When you switch your domain's nameservers and delegate from one Email Service Provider (ESP), like Salesforce Marketing Cloud (SFMC), to a new DNS provider, such as Amazon Web Services (AWS), a significant drop in email deliverability is often linked to misconfigured or missing DNS records. While NS (nameserver) delegation confirms the new provider is authoritative for your domain, it doesn't automatically ensure that all necessary email-related records (SPF, DKIM, MX, CNAMEs for tracking) are correctly migrated and resolving. Common issues include 'lacks required authentication' errors, especially for recipients like Yahoo, and messages being blocked due to perceived spam or sender reputation problems.
Key findings
Authentication failures: A primary cause of low deliverability is missing or incorrect authentication records, particularly DKIM, SPF, or DMARC. Bounce messages indicating 'lacks required authentication' are a clear sign of this problem, notably with stringent ISPs like Yahoo.
Incomplete DNS migration: Changing nameservers only points your domain to a new DNS host. All existing DNS records (MX, SPF, DKIM, CNAMEs for branded links and bounce domains, etc.) must be accurately copied and configured within the new AWS hosted zone. Failure to do so breaks crucial email functionalities.
Sender reputation impact: Without proper authentication, emails are easily flagged as spam or rejected, leading to a rapid decline in sender reputation and blocklisting by mailbox providers.
DNS propagation vs. record accuracy: While a DNS propagation checker (like whatsmydns.net) might confirm NS changes have propagated, it doesn't validate the correctness or completeness of every individual record within that new nameserver.
Key considerations
Verify all DNS records: Manually check every single DNS entry required by SFMC (including those for bounce handling, click tracking, image hosting, and particularly DKIM selectors) in your new AWS hosted zone. A single missing or incorrect record can cause cascading deliverability issues.
Prioritize authentication fixes: Address any 'lacks required authentication' bounce messages immediately. This usually means fixing your DKIM and SPF records first, as these are foundational for inbox placement.
Check for hidden issues: Look for less obvious problems, such as TXT records that exceed your DNS provider's length limits, or stale delegation settings that conflict with the new setup.
Monitor bounce messages closely: Detailed bounce messages provide specific clues about the underlying problem, guiding your troubleshooting efforts efficiently.
What email marketers say
Email marketers frequently encounter deliverability challenges when making significant changes to their DNS infrastructure, especially when migrating from a managed ESP environment (like SFMC) to a self-hosted solution (like AWS). The consensus among marketers is that while nameserver changes are a fundamental step, the intricacies of migrating all associated DNS records are often underestimated, leading to unexpected service disruptions and reputation impacts. Issues with email authentication, such as broken DKIM, are commonly cited as immediate causes for deliverability drops.
Key opinions
NS changes are critical: Marketers acknowledge that modifying nameservers can have a profound impact on email delivery, as it redirects all DNS lookups for the domain.
Authentication is often overlooked: Many report that authentication failures, particularly for DKIM, are a common symptom of DNS migration issues, leading to emails being blocked by major providers like Yahoo.
Hidden DNS complexities: The challenge isn't just nameserver propagation, but ensuring all underlying records within the new nameserver are correctly configured and complete. This is crucial for diagnosing deliverability drops after migration.
Sender reputation concerns: Experiencing a sudden drop in deliverability to a low percentage (e.g., 8%) immediately raises red flags about sender reputation or being placed on a blocklist, often stemming from authentication failures.
Key considerations
Thorough DNS checklist: Marketers should use a comprehensive checklist to verify every single DNS record required by their ESP (SFMC) to avoid missing any critical entries for branded links, tracking, or bounce processing.
Bounce message analysis: Carefully examining bounce messages, like 'Blocked due to spam or sender reputation issue' or 'Message lacks required authentication', provides actionable insights into the specific problems.
Seek ESP support: If issues persist, engaging with SFMC support for the definitive list of required DNS entries can help identify discrepancies, especially if similar processes worked previously.
Marketer view
Email marketer from Email Geeks notes that after changing nameservers from SFMC delegation to an AWS hosted zone, email deliverability plummeted to 8%, seeking advice on self-hosted domains used in SFMC.
02 Jul 2024 - Email Geeks
Marketer view
Email marketer from Email Geeks observes that their emails are primarily blocked due to spam or sender reputation issues, with specific 'lacks required authentication' failures reported by Yahoo.
02 Jul 2024 - Email Geeks
What the experts say
Email deliverability experts agree that changes to nameservers, while seemingly straightforward, are high-impact events that demand meticulous attention to all underlying DNS records. The consensus is that low deliverability rates and authentication failures post-migration are almost always attributable to overlooked or incorrectly transferred records, rather than the new DNS provider itself (especially reputable ones like AWS). Fixing authentication, particularly DKIM, is typically the first and most critical step in troubleshooting.
Key opinions
DKIM is a common failure point: Experts frequently identify broken DKIM configurations as a primary reason for 'lacks required authentication' errors after DNS migrations, stating it's a 'must fix' before further troubleshooting.
AWS is reliable for DNS: The issue is rarely with the AWS DNS service itself, as many legitimate companies use it. Problems typically stem from misconfigured records during the migration.
Comprehensive record check is vital: Beyond basic SPF and DKIM, there are often many other DNS entries (e.g., for bounce, click tracking, image hosting) required by ESPs like SFMC that, if missing, can cause silent deliverability or engagement issues.
Bounce messages are diagnostic: Analyzing specific bounce messages is crucial for pinpointing the exact problem, whether it's an authentication failure or a reputation block.
Key considerations
Validate DKIM immediately: Use tools like Word to the Wise's DKIM checker to confirm the DKIM public key is correctly published and resolving at the new nameservers.
Cross-reference all DNS entries: Obtain a complete list of required DNS entries from your ESP (SFMC) and manually verify each one against your new AWS DNS configuration to identify any omissions or errors.
Consider hidden DNS nuances: Be aware of potential issues such as TXT record length limitations or specific DNS provider behaviors that might affect record resolution.
Iterative troubleshooting: Fix the most obvious issues first (like DKIM) and then re-test. If problems persist, continue investigating other potential missing records or configuration discrepancies.
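The record-by-record verification described in the considerations above (check every required entry, confirm the DKIM key resolves, watch for TXT length problems) can be scripted. The following is an added example, not code from the original page or from SFMC or AWS; ZONE, EXPECTED and the hostnames are constructed placeholders, and in practice the `lookup` stand-in is replaced by a resolver that queries the new authoritative nameservers directly.

```python
# Added example, not from the original page: audit the records an ESP needs
# against what the zone actually serves. ZONE and EXPECTED are constructed
# placeholders; replace `lookup` with a resolver that queries the new
# authoritative nameservers directly, so cached answers cannot mask a gap.

# Constructed answers for the new zone: (name, type) -> list of answers.
# TXT answers are lists of <=255-byte strings, as long DKIM keys are served.
ZONE = {
    ("mail.example.com", "MX"): ["10 mx.esp-placeholder.example."],
    ("mail.example.com", "TXT"): [["v=spf1 include:_spf.esp-placeholder.example -all"]],
    ("s1._domainkey.mail.example.com", "TXT"): [["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQ", "EBAQUAA4GNADCBiQKBPLACEHOLDER"]],
    ("s2._domainkey.mail.example.com", "TXT"): [["v=DKIM1; k=rsa; p="]],  # key lost in the copy
    ("click.mail.example.com", "CNAME"): ["click.esp-placeholder.example."],
    # image.mail.example.com was never re-created in the new zone
}

# Constructed checklist: (name, type, TXT prefix identifying the record).
EXPECTED = [
    ("mail.example.com", "MX", None),
    ("mail.example.com", "TXT", "v=spf1"),
    ("s1._domainkey.mail.example.com", "TXT", "v=DKIM1"),
    ("s2._domainkey.mail.example.com", "TXT", "v=DKIM1"),
    ("click.mail.example.com", "CNAME", None),
    ("image.mail.example.com", "CNAME", None),
]

def lookup(name, rtype):  # stand-in resolver over ZONE
    return ZONE.get((name, rtype), [])

def dkim_tags(record):  # 'tag=value; tag=value' -> dict
    return dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)

def audit(expected, resolve=lookup):
    """Return {(name, type): 'ok' | 'missing' | 'invalid: ...'} per checklist item."""
    findings = {}
    for name, rtype, prefix in expected:
        answers = resolve(name, rtype)
        if rtype == "TXT":
            # Join string chunks before parsing; a key truncated in the copy then shows as an empty p=.
            answers = ["".join(chunks) for chunks in answers]
            answers = [a for a in answers if prefix is None or a.startswith(prefix)]
        if not answers:
            findings[(name, rtype)] = "missing"
        elif prefix == "v=DKIM1" and not dkim_tags(answers[0]).get("p"):
            findings[(name, rtype)] = "invalid: empty p= tag"
        elif prefix == "v=spf1" and len(answers) != 1:
            findings[(name, rtype)] = "invalid: %d SPF records, need exactly 1" % len(answers)
        else:
            findings[(name, rtype)] = "ok"
    return findings
```

Running `audit(EXPECTED)` against the constructed zone flags the missing image-hosting CNAME and the DKIM selector whose key was lost, while the split-string DKIM key for s1 passes because the chunks are joined before parsing.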
Expert view
Expert from Email Geeks notes that nameserver changes can have a substantial impact on email delivery performance, often leading to immediate disruptions.
02 Jul 2024 - Email Geeks
Expert view
Expert from Word to the Wise (referencing tools.wordtothewise.com) observes that their DNS tools do not cache records, ensuring real-time data for troubleshooting DNS issues.
02 Jul 2024 - Word to the Wise
What the documentation says
Official documentation from email service providers, DNS hosts, and internet standards (RFCs) consistently emphasizes the critical role of accurate DNS configuration in email deliverability. It details the specific record types required for email authentication (SPF, DKIM, DMARC) and for branded sending domains. Any delegation or change of nameservers requires a complete and precise migration of all these records to the new system, since even minor discrepancies can cause significant delivery failures and reputation degradation.
Key findings
Delegation implications: Delegating a domain's nameservers means transferring the authoritative management of all DNS records to the new provider, requiring a complete re-creation of existing records in the new zone.
Authentication mandates: Major mailbox providers, such as Yahoo, enforce strict email authentication policies, meaning emails without properly configured SPF and DKIM will likely fail delivery.
SFMC SAP requirements: Salesforce Marketing Cloud's Sender Authentication Package (SAP) requires numerous specific DNS records, including MX, CNAMEs for branding and tracking, and TXT records for SPF and DKIM, all of which must be correctly published for full functionality.
Importance of DKIM: RFCs and documentation highlight that DKIM validation relies on the public key being correctly published in the DNS, often as a TXT record or via a CNAME, a fundamental aspect of email security.
Key considerations
Consult ESP documentation: Always refer to the specific DNS setup guides provided by your ESP (e.g., Salesforce Marketing Cloud) for a complete and accurate list of all required records when migrating or delegating.
Understand authentication protocols: Familiarize yourself with the mechanics of SPF, DKIM, and DMARC to ensure proper alignment and prevent authentication failures that lead to email blocking.
Use DNS lookup tools: Employ global DNS propagation and lookup tools (e.g., Google Admin Toolbox Dig) to confirm that all records are resolving correctly from various locations after your DNS changes.
Address specific bounce codes: Pay attention to specific error messages like 'Message lacks required authentication', as documentation indicates these directly point to failures in SPF, DKIM, or DMARC.
Technical article
Documentation from Salesforce Marketing Cloud outlines that a complete Sender Authentication Package requires specific DNS records for email sending, bounce handling, link wrapping, and image hosting, all of which are essential for deliverability.
10 Jan 2024 - Salesforce Marketing Cloud Documentation
Technical article
Documentation from AWS explains that delegating a domain's nameservers to an AWS hosted zone transfers DNS management, requiring all existing records to be re-created in the new zone for continued service.