How do non-branded domains and shared SFMC hostnames impact email deliverability and what configurations are best?
Michael Ko
Co-founder & CEO, Suped
Published 15 Apr 2025
Updated 17 Aug 2025
8 min read
When managing email deliverability, especially with platforms like Salesforce Marketing Cloud (SFMC), understanding the nuances of domain configuration is critical. Many organizations use non-branded domains or shared SFMC hostnames for various email elements like image hosting, click tracking, and view links. While this might seem convenient or inherited from older setups, it can significantly impact your email deliverability and sender reputation. This practice often ties your brand’s email performance to the sending habits of other users on a shared infrastructure, leading to potential blocklists (or blacklists) and inbox placement issues.
The goal is always to ensure your emails reliably reach the inbox. This means establishing clear ownership and control over all aspects of your email sending infrastructure. Relying on shared domains can expose your email program to risks beyond your control, making it harder to diagnose and resolve deliverability problems.
The impact of shared SFMC hostnames
Shared hostnames refer to the generic domains provided by email service providers (ESPs) like SFMC for elements within your emails that aren't the primary sending domain. These can include domains for tracking clicks, hosting images, and managing email opens. For example, you might see links or image sources pointing to image.s4.sfmc-content.com or cl.s4.exct.net. While functionally these work, they carry a significant deliverability risk.
The main issue with shared hostnames is shared reputation. When multiple organizations use the same domain for tracking or image hosting, the reputation of that domain is a collective average of all users' sending behaviors. If a few bad actors (spammers or senders with poor practices) share those hostnames, their negative reputation can impact your email program, even if your own sending practices are impeccable. This can lead to your legitimate emails being flagged as spam or outright blocked by recipient inboxes.
This risk is particularly pronounced with large ESPs like Salesforce Marketing Cloud, which serve countless customers. The collective bad behavior from some users can lead to the shared hostnames ending up on a blacklist or experiencing URL blocks at Internet Service Providers (ISPs), like Google. Such blocks mean your emails might not reach the inbox, severely impacting your marketing campaigns and overall communication effectiveness. It's a key reason why your emails might be going to spam.
The risk of shared reputation
Using shared SFMC hostnames for your email components means your domain's reputation is influenced by the sending practices of countless other users on the platform. If others engage in spammy behavior, it can lead to blocklisting (or blacklisting) for the shared domains, directly affecting your deliverability.
Achieving brand consistency and control
The ideal configuration for email deliverability involves a fully branded sending environment. This means that all aspects of your email communication, including the sender address, image hosting, click tracking links, and bounce domains, should use your own domain or a dedicated subdomain. For instance, instead of cl.s4.exct.net, your click links would appear as clicks.yourbrand.com. This consistency builds trust with mailbox providers and recipients, as it clearly associates all email activity with your brand.
Branding all your email touchpoints provides you with full control over your sending reputation. When your domains are consistently used, any positive sending behavior you exhibit, such as low complaint rates and high engagement, directly contributes to your domain's reputation. Conversely, any issues can be isolated and addressed without being affected by other senders on a shared infrastructure. This control is fundamental for long-term email deliverability.
Beyond reputation, ensuring proper email authentication with SPF, DKIM, and DMARC on your branded domains is paramount. While DMARC can pass with either SPF or DKIM alignment, having both align for your brand's domain (or its subdomains) is best practice. It provides redundancy and strengthens your authentication posture. Implementing SSLs on your branded image and click domains also adds a layer of trust and security, preventing potential browser warnings and ensuring a seamless user experience.
Element
Non-Branded (Shared SFMC)
Branded (Custom Domain)
From address
Your domain, but may be impacted by shared IP reputation.
Your domain or subdomain with controlled reputation.
Salesforce Marketing Cloud offers the Sender Authentication Package (SAP) as the comprehensive solution for branded email sending. SAP provides a single branded domain that is used across all aspects of your email program, including your sending domain, links, images, and unsubscribe pages. This consolidates your email sending reputation under your brand, giving you greater control and reducing reliance on shared infrastructure.
With SAP, SPF and DKIM records are configured to align with your chosen branded domain, ensuring robust email authentication. This alignment is crucial for DMARC (Domain-based Message Authentication, Reporting & Conformance) to pass, which in turn significantly improves your deliverability. Even for private domains not explicitly part of the SAP, enabling a multi-bounce domain can help achieve SPF alignment for them, further solidifying your authentication.
While DKIM alignment is often considered the more critical factor for DMARC pass, especially by major mailbox providers, SPF alignment also plays a role, and certain ISPs may specifically block mail based on SPF. Therefore, configuring your account to use hostnames you control wherever possible, ideally through SAP, will improve your deliverability now and in the future. This is especially true given recent updates from mailbox providers emphasizing strong authentication.
