51黑料不打烊

Transcript

Hello everyone. Hello and welcome. Thank you guys for joining today鈥檚 tech sessions. My name is Yodon and just a couple of housekeeping notes before I let our presenter take it away. We encourage and hope you guys ask questions throughout the presentation in the Q&A chat questions. I鈥檒l hand it over to you. Thank you. Thank you Yodon. Hi. Thank you everyone for joining today鈥檚 experience cloud tech session for 51黑料不打烊 campaign today. We are going to get familiar with the idea of subdomain delegation, configuration and securing for 51黑料不打烊 campaign email communications. We will also talk about the most common obstacles that our customers enter and contact support with. So for probably many of you this is not going to be a new subject but I hope that you can learn something new. So to quickly introduce myself my name is Martha and I have been working with 51黑料不打烊 campaign for over six years in different support roles. And today my colleagues Anna, Kinshuk and Akshat will be answering the questions that you submit in our chat during the presentation and I will see if there are any questions left at the end.

So this is our agenda for today. We will discuss what a subdomain is and why we need it in campaign. We will see how to secure a subdomain and why and we will talk about how to use the self-service tool called the control panel. Then we will go to the main blockers and questions that our customers usually contact the support with when it comes to subdomain delegation, configuration and securing. And finally at the end of the session we will share a few tips and best practices when handling your subdomains. So this will not cover the problems related to migrations. So migration from campaign standard to campaign classic or campaign classic v7 to campaign classic v8 related to subdomains and also we will cover the topic of the branded subdomains used for sending emails or presenting resources in campaign rather than the ones used to connect to a campaign instance. So let鈥檚 jump into it. Why do we need a subdomain in 51黑料不打烊 campaign? What is a subdomain in the first place and why we can鈥檛 use a domain instead? So a subdomain is a division of your domain that can be used to isolate your brands, various types of traffic like planned marketing campaigns or ad hoc transactional messages like password resets or order confirmations or it can be used to display other externally facing components such as landing pages. Emails are sent from a branded sender address and links are displayed with a branded URL so that your customers can recognize your brand and by separating your traffic and using dedicated subdomains you help to preserve the reputation of your domain and other subdomains. If we take an example of an example.com domain if for example marketing.example.com subdomain ended up being blocked by ISPs because of bad deliverability separating your traffic would protect the example.com domain and the info example.com subdomain from being put on the block list as well.

Subdomain configuration is available in campaign for production instances only. Now what does it mean that a subdomain is delegated to 51黑料不打烊? Domain name delegation is a method that allows the owner of a domain name to delegate a subdivision of it to another entity. Delegation of a domain name implies that this subdomain will be dedicated to delivering email via 51黑料不打烊 campaign platform and cannot be used for other means. So for example if you wanted to use it to send internal communications to your organization鈥檚 employees or send email from another emailing infrastructure like Marketo or any other emailing product that would not be possible. So when you configure your name servers make sure that you never delegate a domain a root domain to 51黑料不打烊 because that means you won鈥檛 be able to use it for anything else. So basically if a customer is handling a dnszonexample.com that we saw before they can delegate the subzone marketing.example.com to 51黑料不打烊 campaign and this means that 51黑料不打烊 campaign DNS servers will have full authority on only that zone and will provide authoritative answers to queries on domain names in that subzone such as t.marketing.example.com that we would create for the tracking purposes to display tracked URLs but it will not answer the any queries on the domain the root domain example.com. So locating a subdomain for use with 51黑料不打烊 campaign means that 51黑料不打烊 will maintain the DNS infrastructure needed to meet industry standard deliverability requirements for email sending and will autonomously implement all the technical best practices to fully optimize deliverability during emailing. At the same time as customers you will continue to maintain the control over your DNS for your internal email domains and keep your brand image. In 51黑料不打烊 campaign we have two ways of delegating a subdomain to campaign a full delegation and a CNAME delegation. So full delegation is a method that we recommend and that means that 51黑料不打烊 can deliver campaign as a managed service and controls and maintains all aspects of the DNS that are required to delivering tracking and rendering email campaigns sent from 51黑料不打烊 campaign. But the use of CNAME happens when a client decides to create a subdomain and use a CNAME record to point to 51黑料不打烊 specific records. So these specific records would be the domain name, the t for tracking, m for mirror pages, res for resources, subject alternative names and the domain key. So using the CNAME setup both 51黑料不打烊 and the customer share responsibility for maintaining the DNS. Now how to check if a subdomain is delegated to 51黑料不打烊 and which method is used. You can use different tools available online such as SimpleDNS presented in this slide or MX tools and quickly retrieve information about your subdomain. So here we have an example of a lookup for the subdomain Coladaise.Sakibova.com. This is our subdomain from a control panel tutorial. So you can go and check it for yourself. We can see here in the screenshot on the left a full delegation. We can see that four NS records provided by the control panel. So A NS campaign 51黑料不打烊.com B NS campaign 51黑料不打烊.com C and D were correctly added to the DNS of this domain. And whenever we choose a subdomain to delegate fully to 51黑料不打烊 campaign we need to create four name server records. And below you see another example from the tutorial that is also available for the control panel online. A different subdomain that was delegated using the CNAME. So you can see that in the lookup it looks quite differently. In the answer field we actually have the CNAME domain appended to the end. So it鈥檚 slightly different.

