Why is my email deliverability low after changing NS records and delegating from SFMC to AWS?
Michael Ko
Co-founder & CEO, Suped
Published 4 May 2025
Updated 17 Aug 2025
8 min read
Experiencing a sudden and drastic drop in email deliverability after changing your domain's NS records and delegating from Salesforce Marketing Cloud (SFMC) to AWS is a common, yet frustrating, scenario. A shift like this fundamentally changes how your domain's email-related records are managed and resolved, which can lead to immediate and severe consequences if not handled meticulously. It is not uncommon to see deliverability rates plummet to extremely low percentages, indicating a significant problem with how recipient mail servers are validating your emails.
When you move your domain's nameservers from one provider (like SFMC, which often handles DNS for its delegated domains) to another (like Amazon Web Services), you are essentially telling the internet where to find all your domain's critical records. If these records, particularly those related to email authentication, are not perfectly mirrored or correctly reconfigured in the new DNS environment, your emails will very likely fail authentication checks. This failure immediately impacts your sender reputation and can cause messages to be rejected or sent straight to the spam folder.
The core issue often stems from incomplete or incorrect migration of DNS records that are vital for email deliverability. While NS record propagation might appear successful, the specific TXT or CNAME records for SPF, DKIM, and DMARC are often overlooked or misconfigured during the transition. Without these records properly in place, receiving mail servers will flag your emails as suspicious, leading to deliverability drops and blocks.
Common DNS pitfalls during migration
When transitioning your nameservers, the primary cause of low deliverability is typically the misconfiguration or absence of essential DNS records on your new AWS Hosted Zone. Salesforce Marketing Cloud (SFMC) often manages these records on your behalf when your domain is delegated to them. Upon delegating your domain to AWS (or any other DNS provider), it is critical that all necessary records are manually, or programmatically, transferred and correctly set up.
Specifically, you need to ensure that your Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) records are accurately replicated and accessible. If these are missing or malformed, recipient mail servers, especially major ones like Google and Yahoo, will fail to authenticate your emails, classifying them as unverified or potentially spam. This leads to immediate rejections or placement in the junk folder, explaining the significant drop in your deliverability rates.
SPF record issues: Your SPF record, a TXT record that lists authorized sending IP addresses, must include the correct SPF mechanism for Salesforce Marketing Cloud. If this record is not correctly moved or updated, emails sent from SFMC will fail SPF authentication. It's crucial to understand what SPF means for email.
DKIM record problems: DKIM relies on a cryptographic key pair, with the public key published in your DNS. SFMC typically provides a CNAME record that points to their DKIM key. If this CNAME record is missing or incorrect in your AWS DNS, your emails will fail DKIM authentication, leading to DKIM errors and immediate deliverability issues, especially with Yahoo, as their bounce messages often directly cite a lack of required authentication.
DMARC record implications: While your DMARC record itself might transfer, its effectiveness hinges on successful SPF and DKIM authentication. If SPF or DKIM alignment breaks due to incorrect DNS, your DMARC policy will instruct recipient servers to reject or quarantine your emails, based on your configured policy (e.g., p=reject or p=quarantine). Learning about SPF, DKIM, and DMARC is crucial.
Typical SFMC DNS records
SPF: A TXT record like "v=spf1 include:cust-spf.exacttarget.com -all"
DKIM: One or more CNAME records, e.g., 10dkim1._domainkey.yourdomain.com CNAME 10dkim1._domainkey.s10.exacttarget.com
MX: An MX record pointing to SFMC's reply handling server, e.g., reply.s10.exacttarget.com
Other records: CNAMEs for image hosting, click tracking, and unsubscribe links, which are part of SFMC's Sender Authentication Package.
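The record list above is exactly what a post-migration audit should compare the new zone against. The script below is an added example (not code from this article, Salesforce or AWS) that runs such a comparison over a constructed snapshot of a hypothetical example.com zone in Route 53: it checks the SPF TXT for the SFMC include, the 255-character string limit and the RFC 7208 ten-lookup limit; checks that each DKIM selector's CNAME points at the exacttarget.com target; checks the MX for SFMC reply handling; and reads the DMARC p= tag to state what receivers will do while SPF or DKIM is broken. The instance name s10, the selector 10dkim1 and the example.com names are placeholders. In real use, ZONE would be filled from lookups against the new nameservers rather than typed in.

```python
"""Audit a migrated zone for the records Salesforce Marketing Cloud expects.

Added example, not code from the original article, Salesforce or AWS. ZONE is a
constructed snapshot of a hypothetical example.com zone; populate it from
lookups against the new nameservers in practice. s10 and 10dkim1 are placeholders.
"""
import re
from dataclasses import dataclass

# Constructed zone contents after migration. The DKIM CNAME is deliberately
# absent, which is the failure mode the article describes.
ZONE = {
    ("example.com", "TXT"): ["v=spf1 include:cust-spf.exacttarget.com -all"],
    ("_dmarc.example.com", "TXT"): ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    ("example.com", "MX"): ["10 reply.s10.exacttarget.com."],
}

# SPF terms that cost a DNS query under RFC 7208 (limit of 10 per evaluation).
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}


@dataclass
class Finding:
    check: str     # SPF, DKIM, MX or DMARC
    severity: str  # ok, warn or error
    detail: str


def lookup(zone, name, rtype):
    return list(zone.get((name.lower().rstrip("."), rtype), []))


def _mech(term):
    """Mechanism name of an SPF term, ignoring the +/-/~/? qualifier."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def check_spf(zone, domain, expected_include="cust-spf.exacttarget.com"):
    spfs = [t for t in lookup(zone, domain, "TXT") if t.lower().startswith("v=spf1")]
    if not spfs:
        return [Finding("SPF", "error", f"no v=spf1 TXT record at {domain}")]
    if len(spfs) > 1:
        return [Finding("SPF", "error", "more than one SPF record; receivers return permerror")]
    spf, out = spfs[0], []
    terms = spf.split()[1:]
    if len(spf) > 255:  # a single TXT character-string is capped at 255 bytes
        out.append(Finding("SPF", "warn", "over 255 characters; publish as several quoted strings"))
    if f"include:{expected_include}" not in [t.lstrip("+-~?").lower() for t in terms]:
        out.append(Finding("SPF", "error", f"missing include:{expected_include}"))
    lookups = sum(1 for t in terms if _mech(t) in LOOKUP_MECHS)
    if lookups > 10:
        out.append(Finding("SPF", "error", f"{lookups} DNS-querying terms exceed the limit of 10"))
    if not terms or _mech(terms[-1]) not in {"all", "redirect"}:
        out.append(Finding("SPF", "warn", "record does not end in an all mechanism"))
    return out or [Finding("SPF", "ok", spf)]


def check_dkim(zone, domain, selectors, instance):
    out = []
    for sel in selectors:
        name = f"{sel}._domainkey.{domain}"
        expected = f"{sel}._domainkey.{instance}.exacttarget.com"
        targets = [c.lower().rstrip(".") for c in lookup(zone, name, "CNAME")]
        if not targets:
            out.append(Finding("DKIM", "error", f"{name} has no CNAME; signatures cannot be verified"))
        elif targets[0] != expected:
            out.append(Finding("DKIM", "error", f"{name} points at {targets[0]}, expected {expected}"))
        else:
            out.append(Finding("DKIM", "ok", f"{name} -> {expected}"))
    return out


def check_mx(zone, domain):
    hosts = [r.split()[-1].lower().rstrip(".") for r in lookup(zone, domain, "MX")]
    if not any(h.endswith(".exacttarget.com") for h in hosts):
        return [Finding("MX", "error", "no MX at an SFMC reply host; bounces will not be processed")]
    return [Finding("MX", "ok", ", ".join(hosts))]


def dmarc_policy(zone, domain):
    """Return the p= tag of the DMARC record, or None when no record is published."""
    for txt in lookup(zone, f"_dmarc.{domain}", "TXT"):
        if txt.lower().startswith("v=dmarc1"):
            tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
            return tags.get("p", "none").strip().lower()
    return None


def audit(zone, domain, selectors=("10dkim1",), instance="s10"):
    findings = check_spf(zone, domain)
    findings += check_dkim(zone, domain, selectors, instance)
    findings += check_mx(zone, domain)
    policy = dmarc_policy(zone, domain)
    auth_broken = any(f.severity == "error" and f.check in ("SPF", "DKIM") for f in findings)
    if policy is None:
        findings.append(Finding("DMARC", "warn", "no DMARC record published"))
    elif policy in ("reject", "quarantine") and auth_broken:
        findings.append(Finding("DMARC", "error",
                                f"p={policy} tells receivers to {policy} mail failing the broken checks above"))
    else:
        findings.append(Finding("DMARC", "ok", f"p={policy}"))
    return findings


def errors(findings):
    """Names of the checks that failed, in the order they were run."""
    return [f.check for f in findings if f.severity == "error"]


def with_record(zone, name, rtype, values):
    """Copy of zone with one record set added or replaced, to re-audit after a fix."""
    fixed = dict(zone)
    fixed[(name.lower().rstrip("."), rtype)] = list(values)
    return fixed


if __name__ == "__main__":
    for f in audit(ZONE, "example.com"):
        print(f"{f.severity:5} {f.check:5} {f.detail}")
```

Run as-is, the audit reports the missing DKIM CNAME and, because the DMARC policy is p=reject, flags that receivers will reject mail until that CNAME exists; adding the CNAME with with_record and re-running clears both findings. The same structure extends to the tracking and image-hosting CNAMEs by adding a check that compares each name in the SFMC-supplied list with the zone.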
The swift hit to sender reputation
The immediate consequence of DNS misconfigurations is a rapid deterioration of your sender reputation. Email providers maintain complex algorithms to assess the trustworthiness of incoming mail. A sudden change in DNS, coupled with authentication failures, signals a red flag. These providers may interpret the change as a potential hijacking or an attempt to send malicious content, even if your intentions are legitimate. As a result, your domain and sending IP addresses can quickly find themselves on internal blocklists or blacklists, leading to severe delivery issues.
When your domain's reputation suffers, ISPs become highly skeptical of your emails. They might enforce stricter filtering, which means even legitimate marketing or transactional emails could be routed to spam folders or rejected outright. This is precisely why you're seeing bounce messages citing "Blocked due to spam or sender reputation issue". It is a direct indication that receiving mail servers no longer trust your sending domain.
Furthermore, moving your DNS to a new provider, even a reputable one like AWS, means that the long-established trust and historical sending patterns associated with your domain under SFMC's DNS management are, in a sense, reset or at least disrupted. While AWS is a widely used and reliable DNS service, it does not inherently carry over your sender reputation. The new DNS setup needs to validate your authenticity for every email sent, and any misstep will immediately register as a negative signal.
SFMC delegated DNS
DNS management: Salesforce Marketing Cloud handles most DNS records automatically (SPF, DKIM, MX, CNAMEs for tracking).
Authentication: Records are set up to align with SFMC's sending infrastructure, often simplifying compliance.
Complexity: Less technical knowledge required for DNS configuration, as SFMC abstracts much of it.
AWS self-hosted DNS
DNS management: AWS Route 53 requires manual transfer and verification of all records from SFMC's prior setup.
Authentication: All authentication records (SPF, DKIM, DMARC) must be precisely configured to match SFMC's sending requirements.
Complexity: Requires a deep understanding of DNS records and how they interact with your ESP.
Steps to diagnose and recover deliverability
The first step in diagnosing this issue is to analyze your bounce messages. These messages provide crucial clues about why your emails are failing. If you're consistently seeing "Message lacks required authentication" or "Blocked due to spam or sender reputation issue", it strongly points to DNS misconfigurations, particularly with DKIM. Even if your nameserver propagation looks correct, the individual records within that nameserver might be incorrect or missing.
Next, you need to meticulously verify all your DNS records in AWS against the ones required by Salesforce Marketing Cloud. This includes not just SPF and DKIM, but also MX records for bounce processing, and any CNAME records used for image hosting, click tracking, and unsubscribe links. These are all part of SFMC's Sender Authentication Package and must function correctly for optimal deliverability. Any missing or malformed record can contribute to deliverability issues and impact your sender reputation.
If you are struggling to identify the specific missing records, consider reaching out to SFMC support. They can provide a comprehensive list of all DNS entries required for your domain's full functionality within their platform. Cross-referencing this list with your current AWS DNS configuration is a critical step. Tools that perform DNS lookups can help you quickly identify discrepancies and diagnose deliverability issues.
Key troubleshooting steps
Analyze bounce messages: Look for specific error codes or phrases, especially related to authentication or reputation.
Verify DNS records: Use a reliable DNS checker to confirm all SPF, DKIM, DMARC, and other SFMC-specific CNAMEs are present and correctly configured in AWS.
Contact SFMC support: Obtain a complete list of all required DNS entries for your domain to ensure nothing is missed.
Monitor deliverability: Once fixes are applied, closely monitor your inbox placement rates and bounce reports to track improvement.
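The first troubleshooting step, reading the bounce messages, becomes much faster when the bounces are grouped by recipient domain and by cause. The script below is an added example, not part of the original article: it classifies constructed bounce lines into authentication, reputation, recipient and other, counts them per domain, and orders the next steps the way the article does (authentication first, then reputation). The line format (timestamp, rcpt=, text=) is hypothetical; the phrases are the ones quoted in this article, plus the RFC 8904 enhanced status codes 5.7.20 to 5.7.26 that some receivers use for authentication failures.

```python
"""Triage of bounce messages after a nameserver migration.

Added example, not from the original article. BOUNCES is a constructed sample;
its line format is hypothetical, the phrases come from the article's bounce text.
"""
import re
from collections import Counter, defaultdict

BOUNCES = [
    "2025-05-04T09:12:03Z rcpt=a@yahoo.com text=Message lacks required authentication",
    "2025-05-04T09:12:09Z rcpt=b@yahoo.com text=Message lacks required authentication",
    "2025-05-04T09:13:41Z rcpt=c@gmail.com text=Blocked due to spam or sender reputation issue",
    "2025-05-04T09:14:02Z rcpt=d@example.net text=550 5.7.26 Multiple authentication checks failed",
    "2025-05-04T09:15:30Z rcpt=e@gmail.com text=550 5.1.1 The email account does not exist",
    "2025-05-04T09:16:11Z rcpt=f@example.org text=Connection timed out",
]

# Order matters: an authentication phrase wins over a generic "blocked" phrase,
# since reputation damage follows from the authentication failure.
RULES = [
    ("authentication", re.compile(
        r"lacks required authentication|\bdkim\b|\bspf\b|\bdmarc\b|not authenticated|\b5\.7\.2[0-6]\b", re.I)),
    ("recipient", re.compile(r"user unknown|no such user|does not exist|\b5\.1\.1\b", re.I)),
    ("reputation", re.compile(r"\bspam\b|reputation|block(ed|list)|blacklist", re.I)),
]
LINE = re.compile(r"rcpt=\S+?@(?P<domain>[\w.-]+)\s+text=(?P<text>.*)$")


def classify(text):
    for cls, rx in RULES:
        if rx.search(text):
            return cls
    return "other"


def summarize(lines):
    """Per recipient domain, count bounces in each class; unparsable lines are skipped."""
    per_domain = defaultdict(Counter)
    for line in lines:
        m = LINE.search(line)
        if m:
            per_domain[m["domain"].lower()][classify(m["text"])] += 1
    return dict(per_domain)


def recommend(summary):
    """Ordered next steps: authentication records first, then reputation, then list hygiene."""
    total = Counter()
    for counts in summary.values():
        total.update(counts)
    steps = []
    if total["authentication"]:
        where = ", ".join(f"{d} ({c['authentication']})" for d, c in summary.items() if c["authentication"])
        steps.append(f"Authentication bounces from {where}: verify the DKIM CNAMEs and the SPF TXT "
                     "in the new zone against SFMC's record list first")
    if total["reputation"]:
        steps.append(f"{total['reputation']} reputation blocks: these usually follow authentication "
                     "failures; fix the records, then monitor rather than resend at full volume")
    if total["recipient"]:
        steps.append(f"{total['recipient']} unknown-recipient bounces: list hygiene, not a DNS symptom")
    if not steps:
        steps.append("No DNS-related bounce signatures found")
    return steps


if __name__ == "__main__":
    summary = summarize(BOUNCES)
    for domain, counts in sorted(summary.items()):
        print(domain, dict(counts))
    for step in recommend(summary):
        print("-", step)
```

On the constructed sample the Yahoo bounces are all authentication failures, which matches the article's observation that Yahoo cites missing authentication directly, while the Gmail block shows up as reputation damage downstream of the same root cause.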
Getting back to strong deliverability
The transition of NS records and delegation from SFMC to AWS can indeed cause a significant drop in email deliverability, primarily due to misconfigured or missing DNS records critical for email authentication. The impact of changing nameservers on email deliverability is often underestimated, as it affects the fundamental way email servers verify your sending domain. While the initial NS change is propagated quickly, the devil is in the details of the individual DNS records.
Successfully restoring your deliverability requires a thorough review of your DNS setup, ensuring all authentication records (SPF, DKIM, DMARC) are correctly in place and verifiable. Once these foundational elements are fixed, your sender reputation will begin to recover, and your emails should see improved inbox placement. Patience and continuous monitoring are key throughout this recovery phase.
Views from the trenches
Best practices
Always obtain a comprehensive list of all required DNS records from your previous ESP (e.g., Salesforce Marketing Cloud) before migrating nameservers to a new provider like AWS.
Prioritize verifying SPF, DKIM, and DMARC records immediately after changing nameservers, as these are critical for email authentication and avoiding spam filters.
Use an independent DNS lookup tool to confirm that all records are correctly propagated and accessible globally, not just relying on local caching.
Monitor bounce messages and DMARC reports closely for immediate feedback on authentication failures and sender reputation issues.
Gradually ramp up email sending volume (IP warming) if you are also changing your sending infrastructure alongside DNS to build new sender reputation.
Common pitfalls
Forgetting to migrate all Salesforce Marketing Cloud specific CNAME records for features like click tracking, image hosting, and unsubscribe links, which can cause functional issues and impact deliverability.
Assuming that successful nameserver propagation means all individual DNS records are correctly set up, leading to overlooked misconfigurations.
Underestimating the impact of broken DKIM, SPF, or DMARC on sender reputation, which can quickly lead to blocklists (blacklists) and severe deliverability drops.
Not having a proper backup of all existing DNS records before initiating any changes to nameservers or migrating to a new DNS provider.
Failing to check for DNS record length limits with the new provider, especially for TXT records like SPF, which can sometimes exceed limits.
Expert tips
Marketer from Email Geeks says: Changing nameservers can have a huge, immediate impact on email delivery rates.
Marketer from Email Geeks says: Bounce messages indicating 'Blocked due to spam or sender reputation issue' and 'Message lacks required authentication' are direct signs of DNS problems.
Expert from Email Geeks says: Authentication failures are highly concerning and should be the first area to investigate.
Expert from Email Geeks says: Even if nameserver propagation seems fine, verify that all individual records within the nameservers are correct and not stale.
Expert from Email Geeks says: If SPF records appear correct but DKIM is broken, prioritize fixing DKIM immediately as it's a critical first step in troubleshooting.
Marketer view
Marketer from Email Geeks says that changing nameservers can have a huge, immediate impact on email delivery rates.
July 3, 2024 - Email Geeks
Marketer view
Marketer from Email Geeks says that bounce messages indicating 'Blocked due to spam or sender reputation issue' and 'Message lacks required authentication' are direct signs of DNS problems.