Top 10 Marketing Cloud Mistakes. Arrows missing a target

Top 10 Marketing Cloud Mistakes (and How to Avoid Them)

Mistakes can be made when using any enterprise platform and Marketing Cloud is no exception to the rule. Most user-based mistakes are caused by taking shortcuts, like an inadequate implementation, failing to invest in training, or not testing. However there are always some mistakes that are inevitable and all part of the learning process. Someone once helpfully explained to me that “you learn Marketing Cloud by making mistakes — the bigger the mistake, the more you learn.” And he was right.

In this post, I’ve identified the top ten mistakes in Marketing Cloud that I see users regularly make, so you can avoid them.

1. From Address Management

The From Address Management feature in Marketing Cloud Setup lets you verify email addresses and domains that you use as your ‘From address’ when sending emails from the platform.

From Address Management in Marketing Cloud Setup

But there’s a lot of ambiguity on what this feature actually does. Some assume that simply by adding email addresses or domains to this feature, you can send emails from the email address or domain. And that’s right, but you’ll also experience deliverability issues. To understand why, it’s first necessary to explain how a mail server works.

When a mail server receives emails, it validates that the outgoing server (which sent the email) has permission to send emails on behalf of the domain. Simply put, it uses a set of security mechanisms to prevent ‘bad guys’ from sending emails on your behalf. This includes checking published DNS (Domain Name System) records for an SPF (Sender Policy Framework) record to validate that the IP address of the server used to send the email has permission to do so. Additionally, most mail servers also check for the presence of a DKIM (DomainKeys Identified Mail) signature header in the email and compare this against the sender’s public DKIM key in the published DNS records, which is a method to sign your emails in a way that will allow the recipient’s server to check if the sender was really you or not. Additionally, some mail servers also use DMARC (or Domain-based Message Authentication, Reporting, and Conformance), which is an email authentication method that checks whether the message’s ‘From’ header matches the sending domain, when SPF or DKIM checks the message (referred to as ‘alignment’).

These DNS records are typically added when a Sender Authentication Package (SAP) or Private Domain is provisioned on your Marketing Cloud account. And without these records, the mail server may filter these emails, which will directly affect email deliverability.

From Address Management is really only for compliance purposes — it ensures that you don’t send an email on behalf of a domain that you don’t own. You should always ensure that the domain used in the ‘From’ address has valid SPF, DKIM and DMARC records. This can be validated by opening an email in your email client and checking for ‘pass’ values for these records in the email header.

Viewing an email source in Gmail web client

2. Email Address Update Behavior

When sending emails from Content Builder or from a Send Email activity in an automation, the email address used to send an email to a Subscriber will not be updated based on the value of your email address field in your Data Extension. That’s because by default, this email address is only used when creating a new Subscriber record at send time.

Subscriber email behavior for different email sending scenarios

If your Sendable Data Extension contains different email addresses for Subscribers (with a matching Subscriber Key) who exist in the All Subscribers list, then you should consider sending the email from a Journey. Alternatively, you can update the email address of the affected Subscribers in the All Subscribers list before sending.

3. Viewing Activities in an Automation

Once an automation has been activated in Automation Studio, it can’t be modified and activities can’t be viewed on the automation canvas without pausing the automation. And there are many scenarios when you would need to view an existing activity in an automation—perhaps you want to review SQL code in query activities or check an activities’ configuration.

Viewing an Activity in an Active Automation

Activities can be viewed without pausing an automation by identifying the activity name in the automation then opening the corresponding activity from the Activities page in Automation Studio, but I see most users opt to pause the automation and view the activities directly in the automation, out of convenience. The danger with this practice is that it’s all too easy to forget to re-activate the automation after viewing (or editing) activities. And I’ve seen entire cross-platform architecture processes stall or break due to users absentmindedly forgetting to reactivate automations after pausing them.

However inconvenient it may seem, you should only open active automations to review the activity names, then locate the corresponding activity on the Activities page, where you can safely view them without impacting active automations.

4. Intersected Roles and Permissions

After a new user account is created in Marketing Cloud, Administrators have to assign a role (or roles) to these users, before they can access platform features. But there appears to be some ambiguity in how roles actually work.

Marketing Cloud has a concept of roles and permissions. A role is essentially a set of predefined permissions that define which tasks users can perform in a business unit. And a permission can have one of three scopes: granted, denied, or undefined. When roles intersect with permissions (for example, a user is assigned multiple roles, with conflicting permissions), ‘deny’ permissions will always override all other permissions. And when a permission is not explicitly granted or denied (that is, they are undefined), Marketing Cloud defaults to a deny permission, unless another role grants that permission.