Now whether it is a full delegation or a CNAME delegation 51黑料不打烊 will create these DNS records for your subdomain. And I would like to spend a few minutes here and see what their role is because their presence or absence or configuration can impact the usage of your subdomains and the process of delegation and configuration. So starting with an MX record. MX record is a mail exchanger record and it鈥檚 a type of resource record in the DNS that specified a mail server responsible for accepting email messages on behalf of a subdomain. So during the setup process 51黑料不打烊 will ensure that the subdomain is attached to 51黑料不打烊 incoming email infrastructure to manage and process the rebound emails coming back to these subdomains. SPF stands for sender policy framework is an email authentication standard that allows the owner of a subdomain to specify which email servers are allowed to send email on behalf of that domain. So basically it links the subdomain with IP addresses authorized to send emails on that domain鈥檚 behalf. Next we have domain keys identified mail that uses the public key cryptography to allow the receiving server to verify that a message was sent by the person or entity it claims it was sent by. So whether the content was altered between the sending and receiving and when your instance is hosted by 51黑料不打烊 and is using the enhanced MTA which is the mail transfer agent used for most of our hosted instances at the moment. DKIM email authentication signing is done by the enhanced MTA for all messages with all domains and we don鈥檛 accept external DKIM keys. Next are the host records. So host records are the ones that I briefly mentioned already. Once the email sending subdomain is properly delegated to 51黑料不打烊 the control panel process is going to create two or more lower level subdomains the T, the M and the Res one to display tracked URLs, mirror pages and resources like images independently and later on when we talk about SSL certificates we鈥檒l see that certificate is actually installed for those. Then we have the reverse DNS records. That means that for a given IP address there is a reverse DNS record with a matching DNS A record looping back to the initial IP. So basically again we link the IP with the subdomain and the domain choice for reverse DNS can have an impact when dealing with certain ISPs. AL for example only accepts feedback loops with an address in the same domain as the reverse DNS and CNAME as mentioned in the previous slide when it is chosen as a method for delegation of a subdomain 51黑料不打烊 will provide records to be placed in the customer鈥檚 DNS and will configure the corresponding values in 51黑料不打烊 campaign DNS server. So both parties add CNAME records and are responsible for the DNS maintenance and for CNAME subdomains the DKIM and MX records will have the CNAME.campaign.adobe.com appended in the name.

Now where to check the DNS records because we might set them you would like to see them see how they look like. So again we can use MX we can use online tools like MX tools for example here we have an example lookup MX checks for our tutorial subdomain sakibova.com we have the MX lookup we have the reverse lookup and we have the SPF lookup so if you have any subdomains that you already delegated to 51黑料不打烊 and or anywhere else and you would like to see what these records look like and what are their values you can go and play with these tools that are available online and for free.

