
RaiseError(“Please select a CloudPage on the Interactive Email Form Block.”)
ELSEIF (@deExtKey == “undefined”) THEN
RaiseError(“Please select a Data Extension and assign all fields to data attributes on the Interactive Email Form Block.”)
SET @encodedDeExtKey = URLEncode(@deExtKey,1,1)
SET @CPURL = CloudPagesURL(@CPID,’ic_deN’,@encodedDeExtKey)
SET @qsStart = IndexOf(@CPURL,’?’)
SET @qsValueStart = Add(@qsStart, 4)
SET @qsValue = Substring(@CPURL, @qsValueStart)
VAR @linkToClickCode, @link2C, @regexPattern, @trackedClickLink
SET @linkToClickCode = ‘Interactive Email Form Submit
SET @link2C = TreatAsContentArea(“submitTrackingClick”, @linkToClickCode)
SET @regexPattern = ‘href=”(.+?)”‘
SET @trackedClickLink = RegExMatch(@link2C, @regexPattern, 1)

You can recognize @CPID as a CloudPage ID, @deExtKey as a Target Data Extension for the Response Capture, and other technical parameters to raise an error in case unexpected error occur (RaiseError), to link to a CloudPage with encrypted values (@CPURL), etc.

What you can see from the User Interface is simple drag&drop options, that make it easier to select CloudPage response capture, right type of field for the form, design of the elements, etc.

For the input capture you have plenty of options available.

You can also use hidden fields to pass information you already know behind the scenes. These fields could be passed in AMPscript format, for example %%=v(@value)=%%. Don’t forget to define this ‘value’ in the block before the form, for example:

set @value = AttributeValue(“value”)

For the rating option, you are limited to present ‘star’ images. But there are available several special workaround options.

First simple option is to use ‘Button Single Choice’ as an input choice. You can then amend the buttons in Design Tab.

The second option is more global. In case you want to add some customizations to your form, you can copy the raw code of the form that is available in the Code View Tab and amend it on a side accordingly. Then paste back to the email as an HTML block. Don’t forget to test the form carefully then! 😊

Need more info?

Check official documentation that covering how to create an interactive email page, form block and having FAQ section.

There is a Trailhead module created especially to explain how interactive email can improve your marketing strategies.

You can also ask me directly writing an email to or in Twitter.


A story of DESelect

What is DESelect, who invented it, how the idea went to life? 

DESelect is an app for Salesforce Marketing Cloud (SFMC)  that makes segmentation easy for marketers. It was created by Jonathan van Driessen (our CTO) and I. The idea to create an app like this came to me in August 2018, when I still worked as a consultant at an automotive company. There, I noticed the troubles marketers were having with data and SQL queries in SFMC and came up with the idea for DESelect. Shortly after, we started working intensively on the app and began building relationships with potential customers and partners.

DESelect allows segmentation without the need to rely on SQL. Instead, we propose an intuitive drag-and-drop interface that allows users to create advanced segmentation in Salesforce Marketing Cloud.

Why Deselect, who is in a team, what is the final destination? How you found the resources to make it come true? 

Why DESelect? 

Because data has remained a challenge for marketers (and given its importance, likely the topic will remain key), because we really believe in the Salesforce platform, and finally because we are convinced that we can make a worthy contribution.

Our mission is to become the preferred segmentation solution for Salesforce Marketing Cloud. I’m glad to recognize the fact that we are confidently moving in this direction.


I (Anthony) spent 7 years in CRM and Marketing Automation, leading projects for national and international organizations. Earlier I also founded a mentoring program for startups and a booking site for sailing trips, and I am a self-taught programmer. Jonathan is a serial entrepreneur who’s founded companies such as,, and InfinitySleeves and has published on the Salesforce AppExchange before. We co-founded DESelect and have taken the roles of CEO and CTO respectively. 

We got two teams: Our Customer team (marketing, sales, partnerships) and Product team (dev, support, customer success), both tasked with delivering great customer experience for DESelect customers and partners.


Although we seem to have sparked the attention of a few Angel investors and VCs, we remain bootstrapped until this day. For a long time, Jonathan and I kept contracting part-time and did not pay ourselves anything within DESelect so we could re-invest. In fact, employees started earning money before we did. 

It was brutal sometimes. There were several months in early 2019 when I was working 7/7 days a week while managing or being otherwise engaged in 3 consulting projects (not counting DESelect).

Now we are seeing traction and the Salesforce community reacts very positively to our solution. Today we are considering different financing options to accelerate our growth.

How hard it is to put an app for app exchange? Your 3 dos and dont’s for those who think of creating something cool for the community. 

Free of charge or paid app? Your personal view on it. 

Many underestimate the AppExchange security review which you must pass in order to be listed, which can take weeks to months end-to-end. We had the advantage that our team has done similar things before. From a business point of view: Start building the relation with Salesforce early on and show that you are serious. It helps if you can demonstrate you actually add value to the platform. From a technical point of view: Be diligent and follow the process. Don’t try to “wing” it. Our app was around from before we launched on the AppX and ‘Trust’ is our primary principle. As such, we already had high-security standards, passed Salesforce’s security review on the first go, and are now listed on the AppX.

Something cool from your side you can promote for readers-demo for example, free 2 week installation, etc 

To get a quick DESelect intro and demo, check out this video (1:54).

Readers who want to learn more about us can book a demo here.Finally, for SIs (system integrators) reading this: Know that we already work with partners and can enable you in several ways, including offering a DESelect partner account. For more information, contact