Should I start with a new SFMC subdomain?

Start with root-cause diagnosis first. Use a new subdomain only after you have fixed the list quality, authentication, complaint, or cadence issue that damaged the current reputation.

What is the first technical check for SFMC deliverability?

Check SPF, DKIM, and DMARC domain matching on a real production-path message. SFMC settings and DNS records matter, but the final message headers show what mailbox providers evaluate.

How do I know if the issue is list quality?

Compare complaint, bounce, unsubscribe, click, and conversion rates by acquisition source and import date. A new or reactivated audience with worse metrics is often the source.

Can blocklists or blacklists cause SFMC spam placement?

Yes, a blocklist or blacklist can contribute, especially for corporate filtering and policy blocks. Confirm the exact listed domain or IP and fix the sending behavior behind the listing.

How long does SFMC reputation recovery take?

Recovery depends on severity, provider, complaint rate, volume, and list quality. Expect days for minor throttling, and weeks or longer when domain reputation has declined across providers.

Learn

Email deliverability

How can I diagnose and fix deliverability issues in Salesforce Marketing Cloud?

Michael Ko

Co-founder & CEO, Suped

Published 19 Jun 2025

Updated 4 Jun 2026

12 min read

Summarize with

Salesforce Marketing Cloud deliverability diagnosis thumbnail with authentication and reputation checks.

To diagnose and fix deliverability issues in Salesforce Marketing Cloud, start with four buckets: authentication, reputation, list quality, and sending behavior. Check that SPF, DKIM, DMARC, tracking, bounce, and reply domains match the authenticated sending domain. Then compare performance by mailbox provider, send classification, audience segment, and date. If spam placement started suddenly, look for a campaign, list import, automation change, domain change, or volume spike just before the drop.

The fastest fix is rarely a new subdomain. A fresh subdomain helps only after you know what damaged reputation. If the same unengaged list, complaint pattern, bad acquisition source, or authentication mistake moves to the new subdomain, the new reputation will deteriorate too.

I would treat SFMC deliverability recovery as an incident response process: preserve data, isolate affected mail streams, reduce risky sending, repair authentication, suppress bad addresses, and rebuild reputation through consistent mail to engaged recipients. Salesforce has its own deliverability FAQ, but the practical work happens in your data extensions, automations, DNS, and post-send reporting.

Start with a clean incident timeline

Before changing DNS or pausing every journey, build a simple timeline. Deliverability problems become much easier to diagnose when you can point to the first bad day and compare it with what changed. In SFMC, that usually means reviewing send logs, bounce extracts, complaint data, data extension imports, automation runs, and campaign calendars.

Find the first failure date: Identify when opens, clicks, inbox placement, deferrals, or spam complaints changed. Use exact dates rather than weekly impressions.
Map every send change: List new automations, new audiences, new forms, new imports, new templates, and any change to send cadence.
Separate mailbox providers: Break results out for Gmail, Yahoo, Microsoft, Apple, corporate domains, and your largest recipient domains.
Preserve raw evidence: Export bounce reasons, SMTP codes, complaint counts, unsubscribes, send volumes, and engagement before dashboards roll up the detail.

Do not diagnose SFMC deliverability from open rate alone. Privacy filtering, image caching, bot clicks, and mailbox provider behavior can distort opens. Use opens and clicks as signals, but confirm the issue with bounces, complaints, inbox placement tests, seed results, DMARC aggregate data, and domain-level performance.

Signal	Where to look	What it tells you
Bounces	Tracking	Mailbox rejection, throttling, or invalid address problems.
Complaints	FBL data	Recipient dissatisfaction and reputation pressure.
DMARC	Reports	Authentication pass rates and source matching.
Engagement	Data views	Whether recent sends are reaching people who respond.
Blocklists	IP checks	Whether domain or IP reputation has a visible listing.

Signals to check before making a remediation plan.

Check SFMC authentication first

Authentication is the first technical layer to validate because it creates clear pass or fail evidence. In Salesforce Marketing Cloud, a branded sending setup normally includes a private domain or authenticated domain, DKIM signing, SPF authorization through the return-path domain, branded link wrapping, and DMARC domain matching.

Run a broad check on the sending domain before you inspect campaign content. Suped's domain health checker is useful here because it checks DMARC, SPF, and DKIM together instead of treating them as unrelated DNS records.

What's your domain score?