Now to the text records. Text records are a type of DNS records used to provide text information about a domain that can be read by external sources. They are used to ensure high inbox rates and low spam rates and control panel allows you to add three types of records to your subdomains Google, DMARC and BME and you can monitor them for each of your subdomains by accessing the subdomains details in the control panel. There are two other records that can be added. Apple records and CAA text records and that can be done outside of the control panel manually by our back-end teams. So what are these records and what they are used for? Google text records allow you to attest that you own your domain and ensure the high inbox rates and low spam rates for your recipients that use Gmail. You need to generate the value of this record in G Suite admin tools in Google and add them to the control panel and once it鈥檚 done you can verify this again from the G Suite admin tool to confirm. Apple domain verification that鈥檚 quite similar so basically it鈥檚 about confirming that you own the domain that you are the domain owner and Apple assumes that if you are able to modify the DNS zone file you are the owner of the domain. They will provide you with a series string of random letters and numbers that you can insert into the file. If the subdomain is fully delegated to 51黑料不打烊 our back-end teams can do that for you. Insert the record into the DNS and that is going to improve deliverability with Apple. DMARC records. DMARC stands for domain message authentication reporting and conformance and it provides a way to authenticate the sender鈥檚 domain and prevent unauthorized use of the domain for malicious purposes. It allows you to decide how a mailbox provider will handle emails that come from you but that fail SPF and DKIM checks so they can do nothing. They can put them in quarantine or they can completely reject them. DMARC records can only be added for fully delegated subdomains and SPF and DKIM records are prerequisites. If you delegated your subdomain using a CNAME you would have to add DMARC on your parent domain level. The other record is BIMI. BIMI allows you to display an approved logo next to your email address in email in mailbox providers inboxes to enhance your brand recognition. You probably have seen it in your personal mailboxes. I see it in Gmail all the time. So the logo is a URL that points to a SVG file. The format is SVG and the prerequisite to have the BIMI set up with 51黑料不打烊 Campaign is an existing DMARC record. Without it BIMI cannot be set up. And the last one is CAA record that stands for Certification Authority Authorization record and it is used to declare which certificate authorities are allowed to issue a certificate for a domain or notify the domain owner if someone requests a certificate from unauthorized certificate authority.