The path to dedicated deliverability
Salesforce Marketing Cloud's Sender Authentication Package (SAP) provides a comprehensive solution for achieving full domain branding. It ensures all email components, from sending domain to clicks and images, use your custom domain, consolidating your reputation and significantly improving deliverability.
Managing complex domain scenarios
For organizations managing multiple brands or distinct sending needs, ensuring proper domain configuration for each can be complex. If each brand requires a completely separate sending identity, including distinct body domains for links and images, then separate SFMC accounts might be necessary. This allows each brand to maintain its own unique domain setup and reputation, preventing cross-contamination of deliverability issues.
While DMARC primarily relies on DKIM or SPF alignment to pass, it's important to understand the nuances of how these authentication methods interact with your domains. For example, even if your DMARC records pass due to DKIM alignment, a shared bounce domain that lacks proper SPF alignment could still cause deliverability issues with some ISPs, particularly after recent changes from Yahoo and Microsoft. Therefore, ensuring alignment across all authentication mechanisms and domains is a more robust approach.
It is also crucial to verify that your DNS records are correctly configured for all private domains, especially for bounce subdomains. This includes ensuring SPF and MX records are in place. While some legacy SFMC delegated bounce domains may not have an A record, it's generally recommended for better deliverability, particularly for smaller ISPs that might otherwise block your mail. Regular auditing of your DNS settings is a key part of maintaining good email hygiene.
Shared hostnames scenario
Reputation: Your brand's email reputation is tied to all other senders using the same shared domains.
Deliverability: High risk of blocklisting (or blacklisting) or URL blocks due to others' bad sending practices.
Branding: Inconsistent branding, as links and images point to generic ESP domains.
Control: Limited control over the reputation of non-sending domains.
Fully branded domains (SAP) scenario
Reputation: Your brand's reputation is entirely isolated and controlled by your sending practices.
Deliverability: Improved inbox placement due to dedicated, consistent branding and authentication.
Branding: Consistent brand presence across all email elements.
Control: Full control over the reputation of all your email domains and subdomains.
Views from the trenches
Best practices
Implement SAP for full domain branding, ensuring all email components use your custom domain or subdomains.
Enable multi-bounce domain in Salesforce Marketing Cloud to ensure SPF alignment for all private domains.
Regularly audit DNS records for all your branded domains, including SPF, MX, and A records for bounce subdomains, to catch any misconfigurations.
Segment email sending for distinct brands into separate SFMC accounts if full branding and independent reputation are critical for each.
Common pitfalls
Relying on shared SFMC hostnames for images, clicks, or bounces, which subjects your brand to the collective reputation of other senders.
Assuming DMARC pass via DKIM alignment is sufficient without also striving for SPF alignment, which can lead to blocks by some ISPs.
Overlooking the need for an A record on bounce subdomains, potentially causing deliverability issues with smaller or stricter mailbox providers.
Failing to monitor your
Expert tips
Prioritize achieving strong DKIM alignment for your domains, as it is often the primary factor for DMARC authentication by major mailbox providers.
Even if not strictly 'required' by all ISPs, having an A record for your bounce subdomains adds a layer of robustness to your email authentication, preventing unexpected blocks.
Understand that managing multiple distinct brands within a single SFMC account might necessitate careful consideration, especially if each brand requires its own independent sending identity and reputation.
Always test your email setup, including domain configurations, using a
Expert view
Expert from Email Geeks says: You have multiple non-branded domain touchpoints using shared domains, and if any of them get a sour reputation at Gmail, you will end up with blocked mail.
2024-03-27 - Email Geeks
Expert view
Expert from Email Geeks says: By using SFMC and ExactTarget hostnames in your message, you are sharing reputation with other SFMC and ExactTarget customers, which can be problematic due to potential spammers.
2024-03-27 - Email Geeks
Securing your email sending infrastructure
The impact of non-branded domains and shared SFMC hostnames on email deliverability is a critical consideration for any email marketer. While older accounts might have inherited configurations that rely heavily on shared infrastructure, the evolving landscape of email authentication and sender requirements demands a shift towards full domain branding. Implementing Salesforce Marketing Cloud's Sender Authentication Package (SAP) is the most effective way to gain control over your email sending reputation, ensuring all your email elements are branded and properly authenticated.
By investing in a fully branded setup, you protect your email program from the unpredictable sending behaviors of others and build a strong, consistent reputation with mailbox providers. This proactive approach not only improves inbox placement but also strengthens your brand identity and ultimately drives better results from your email marketing efforts. Prioritizing branded domains is not just a technicality, it is a strategic move for long-term email success.
image.s4.sfmc-content.com (shared domain).
Microsoft. Therefore, ensuring alignment across all authentication mechanisms and domains is a more robust approach.