Deep-scan SPF, DKIM & DMARC records for email deliverability and security issues.

After the DNS check, send a real test message from the affected SFMC business unit. Inspect the headers, not only the UI settings. The message should show SPF pass, DKIM pass, and DMARC pass with the visible From domain matched through SPF or DKIM. If DMARC passes through DKIM domain matching, confirm the DKIM signing domain matches or is a valid subdomain of the visible From domain.

Example DMARC record for monitoringdns

_dmarc.example.com. 3600 IN TXT
"v=DMARC1; p=none; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

SPF result: Check the envelope sender domain. SPF authenticates the return-path domain, not necessarily the visible From domain.
DKIM result: Confirm SFMC signs with the expected selector and domain. A pass on the wrong domain will not fix DMARC domain matching.
DMARC domain match: Verify the visible From domain lines up with either SPF or DKIM. This is the identity mailbox providers and recipients see.
Tracking domains: Use branded click and image domains. Shared or unexpected tracking domains can add reputation drag.

DMARC record detail view showing SPF, DKIM, DMARC, rDNS diagnostics, and DNS records

Suped is strongest when the issue is not a one-time lookup. Its DMARC monitoring tracks authentication by source over time, flags new failures, and gives fix steps for SPF, DKIM, and DMARC issues. That matters in SFMC because different business units, domains, and automations can create separate authentication patterns.

Use a real message test, not only DNS checks

DNS records can be correct while the actual campaign still fails. A real-message test catches template-level and routing-level problems: broken links, suspicious redirects, missing plain text, malformed headers, link wrapping problems, and authentication that differs between test sends and production sends.

Use a production-like send path. Send from the same business unit, sender profile, delivery profile, send classification, and IP pool as the affected campaign. If the issue appears only for a triggered journey, test that triggered path rather than a manual Email Studio send.

Email tester

Send a real email to this address. Suped opens the report when the test is ready.

?/43tests passed

Preparing test address...

Suped's email tester helps here because you can send an SFMC message to a test address and review the authentication, content, and configuration signals together. That is more useful than guessing from a campaign preview.

Salesforce Marketing Cloud tracking screen showing delivery, bounce, unsubscribe, and complaint metrics.

A single clean test does not prove the whole SFMC program is healthy. Test each distinct mail stream: promotional campaigns, lifecycle journeys, transactional notices, reactivation sends, and any business unit using a different sender profile or IP pool.

Diagnose reputation by mailbox provider

When a sender says the domain reputation went red, the next question is where. Reputation is not one global score. Gmail, Microsoft, Yahoo, Apple, corporate filters, and regional mailbox providers all make independent filtering decisions. A campaign can inbox well at one provider and land in spam or get throttled at another.

Create a domain-level report for your largest recipient domains. At minimum, track delivered, bounced, deferred, opened, clicked, unsubscribed, complained, and converted counts. If you have a large B2B audience, group corporate domains by company or MX provider so one customer domain does not hide inside an "other" bucket.

Provider-level risk signals

Example scoring model for prioritising investigation by mailbox provider.

Microsoft

82%

Gmail

64%

Yahoo

51%

Apple

28%

Corporate

74%

If Microsoft is the main problem, review deferrals, complaint rates, and blocklist or blacklist signals tied to the sending IPs. If Gmail is the main problem, examine domain reputation, user engagement, spam complaints, and domain matching. If corporate filters are the issue, inspect content, URL reputation, DNS, TLS, and security gateway rejections.

Mailbox-specific issue

Symptom: One provider shows spam placement, deferrals, or low engagement while others remain normal.
Likely cause: Provider-specific reputation, complaint, filtering, or throttling rules.
Fix path: Reduce risky volume to that provider and rebuild with recently engaged recipients.

Program-wide issue

Symptom: Most providers show worse placement, higher bounces, or lower engagement at the same time.
Likely cause: List quality, authentication, new traffic source, volume change, or content problem.
Fix path: Pause the riskiest streams and repair the root cause before ramping volume.

A blocklist (blacklist) check is still worth doing, especially when bounces mention policy blocks, spam sources, poor reputation, or rejected IPs. Use Suped's blocklist monitoring when you need ongoing visibility across domains and IPs rather than a one-off lookup during an incident.

Fix list quality before warming anything new

List quality is usually the largest driver of SFMC reputation problems. If a new list source, old segment, partner import, or dormant customer file entered the program before the decline, treat it as suspect until the data proves otherwise.