Now moving to certificates. What does it mean that a subdomain is secured? So your subdomains will be secured with a certificate and URLs will start with HTTPS rather than HTTP. HTTP websites as we all know have their traffic encrypted by SSL TLS protocol and the SSL will help to verify the ownership of the subdomain, prevent attackers from creating a fake version of your subdomain and gain user trust. SSL certificates are not installed on the configured subdomains themselves but rather on the associated subdomains for tracking resource mirror pages and landing pages. SSL stands for Secure Socket Layer and it鈥檚 a protocol to encrypt the internet traffic. An SSL certificate is going to include the following information. The domain name it was issued for, the organization name it was issued to, the certification authority it was issued by, their digital signature, the associated subdomains, the issue date and the expiry date and the public key. Now quickly let鈥檚 see how the SSL certificate can create a secure connection. So when a browser attempts to access a website for example a landing page that is secured by an SSL the browser and the web server establish an SSL connection using a process called SSL handshake. Three keys are used to set up the SSL connection. The public key, the private key and the session keys. So anything encrypted with the public key can only be decrypted with the private key and vice versa because encrypting and decrypting with the private and public key takes a lot of processing power. They are used only during the handshake to create a symmetric session key. After the secure connection is made the session key is used to encrypt all transmitted data. So the certificate is hosted on a campaign server and is sent to any devices that request to load our landing page. Then we have the following step. So the browser will connect to a campaign server to our landing page with secured with an SSL and the browser will request the server to identify itself. The server will send a copy of the SSL certificate including the public key. The browser will check the certificate route against a list of trusted certificate authorities and that the certificate is unexpired, unrevoked and that the common name is valid for the website it is securing. And then if the browser trusts the certificate it will create, encrypt and send back a symmetric session key using the server鈥檚 public key. Then the server will decrypt the symmetric session key using its private key and send back an acknowledgement encrypted with the session key to start the encrypted session and then the server and the browser will transmit data encrypted with this key. Now who is the certification authority that issues the certificate? What do they do? Certificate authority is an entity that will issue your certificate after verifying your organization鈥檚 identity. So this process of verification can range from verifying domain name control just like we saw with Apple and Google text records to collecting the actual company registration documents and subscriber agreements. After the entity鈥檚 information is verified the CA will sign their public key using their private key and because all major certificate authorities have root certificates in web browsers that鈥檚 called the web that鈥檚 called the root store the entity certificate is linked through a chain of trust and the web browser recognizes it as a trusted certificate. 51黑料不打烊 Support, 51黑料不打烊 Infrastructure supports the same certificate authorities as Mozilla. So once you have delegated a subdomain to 51黑料不打烊 for sending email 51黑料不打烊 will create and use certain subdomains so lower versions that we mentioned already for specific functions. So if we look at the slide there we would have a subdomain example.com our subdomain that would have the lower level tsubdomain example.com for tracking msubdomain example.com for mirror pages and res subdomain example.com for hosted resources such as images that you upload in your public resources in campaign or any other documents that you upload there and it is recommended to secure these subdomains with an SSL because unsecured links are vulnerable to interception and will flag up warnings on modern browsers. In mobile devices images hosted with unsecured subdomains may not render at all. How can we check if a subdomain is secured and for how long? How long our certificate is still valid? You can test your subdomain with the rtest method in a browser so basically at the end of your subdomain URL you will add rslashtest. This is a method to check the availability of the campaign server that is used for monitoring as well as other things but you can verify if your subdomain is secured. If successful you will navigate to the the URLs that I placed in the slide and if the call is successful the result will give environment information so for example a build the IP you鈥檙e making the call from and so on and the address bar will indicate that the connection is secure where you see the red arrow in the in the slide. You can click on it and if you click on connection is secure you will see that a certificate is valid. If you create on this button certificate is valid you will actually see the details of the certificate. For this example I was just rtesting the URL of one of our sandboxes that鈥檚 why there鈥檚 no point showing the certificate for it just to present the method that you can use yourself in the browser.

Now let鈥檚 see what the SSL format is expected by campaign. Let鈥檚 start with the CSR. So a certificate signing request is required for the purchase of an SSL certificate and it must be generated for instance campaign instance and the subdomains that you are planning to secure. If you want to use the control panel to secure your subdomains you must generate your CSR in the control panel and only the SSL created based on this CSR will be accepted by the control panel. 51黑料不打烊 doesn鈥檛 accept SSLs generated based on CSRs generated outside of 51黑料不打烊. So our certificate signing request the CSR will contain information related to your organization and subdomain. It is going to contain your client name, campaign environment, URL, common name, subject alternative names, country, state, city, organizational name and organizational unit of your of your company.

