What are the options and considerations for pointing an SFMC email subdomain to multiple NS servers?
Michael Ko
Co-founder & CEO, Suped
Published 24 Jul 2025
Updated 19 Aug 2025
6 min read
When setting up email sending with Salesforce Marketing Cloud (SFMC), a common requirement is to point a dedicated email subdomain to SFMC's name servers. This setup is crucial for branding and email authentication, ensuring your emails are delivered effectively. Typically, SFMC asks clients to configure their email subdomain with four specific name server (NS) records.
However, I've encountered situations where a client's hosting provider presents a challenge: they might only allow pointing a subdomain to a single name server, or they are reluctant to configure multiple NS records. This restriction can directly conflict with SFMC's standard implementation, especially when load balancing is a critical requirement for email traffic, which it almost always is for high-volume senders.
Subdomain delegation to SFMC name servers
The most straightforward and recommended approach for SFMC email subdomains is delegation. This involves pointing your email subdomain (e.g., email.yourdomain.com) entirely to Salesforce's name servers. This delegates the DNS management for that specific subdomain to SFMC, allowing them to manage all the necessary records for proper email authentication and routing. Salesforce's documentation details this delegation process, often requiring four NS entries.
Delegation simplifies the setup significantly because SFMC handles the underlying complexity. They automatically manage records like SPF, DKIM, MX, and CNAMEs, which are essential for email deliverability and ensuring emails are not marked as spam or placed on a blocklist (or blacklist). This also ensures compliance with evolving email standards, like those for DMARC and BIMI, without requiring manual updates from your IT team.
While convenient, the primary hurdle with delegation is the hosting provider's willingness or technical capability to implement the required four NS records. Some providers have limitations or specific configurations that prevent this direct delegation, forcing organizations to explore alternative DNS setups. You can find more information on subdomain delegation in Salesforce's subdomain delegation guide.
Self-hosting DNS for the subdomain
If delegating the subdomain to SFMC's name servers isn't an option, the primary alternative is self-hosting the DNS for your email subdomain. This means your organization maintains control over the DNS records for the subdomain on your own DNS servers or through a third-party DNS provider. Instead of pointing the NS records, you would manually configure all the necessary A, MX, SPF, DKIM, and CNAME records that SFMC requires for proper email sending.
Self-hosting provides complete control over your DNS, which can be beneficial if you have specific security requirements or need to integrate with other services on the same subdomain. However, it significantly increases the administrative burden. SFMC typically provides a list of around 20 DNS entries that need to be created and maintained. This can be a complex task, and errors in copying or pasting records (e.g., wrong hostnames, truncated entries, or incorrect formatting) are common.
For instance, managing SPF authentication issues across multiple email service providers (ESPs) and subdomains can become particularly challenging with self-hosting. Each record must be precise to avoid deliverability issues or getting your emails caught in spam filters. Setting up email subdomains and their DNS records is a detailed process that requires careful attention to detail.
Example self-hosted DNS records for an email subdomainDNS
IN MX 10 sfmc-smtp.example.com
IN A 192.0.2.1
IN TXT "v=spf1 include:marketingcloud.com ~all"
_domainkey IN TXT "v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3zP..."
cloudpages.email IN CNAME example.cloudpages.com
Key considerations and challenges
When deciding between delegation and self-hosting, several key considerations come into play, especially regarding the limitations imposed by hosting providers and the overall management effort. It is uncommon for a hosting provider to truly be unable to create four NS records, but rather they may be unwilling or simply misunderstand the request.
The delegation of DNS responsibility also raises security considerations. While convenient, delegating DNS to a third party (like SFMC) means you are entrusting them with a critical part of your email infrastructure. Although robust security measures are in place, a potential compromise on the provider's side could impact your subdomain. Conversely, self-hosting means your own team is responsible for security, which may or may not be better depending on internal capabilities.
Delegation to SFMC
Process: Point your email subdomain's NS records directly to Salesforce. This is the recommended SFMC approach.
Management: Salesforce manages all DNS records for the subdomain, including SPF, DKIM, MX, and CNAMEs.
Benefits: Simplicity, automatic updates for new features (BIMI, DMARC), and reduced internal IT workload.