Start by suppressing addresses that are likely to generate complaints, bounces, or non-engagement. That includes hard bounces, repeated soft bounces, recent complainers, role accounts when they are not expected, typo domains, imported addresses with no permission trail, and subscribers with no opens, clicks, purchases, logins, or site activity inside your chosen window.

Complaint rate thresholds

Use complaint rate as an incident severity signal for promotional sends.

Healthy

Below 0.05%

Keep monitoring by provider and campaign.

Watch

0.05% to 0.10%

Investigate acquisition source and segment quality.

High risk

Above 0.10%

Pause risky streams and tighten suppression.

New imports: Compare every recent import against complaint, bounce, and unsubscribe rates by source.
Old audiences: Suppress long-dormant subscribers before recovery sends. Reintroduce only small engaged cohorts.
Bad domains: Remove typo domains and domains with repeated invalid responses. Keep a permanent suppression table.
Unsubscribe friction: Make opt-out easy. A frustrated subscriber often uses the spam button instead.

Do not move a contaminated audience to a new subdomain. The domain changes, but the complaint behavior follows. Fix consent, segmentation, suppression, and cadence first.

Review SFMC sending behavior and automation design

SFMC makes it easy to create automations that send more mail than intended. A journey entry source can expand, a filter can loosen, or a triggered send can fire for events that were not originally planned. That creates reputation risk even when the email template is unchanged.

Review send volume by day, hour, business unit, IP pool, sender profile, and campaign type. Compare the four weeks before the issue with the first week of decline. If volume spiked, restore a normal cadence and prioritize subscribers with recent positive engagement.

Flowchart showing SFMC deliverability recovery from detection through monitoring.

Risky recovery

Volume: Keeps full campaign volume running while reputation is already declining.
Audience: Includes dormant, imported, or low-consent recipients during the repair period.
Cadence: Sends bursts that create unstable engagement and throttling signals.

Controlled recovery

Volume: Reduces risky sends and restores volume only after provider metrics improve.
Audience: Starts with recent openers, clickers, buyers, account users, and other active recipients.
Cadence: Uses steady daily sending so mailbox providers see predictable engagement.

If you send a monthly newsletter that reliably earns opens and clicks, keep it in the recovery plan, but distribute it carefully. A steady send to engaged subscribers can help rebuild positive signals. A sudden blast to the full historical database can make the incident worse.

Interpret bounces and blocks correctly

Bounces tell you whether the receiving system rejected the message, delayed it, or found an address problem. In SFMC, do not stop at the bounce category. Export the raw reason where possible and group it by provider. A high soft bounce rate at one provider can mean throttling, temporary reputation limits, policy blocks, or infrastructure issues.

Pattern	Likely issue	Response
554	Policy block	Check reputation, complaints, content, and provider guidance.
421	Deferral	Slow volume and review provider-level engagement.
User unknown	Bad data	Suppress source and fix acquisition validation.
Spam text	Content	Test URLs, wording, redirects, and authentication.
Listed IP	Blacklist	Confirm listing and follow the listed operator process.

Common SFMC bounce patterns and practical responses.

A bounce message that mentions spam does not always mean the content is the root cause. It can be a shorthand policy reason attached to reputation, authentication, URL reputation, volume, or complaints. That is why the same bounce code must be interpreted alongside list source, provider, timing, and authentication results.

For Salesforce-specific rejection patterns, a deeper SFMC guide on 554 soft bounces can help when the error appears repeatedly across campaigns.

Repair authentication and DMARC monitoring

If SFMC authentication is failing, fix it before attempting reputation recovery. Mailbox providers penalize inconsistent identity. Even when deliverability problems began with list quality, authentication failures make recovery harder because providers cannot connect good engagement to a trusted domain identity.

DMARC aggregate data gives you a source-level view of what is passing, failing, and matching your From domain. Suped's DMARC monitoring is the best practical option for most teams here because it turns XML reports into source names, failure reasons, and recommended fixes. It also brings SPF, DKIM, hosted DMARC, hosted SPF, SPF flattening, MTA-STS, blocklist monitoring, and alerts into one place.

Strict DMARC record after validationdns

_dmarc.example.com. 3600 IN TXT
"v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com;"
"adkim=s; aspf=s"

Move to enforcement gradually. Start with monitoring if you do not yet know every legitimate sender. Then stage quarantine or reject only after SFMC and every other valid source has consistent domain matching. Hosted DMARC can make that policy staging easier because you can adjust policy without editing raw DNS each time.

A good SFMC authentication result needs more than SPF pass or DKIM pass. The visible From domain must match at least one passing authentication mechanism, and that result must hold across the real production send paths.

Decide whether to use a new subdomain

A new SFMC sending subdomain is appropriate when the current domain identity is too damaged, the business needs separation between mail streams, or a legacy setup cannot be repaired cleanly. It is not a shortcut around poor list quality. The safest decision is to treat a new subdomain as a migration after root-cause repair, not as the first remediation step.

Keep the current subdomain

Use when: Authentication is fixable and complaint sources are identified.
Benefit: You preserve any positive reputation that still exists.
Risk: Recovery takes time and requires disciplined segmentation.

Create a new subdomain

Use when: Mail streams need separation or the current setup has structural damage.
Benefit: You can rebuild with cleaner identity and stricter controls.
Risk: The same bad audience or cadence will damage the new domain.

If you use a new subdomain, warm it with your most engaged recipients first. Keep risky reactivation, low-permission lists, and purchased or appended data out of the warmup entirely. Set daily caps, watch provider-level metrics, and expand only after complaints, bounces, and spam placement stay controlled.

Example warmup cap

A controlled warmup expands only after metrics remain stable.

Daily cap

Build an SFMC recovery checklist

Once the cause is known, turn recovery into an operating checklist. The goal is to stop reputation loss, show mailbox providers better recipient behavior, and prevent the same failure from returning.

Pause risky sends: Stop reactivation, cold segments, weak consent sources, and high-complaint campaigns while the incident is active.
Fix authentication: Repair SPF, DKIM, DMARC, tracking domains, bounce domains, and sender profiles for every affected business unit.
Tighten suppression: Remove hard bounces, complainers, inactive recipients, typo domains, and source segments with poor consent.
Restore cadence: Send predictable daily volume to recently engaged recipients before expanding to older audiences.
Monitor by provider: Track the top recipient domains every week and investigate changes before they become program-wide problems.

Suped fits this workflow when teams need an operational view of authentication and reputation across domains, not a collection of one-off checks. The useful part is the issue detection, fix steps, real-time alerts, hosted SPF, hosted DMARC, MTA-STS setup, and MSP-friendly multi-domain management.

For broader troubleshooting outside SFMC, the same incident pattern applies: authenticate, isolate the failing providers, identify the audience or send change, reduce risky volume, and monitor recovery. A general guide to emails going to spam can help when the problem spans more than one sending platform.

Views from the trenches

Best practices

Build a provider-level report for the largest domains before changing infrastructure.

Suppress high-risk segments first, then rebuild volume with active subscribers only.

Use DMARC data and message headers to confirm real production authentication paths.

Common pitfalls

Starting a new subdomain before finding the cause repeats the same reputation damage.

Treating open rate as proof of inboxing hides complaint, bounce, and spam-folder issues.

Mixing dormant imports with engaged audiences makes recovery signals harder to read.

Expert tips

Keep a permanent bad-domain suppression list so recurring invalid domains stay blocked.

Review weekly domain metrics for delivery, clicks, opt-outs, bounces, and complaints.

Separate lifecycle, promotional, and reactivation mail so one stream cannot hurt all.

Marketer from Email Geeks says reputation recovery starts with finding the cause, including list source changes, older audiences, sending frequency, engagement, and complaint spikes.

2022-08-09 - Email Geeks

Marketer from Email Geeks says SFMC experience matters when an incident needs both platform knowledge and deliverability remediation, especially when domain reputation has declined.

2022-08-09 - Email Geeks

What to do next

The direct fix for SFMC deliverability issues is to diagnose the root cause before changing the sending domain. Validate authentication, send a real production-path test, segment performance by mailbox provider, suppress risky audiences, review automation volume, and only then decide whether the current subdomain can recover or a new one needs a controlled warmup.

Suped helps when the technical side needs to become a monitored workflow rather than a manual investigation. Use it to see DMARC, SPF, DKIM, blocklist, hosted SPF, hosted DMARC, and MTA-STS issues across domains, then track whether the fixes hold as SFMC volume ramps back up.