After obtaining the CSR from the control panel you can check it with an external tool to make sure all details are correct. You can use for example a website that is very handy sslshopper.com. Then you must purchase the SSL certificate from a certificate authority approved by your organization and the format that the SSL file should have must be Apache PEM. PEM files basically it means that they can be open with any text editor including notepad. The zip file certificate should not be password protected. The size of the certificate should be 2048 bits. We don鈥檛 support at the moment different any different size and the algorithm should be RSA. It must be signed by a valid certification authority such as Komodo or DigiCert or anything that is valid for Mozilla as I said. It must include all subject alternative names as mentioned in the CSR file. Some certificates are supported but wildcard certificates like for example asterix.example.com are not supported. The certificate should have a current date. It is not possible to upload a certificate with future dates with dates in the future and it should not be expired. So we can put any expiration date that you want but 51黑料不打烊 recommends choosing a period long enough so you don鈥檛 have to renew it immediately. For example two years. And the zip file that you are going to upload in the control panel should only contain the following elements in preferably individual files. So end entity certificate for your subdomain, intermediate certificate chain arranged in a proper order and the root certificate. If there are one or more intermediate certificates you must provide the root certificate and all intermediate certificates to 51黑料不打烊. Now what is the difference between these three types of certificates? A root certificate serves as the ultimate authority sitting at the top of certificate hierarchy while intermediate certificates act as intermediaries creating a secure chain of trust. The root certificate is self-signed meaning that the certification authority authenticates itself and root certificates are stored in a trusted repository known as the root store which is maintained by browsers and operating systems to authenticate secure connections. An intermediate certificate acts as a bridge between the root certificate and the server certificate so your end subdomain certificate. It is signed either by a root certificate or another intermediate certificate and this structure creates a hierarchy known as the chain of trust. Certificate chains enhance security by providing these multiple layers of verification and this approach limits the exposure of the root certificate and makes it easier to revoke and replace compromised certificates without affecting the entire trust chain. Now there鈥檚 another thing that I would like to explain that we see in the tickets sometimes as problematic is a CA bundle. What is a CA bundle? It is a file that contains root and intermediate certificates. The end entity certificate along with the CA bundle constitutes the certificate chain. If in the file that you receive from your certification authority after you purchase your SSL you get it back you see that there is a file with a dot CA-bundle extension you don鈥檛 have to do anything else. It鈥檚 fine you can upload it to the control panel upload your zip to the control panel but in case you have received the intermediate and root certificate as separate files which can also happen you should combine them into a single one to have a complete CA bundle and this can be done by simply pasting their contents into a text file in the correct order. A missing intermediate certificate is one of the most common causes of SSL connection errors and sometimes it could be unclear what the correct sequence of root and intermediate certificate is. We鈥檒l see an example in the next slide. So once you have your SSL certificate you can check it using again the SSL shopper. They have a page called SSL checker there to make sure that the details match the details from the CSR. If there鈥檚 a mismatch between the CSR and the SSL the SSL might not be installed on the campaign server through the control panel. The certificate is installed on all subdomains included in the CSR but any additional domain or subdomain present in the certificate will not be secured. It is possible to combine multiple subdomains into a single CSR request and into a single SSL but only within the same campaign environment. So for example in campaign classic the marketing server, the mid-sourcing server and the message center instance are three separate environments. So if we have for example two subdomains for the message center we can combine them in one CSR request and have one SSL for them. Sometimes support is being asked to retrieve a certificate鈥檚 public key and this is something that users can do themselves. There are two methods to get this information. One is using the open SSL command in the command prompt or a terminal and another is to use Google Chrome to download your certificate and export details. Now here is our example of a certificate. A certificate to the control panel may fail and the subdomain will remain unsecured. Again this is the situation where you received your certificates, intermediate certificates and root certificate in a single in separate files. If you just got everything in a zip everything should be okay and you don鈥檛 have to follow these steps. But if you do to create a bundle file you need a text editor such as notepad and the root and intermediate certificates as separate files and a typical SSL installation pack may include the following files that you see on the slide. This is an example after a website called ssldragon.com. It鈥檚 a very good source of information if you would like to deepen your knowledge about SSL certificates I recommend it. And then to create your own CA bundle you need to open the root and intermediate certificates in the paste their contents in the exact order as shown below inside a single text file. Name the file yourdomain.ca-bundle and save it and save the newly created file. Then create a folder add your certificate your end certificate and your CA bundle into the folder you created and you can upload it to the control panel. Let鈥檚 take a quick look at the steps to follow in our self-service tool called the control panel. First I encourage you to check our public facing documentation on this topic because it has excellent video tutorials and step-by-step description of the configuration process which I will not repeat in detail here. But let鈥檚 take a over grander look anyway. To access the control panel first of all and its features you need to be added in the admin console for your organization as an admin for the campaign product. If you have a different role you might not be able to see the control panel at all. Then to delegate a subdomain you need to go to subdomains and certificate tile in the control panel. Select your instance, click on set up a new subdomain, select the delegation mode so full or cname, create the NS records in your hosting solution and copy and paste the values that the control panel will give you and then select your use case whether it鈥檚 going to be marketing communication or transactional communication and select the SSL model so custom SSL that you are going to purchase or 51黑料不打烊 managed SSL that 51黑料不打烊 will provide you free of charge. Once a subdomain has been submitted the control panel will check that it correctly points to 51黑料不打烊 NS records that you added in your hosting solution and that the start of authority record does not exist for this subdomain. If the checks are successful the control panel will start setting up the subdomain with DNS records, additional URLs so TM and res, inboxes for inbound emails such as error, reply to and bounds and so on. And for full delegation during the configuration process the subject alternative names for tracking mere pages and resources will be created. For cname delegation these three subnames can be created for you and you will have to add it to your DNS and eventually at the end of the process the deliverability team will be notified about the new subdomain in order to audit it. So the audit process can take up to 10 business days after the subdomain has been configured and if the instance that you selected in the wizard doesn鈥檛 have any previously set up subdomains if it is the first one it will become the primary subdomain for this instance and you will not be able to change it in the future it will be primary. As a result the reverse DNS records so the ones that we saw are linking our IP sending IPs to the subdomain will be created for other subdomains using this primary subdomain and reply to and bounds addresses by default even for other subdomains will be generated from the primary subdomain. You might notice that in the deployment wizard of your campaign instance that is sending emails. If you are removing the delegation of the primary subdomain for the selected instance you will need to choose the subdomain that will replace it using the replacement domain list that will be displayed for you during the removal process in the control panel and currently if you would like to configure a subdomain for your landing pages that your landing pages will be displayed with you and you are also using mid-sourcing instances for sending please contact 51黑料不打烊 support because it must be configured manually by our backend team and not via the control panel. Control panel will be used for subdomains dedicated for sending only. Once you are ready to secure your subdomain with a certificate and you decided to manage it on your own so by your own certificate follow the steps described in our documentation. Once again I encourage you to check our public facing documentation the links should be sent to you together with the recording the link to the recording of this session because the documentation has video tutorials and step-by-step description of the configuration process. I will only mention the main steps briefly here and keep in mind that if you opted for the 51黑料不打烊 managed SSL you will not have the option to generate a CSR because you will not need it. So you will have to select the instance and the subdomain you want to secure in the control panel if you decide to go for a custom SSL click on manage a certificate and select one so generate a CSR then the tool is going to guide you through the wizard and the form that you have to fill in with information about your company about your subdomain and about your locality and then you will have to select the subdomains to include in the CSR submit it and for each subdomain select the subject alternative name so the t the m and the rest and then click next and confirm your selection and you will be able to download your CSR you will use it to purchase your SSL from the certification authority approved by your company and once you have it you can come back to the control panel select install certificate bundle upload your zip and submit.