Challenges: Potential for hosting provider restrictions on multiple NS records for a subdomain.
Self-hosting DNS
Process: Manually configure all required DNS records (A, MX, SPF, DKIM, CNAMEs) on your own DNS server.
Management: Requires vigilant management of approximately 20 DNS entries provided by SFMC.
Benefits: Full control over DNS records and integration with other internal systems.
Challenges: Increased workload for IT, higher potential for configuration errors, and delays in implementing changes.
Moreover, self-hosting can delay the implementation of crucial security features like HTTPS URLs for landing pages or content hosted on the subdomain. While configuring SPF, DKIM, and DMARC is paramount for deliverability, managing these manually across multiple systems or providers adds a layer of complexity that some organizations prefer to avoid.
Alternative strategies and best practices
If neither direct delegation nor self-hosting a subdomain seems viable or desirable, another option to consider is dedicating an entire top-level domain for use solely with SFMC. This means you would acquire a new domain (e.g., yourbrandmail.com) and point its entire namespace to SFMC. While this allows for the necessary four NS entries at the top level, it means the domain cannot be used for anything else, like hosting a website. It is often described as part of a Sender Authentication Package (SAP) setup in SFMC.
Regardless of the chosen path, accurate DNS record maintenance is paramount for email deliverability. Incorrectly configured DNS records are a leading cause of emails landing in the spam folder or being rejected by recipient servers. It's crucial to understand the implications of each DNS record type, from A records to MX, SPF, DKIM, and DMARC.
Ensuring proper SPF, DKIM, and DMARC alignment is critical for email authentication. Misconfigurations, such as an SPF TempError or DKIM body hash mismatch, can severely impact deliverability. Always verify your DNS settings thoroughly after any changes.
Views from the trenches
Best practices
Always strive for subdomain delegation to SFMC if your hosting provider permits it, as it simplifies DNS management and ensures ongoing compliance with email authentication standards.
Maintain precise documentation of all DNS records, regardless of whether you delegate or self-host your subdomain, to facilitate troubleshooting.
Regularly review your SPF, DKIM, and DMARC records to ensure they are correctly configured and aligned with your sending practices.
Consider engaging a DNS expert if your hosting provider is uncooperative or if self-hosting DNS seems too complex for your internal resources.
Common pitfalls
Assuming your hosting provider can or will support the standard four NS records for subdomain delegation without prior confirmation, leading to delays.
Underestimating the complexity and potential for errors when manually self-hosting a large number of SFMC-required DNS entries, particularly for organizations not accustomed to frequent DNS changes.
Failing to implement proper DMARC policies alongside SPF and DKIM, which can leave your domain vulnerable to spoofing and impact deliverability.
Not having a clear understanding of the difference between delegating a subdomain and self-hosting its DNS, which leads to miscommunication.
Expert tips
Confirm with your hosting provider if they support the delegation of a subdomain to multiple NS servers for specific email sending platforms like SFMC.
If self-hosting, prioritize using CNAME records where possible to simplify DNS management and avoid direct IP address references.
For complex setups, consider a dedicated domain for email sending if subdomain delegation isn't feasible and self-hosting is too burdensome.
Implement DMARC monitoring to gain visibility into your email authentication status and identify any DNS-related issues impacting deliverability.
Expert view
Expert from Email Geeks says self-hosting is likely the only way if your provider limits NS records, or you could dedicate a whole domain for SFMC, though that restricts its other uses.
2022-02-04 - Email Geeks
Expert view
Expert from Email Geeks says delegation can allow the email service provider to evolve subdomain settings as new features like BIMI emerge.
2022-02-04 - Email Geeks
Navigating your DNS options
Navigating the complexities of pointing an SFMC email subdomain to multiple NS servers often boils down to a choice between the convenience of delegation and the control of self-hosting. While delegation to Salesforce is generally the simpler path, it relies heavily on your hosting provider's flexibility.
If faced with restrictions, self-hosting offers a robust alternative, albeit one that demands meticulous DNS management. Ultimately, a thorough understanding of DNS best practices, coupled with clear communication with your hosting provider and internal IT, is essential to ensure your email program achieves optimal deliverability and maintains a strong sender reputation.