Permission set for the Marketing Cloud Viewer role

I regularly hear of users being unable to access platform features despite being assigned all available standard roles! The reason is that the ‘Marketing Cloud Viewer’ role has a ‘deny’ scope to several platform features, which will trump permission assignments in other roles.

When assigning (or creating) roles in Marketing Cloud, the Principle of Least Privilege (or POLP) should be enforced to ensure that roles are assigned based on a users’ minimal level of access rights that allows them to perform their role.

5. Contact Ejection in Journeys

When a Contact reaches an Email activity in a Journey, the platform evaluates whether the email should be sent to the Contact. And there are several scenarios why emails aren’t sent, which includes unsubscribes, List Detective related reasons, or the Subscriber is on a suppression list. But in all of these scenarios, the Contact is ejected from the journey.

Journey Builder Health feature

This behavior can be validated by reviewing the Contact Details for an email activity, which provides details on ‘Hard Errors’. Then using the Health feature, you can search for individual Contacts to review the paths and activities they were routed through.

While this behavior might be unexpected, it’s clearly intentional. And because a Contact was ejected from the Journey, then any other activities won’t apply to the Contact, like Update Contact, or a different messaging activity (like Push Notification or SMS).

While there isn’t a perfect solution to this problem, if you have multiple messaging activities in your journey other than email, then you may want to create mini-journeys instead, with separate journeys for different messaging channels.

6. Salesforce AMPscript functions

AMPscript includes five functions that enable interaction with Sales Cloud. When Marketing Cloud Connect is used to connect Sales Cloud and Marketing Cloud, these server-side scripting functions perform operations on Sales Cloud data, including retrieving, creating and updating object records. In turn, this is a very convenient way to interact with CRM data in real-time, by retrieving or updating object records directly from landing pages or messages. However, there are a couple of considerations when using these functions.

The first is that the RetrieveSalesforceObjects function (which retrieves records from Sales Cloud) is pretty slow, so you need to identify its appropriate use. I discovered that after including a single function call in an email to retrieve record data from Sales Cloud at send time, I calculated that the send would take 1.5 years to complete (when sending to 2.5m Contacts)!

The second consideration is when using the CreateSalesforceObject function to create object records or the UpdateSingleSalesforceObject function to update existing records, all associated operations in Sales Cloud are subject to lock contention. When a record is updated or created in Sales Cloud, a temporary lock is placed on the record to prevent another operation from updating the record at the same time (which ensures referential integrity). While these locks only last for a few seconds, a given transaction can only wait a maximum of 10 seconds for a lock to be released, otherwise it will time out. Refer to this cheatsheet for more information on record locking.

When AMPscript functions are used to create or update records from an email at send time, then this can result in multiple concurrent lock operations, and in some scenarios cause the operation to timeout and the send to fail.

To avoid these lock contention issues, it’s recommended that you reserve the use of these AMPscript functions on CloudPages, or in emails that are not used for bulk sending (for example, a Triggered Send email with a low send volume). Consider using Synchronized Data Extensions to retrieve object records in near-time and update Sales Cloud records using alternative techniques (which are discussed later in this post).

7. Dynamic Content Caching Behavior

Content blocks in Marketing Cloud are reusable components (either text or image content) which can be shared across multiple emails, or conditionally included as dynamic email content. These content blocks can either be copied into an email (by adding them through the user interface) or referenced in an email using a dynamic content block or AMPscript (a dynamic content block actually writes AMPscript code to programmatically include content).

A dynamic content block in Content Builder

In this scenario, the content block isn’t part of the email, instead it is dynamically included at send time. However, if the email is a Triggered Send email or an Email Activity in Journey Builder (which are Triggered Sends behind-the-scenes), then Marketing Cloud creates a snapshot of the content block the first time it’s rendered by the Triggered Send, and that snapshot (or cached version) is used to render subsequent content, until the Triggered Send is updated.

As a result, if a content block referenced in an email is updated after a Triggered Send is published, but no Subscriber has been sent an email with that content, then the snapshot for the content won’t be created and the updated content block will be included in emails. However, if a content block has previously been included in an email and then the content block is updated, then the email won’t include the new content version.

As a solution, you should pause, publish and restart Triggered Sends after changing content blocks that are referenced in emails. Or for Journey Builder Email activities, you can complete this process by opening the email activity in the running journey, select ‘Activity Summary’ and then click ‘Done’ which will update the related Triggered Send.

8. Email Address as Subscriber Key

A number of Marketing Cloud customers choose to adopt an email address as a Subscriber Key. And there are many reasons why this is a bad idea (in addition to Salesforce stating that you shouldn’t).

Firstly, the Subscriber Key in Marketing Cloud is a System of Record. In other words, it’s a persistent, unique identifier that can’t be updated after the Subscriber record is created. The problem with email addresses is that individuals can change their email addresses at any time, and they may have more than one email address.