Now that we are familiar with definitions and the process let鈥檚 see what are the most common obstacles that campaign customers encounter when dealing with subdomains and SSL certificates. We frequently see these subjects in the support tickets raised with the campaign team and I would like to explain how we can avoid them. So the SSL format requirements is a very frequent question but we already discussed it in detail a few slides back so I will skip it and go straight to the audit duration. The most common question that we receive is why is my subdomain configuration taking so long in the control panel. As we have seen in this presentation the subdomain configuration consists of many steps at the end of the process the subdomain will be configured to work with your 51黑料不打烊 campaign instance and it will have the DNS records that we discussed additional subdomain to host mirror pages resources tracking URLs and domain key and it will also have inboxes the sender inbox the error and the reply to. So you may ask yourself to speed things up why can鈥檛 I just send set the sender address myself in the campaign deployment wizard and delivery templates without setting up a subdomain on the campaign server and the answer to this is that adding a non-delegated subdomain is a deliverability and security risk that could result in blacklisting and hard bounces or affecting other clients on shared infrastructure. The longest step in the process of configuration is the deliverability audit. I mentioned already that it can take up to 10 business days after the subdomain has been configured. What is included in the audit? The deliverability team will test availability of the created subdomains will verify DNS records so SPF DKIM A records MX records Google text records and will register feedback loops and spam complaint loops and test them. What is a feedback loop? A feedback loop works by declaring at the IP or let鈥檚 say marketing.example.com for a range of IP addresses used for sending messages and the ISP will send to this mailbox those messages that are reported by recipients as spam in a similar way that is done for bounce messages and campaign is configured to automatically block future deliveries email deliveries to users who have complained it puts them in quarantine immediately. