403 Forbidden errors for email campaign links clicked in email clients

This article addresses 403 Forbidden errors that occur when you click email campaign links in an email client, while the same links work when you open them directly in a browser. The issue affects friendly campaign URLs that are rewritten and evaluated by Dispatcher authorization logic. To fix this, review the Dispatcher auth_checker configuration, confirm rewrite handling, and restrict authorization checks to protected paths only.

Description description

Environment

Adobe Experience Manager (AEM) with Dispatcher

Issue/Symptoms

  • Links in email campaigns return a 403 Forbidden error when you click them in an email client.
  • The same URLs work correctly when you copy and open them directly in a browser.
  • Affected URLs typically use friendly paths such as /sc/... and include tracking parameters such as mkt_tok.
  • No changes were made to the AEM or Dispatcher configuration when the issue appeared or resolved.

Example error:
403 Forbidden You don’t have permission to access this resource.

Cause

The issue occurs when the Dispatcher auth_checker is configured too broadly, causing public campaign pages to be treated as protected content. This results in 403 errors for legitimate public links when friendly URLs are rewritten and evaluated against secured paths.

Resolution resolution

To address the issue, follow these steps:

  1. Open the Dispatcher farm configuration file for the affected site and review the auth_checker section. Review the filter or url patterns that determine which requests are evaluated by the authorization check.

  2. Review the rewrite rules for the affected campaign URLs.

    • Confirm that friendly URLs such as /sc/... are rewritten to /content/... paths.
    • Verify that DispatcherUseProcessedURL 1 is enabled so Dispatcher evaluates the rewritten URL.
  3. Restrict the scope of auth_checker so it is not applied broadly to public campaign paths (for example, /sc/*.html) and is limited only to paths that require authentication (for example, /content/secure/...). Use a configuration pattern such as the following:

    code language-none
    /auth_checker {
      ...
      /filter {
        /0001 { /glob "/content/secure/*" /type "allow" }
        /0002 { /glob "*" /type "deny" }
      }
    }
    
  4. Confirm that tracking parameters such as mkt_tok do not affect Dispatcher cache or authorization logic for public pages.

  5. Send a test email and verify that links under /sc/... no longer return 403 Forbidden when you click them in an email client.

recommendation-more-help
experience-cloud-kcs-help-kbarticles