Email campaign delivery fails due to DNS configuration after cloud migration

After migrating our Adobe Experience Cloud instance to the cloud, our email campaigns are failing to deliver. We’re getting DNS lookup failures when the Cloud Email Service tries to send campaigns. The error logs show issues with DNS record validation, and our emails are either bouncing or going to spam.

Before the migration, our SPF and DKIM records were configured for our on-premise mail server. Now that we’re using Adobe’s Cloud Email Service, I assume we need to update our DNS records, but I’m not sure exactly what changes are required. The cloud sender authorization process seems different too. Our domain is verified in the cloud console, but emails still aren’t going through. Has anyone dealt with DNS configuration issues after migrating email marketing to the cloud? What specific records need to be updated for SPF, DKIM, and DMARC setup?

SPF is just the first step. You also need to configure DKIM signing for the cloud environment. Adobe’s Cloud Email Service uses different DKIM keys than your on-premise setup. Log into Cloud Manager and navigate to Email Service > DKIM Configuration. You’ll see public key values that need to be added as TXT records in your DNS. The record names usually follow the pattern aec-dkim._domainkey.yourdomain.com. Without proper DKIM configuration, your emails will fail authentication checks and get flagged as spam or rejected entirely.

Another thing to verify is the cloud sender authorization configuration. Even with correct DNS records, the Cloud Email Service needs explicit authorization to send from your domain. In Cloud Manager, go to Email Service > Sender Domains and make sure your domain shows as ‘Verified and Authorized’. Sometimes the verification completes but the authorization step gets stuck. You might need to re-verify the domain or contact Adobe support to complete the authorization process on their end.

DMARC can definitely cause partial delivery failures if it’s not aligned with your new cloud sending infrastructure. With ‘quarantine’ policy, emails that fail DMARC alignment get sent to spam folders or held for review. Since you’ve changed your sending infrastructure to Adobe’s cloud, you need to verify that both SPF and DKIM are properly aligned with your From domain. Check your DMARC reports to see which authentication mechanism is failing. You might need to adjust your DMARC policy temporarily to ‘none’ while you troubleshoot, then move back to ‘quarantine’ or ‘reject’ once everything is working.

Thanks for the guidance. I found the DKIM public keys in Cloud Manager and added them as TXT records in our DNS. I also updated our SPF record to include the Adobe cloud servers. However, I’m still seeing some delivery failures. The DNS record validation in the cloud console shows green checkmarks for both SPF and DKIM now, but about 30% of our emails are still bouncing. Could this be a DMARC issue? We had DMARC set to ‘quarantine’ in our old setup. Does that need to change for cloud email delivery?

DNS configuration for cloud email services is completely different from on-premise setups. You need to add Adobe’s cloud mail servers to your SPF record. The record should include something like include:_spf.experiencecloud.adobe.com. Without this, receiving mail servers will reject your emails because they don’t recognize Adobe’s cloud infrastructure as an authorized sender for your domain. Check your current SPF record and make sure it includes the Adobe cloud sending servers.

I’ll provide you with a complete DNS configuration solution that addresses all three focus areas to resolve your email delivery issues.

DNS Record Validation: First, verify your current DNS records are correctly configured for Adobe’s Cloud Email Service. Use DNS lookup tools to check each record:

For SPF, your TXT record at your domain should include:

v=spf1 include:_spf.experiencecloud.adobe.com include:_spf.yourdomain.com ~all

The include:_spf.experiencecloud.adobe.com authorizes Adobe’s cloud mail servers. Keep your existing SPF mechanisms if you have other legitimate senders. The ~all provides a soft fail for unauthorized servers.

Verify SPF propagation using: dig TXT yourdomain.com or `nslookup -type=TXT yourdomain.com DNS propagation can take 24-48 hours. If you updated records recently, partial delivery failures might be due to some mail servers still seeing old records while others see new ones.

SPF/DKIM/DMARC Setup: For DKIM, Adobe Cloud Email Service generates unique key pairs for your domain. In Cloud Manager > Email Service > DKIM Configuration, you’ll find two public keys (for key rotation). Add both as TXT records:

Record 1: aec-dkim-1._domainkey.yourdomain.com Value: The public key string from Cloud Manager (starts with v=DKIM1; k=rsa; p=…`)

Record 2: `aec-dkim-2._domainkey.yourdomain.com Value: The second public key string

Adobe rotates between these keys automatically. Both must be published for seamless rotation.

For DMARC, update your policy to align with cloud sending. Your DMARC TXT record at _dmarc.yourdomain.com should be:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensics@yourdomain.com; fo=1

Start with p=none to monitor authentication results without affecting delivery. This generates reports showing which emails pass/fail SPF and DKIM. After confirming 95%+ pass rates for a week, gradually increase to p=quarantine then p=reject.

The 30% bounce rate you’re experiencing is likely due to DMARC alignment issues. DMARC requires either SPF or DKIM to align with your From domain. Check your email headers - the Return-Path domain (used for SPF) might not match your From domain, causing SPF alignment to fail. If DKIM is signing with a different domain (d= parameter), that also causes alignment failure.

To fix alignment, configure your Cloud Email Service sending domain settings:

1. Go to Cloud Manager > Email Service > Domain Configuration
2. Set ‘Return-Path Domain’ to match your From domain exactly
3. Enable ‘DKIM Domain Alignment’ and set signing domain to your From domain
4. Save and test with a campaign to a few addresses

Cloud Sender Authorization: Even with perfect DNS records, Adobe’s cloud infrastructure needs explicit authorization. Complete these steps:

1. In Cloud Manager > Email Service > Sender Domains, verify status shows ‘Verified’
2. If status is ‘Pending Verification’, click ‘Re-verify Domain’ to trigger a new DNS check
3. Once verified, the status should automatically change to ‘Authorized’ within 15 minutes
4. If it stays at ‘Verified’ without moving to ‘Authorized’, check the authorization logs

Go to Cloud Logs > Email Service and filter for your domain. Look for authorization errors like:

• ‘Sender policy check failed’ - indicates SPF issues
• ‘DKIM signature validation failed’ - indicates DKIM configuration problems
• ‘Domain ownership verification pending’ - might need to re-add verification TXT record

For immediate troubleshooting, use Adobe’s built-in DNS validation tool: Cloud Manager > Email Service > Domain Configuration > Validate DNS Records. This checks all required records in real-time and highlights specific issues.

One common issue after cloud migration: if you have multiple subdomains or email sending domains, each needs separate DNS configuration and authorization. Make sure you’ve configured records for all domains you send from, not just your primary domain.

After completing these DNS updates, wait 24-48 hours for full propagation, then test with a small campaign. Monitor your DMARC reports (sent to the rua email address) to verify authentication is passing. The reports show exactly which authentication mechanisms are succeeding or failing for each receiving domain.

If you’re still seeing bounces after DNS propagation, check the bounce messages for specific rejection reasons. Common patterns:

• ‘550 SPF check failed’ - SPF record missing Adobe’s servers
• ‘550 DKIM signature invalid’ - DKIM public key doesn’t match or is missing
• ‘550 DMARC policy rejection’ - DMARC alignment failing

Each error points to a specific DNS record that needs correction. The cloud console’s DNS validation tool will help identify which record is misconfigured.