Secondly, email addresses aren’t always unique. A husband and wife might share the same email address, so it’s not a suitable unique identifier for an individual.

Also, when using certain platform encryption products in Marketing Cloud to protect a Subscribers personally identifiable data (like Field Level Encryption or Tokenized Sending), the Subscriber Key value is not encrypted.

Finally, an email address is channel specific. You may have Contacts who haven’t provided their email address and instead prefer to receive messages by SMS, or push message. In short, you can’t guarantee that all Contacts have an email address.

If you don’t have an identifier for a Subscriber (for example, they signed up on your website for a newsletter), then you should consider creating a unique identifier for them.

9. Journey Builder as an ETL Tool

I’ve seen many Marketing Cloud users who choose to use Journey Builder as a convenient Extract, Transform and Load (ETL) tool to bulk upsert object records in Salesforce, rather than a customer journey management tool.

Using Salesforce Activities in Journey Builder to update Salesforce records

While Journey Builder includes different activities for creating and updating records in Salesforce objects, any corresponding operation in Salesforce will be subject to Apex Governor Limits which ensures that processes don’t monopolize shared resources within a multi-tenant environment. As a result, if you’re using Journey Builder to create or update large record volumes in Sales Cloud, then you may experience these limits which can not only cause the upsert operation to fail, but also impact other processes in the same Apex transaction (for example, Apex Triggers).

Additionally, object record locking (explained earlier) can result in Salesforce Activities timing out in a Journey, depending on the object record that is created or updated (the Campaign Member Activity and Task Activity are particularly problematic, as these objects both have a high lock contention).

Journey Builder isn’t really designed as a tool for bulk loading data in Sales Cloud. If you have a requirement to load data from Marketing Cloud to Sales Cloud, then you should consider using an integration platform like Mulesoft. Or technical users may feel comfortable writing a script activity in an Automation that uses the Salesforce Bulk API to upsert records, as detailed in this article.

10. Custom List Detective Allow Entries

Custom List Detective (or CLD) enables you to restrict which Subscribers should receive an email, based on their email username or domain. This feature isn’t enabled by default. You’ll first need to create a support case to have this feature enabled on your account.

Custom List Detective for Usernames in Marketing Cloud

Many Marketing Cloud customers use this feature to override the default List Detective suppression and ensure that emails are sent to email addresses with B2B role-based usernames, like ‘support’ or ‘accounts’.

Unfortunately, the interface is quite misleading. While the interface includes a ‘Create’ button to add usernames to CLD, doing so will actually apply a ‘deny’ sending rule to the username (the interface does not distinguish which type of sending rule is applied to records).

The first time I used this feature, I merrily added many role-based username entries, only to discover (after sending emails) that it had the opposite effect. Adding CLD ‘allow’ entries can only be performed by support, so you’ll need to create a support case for those.


Hopefully, knowing these top 10 common Marketing Cloud mistakes explained in this post will help you to avoid them. Learning Marketing Cloud is a continual process — I’ve been using the platform for nine years and I’m still learning, everyday. You can expect to make mistakes along the way and when you do, it’s actually part of the journey to being an experienced user. To quote Franklin D. Roosevelt, “a smooth sea never made a skilled sailor”.

Have questions about Marketing Cloud? Or want to speak with an expert about how you can get the most out of your Marketing Cloud investment? Get in touch! We’d love to hear from you.

You may be interested in


Best Practices to Keep Salesforce Marketing Cloud Secure

This post was written for Salesforce Marketing Cloud Admins and developers who want to learn how to leverage Salesforce Marketing Cloud (SFMC) while keeping their instance safe. In this blog, we cover three common mistakes SFMC professionals make when it comes to security. Continue reading to understand how to avoid these pitfalls and keep your […]

Read More

Customer Data Problem - CDPs

The Customer Data Problem & Salesforce CDP

The CDP acronym has emerged in recent years as yet another must-have TLA (or ‘three letter acronym’) that every marketing team simply cannot live without. In this article, I explain what exactly a Customer Data Platform is, why you might actually need one, and how Salesforce is working to redefine CDP. Show Me the Data […]

Read More


Einstein Content Selection for Salesforce Marketing Cloud

In this video, Eliot Harper provides an in-depth presentation and demonstration of Einstein Content Selection for Salesforce Marketing Cloud.

Watch Now

Case Studies

Improving Email Efficiency with Salesforce Marketing Cloud

Learn how CloudKettle helped an international travel and hospitality brand increase overall efficiency in Salesforce […]

Read the Case Study

Sign up for the latest tips & news from CloudKettle

Thank you for subscribing.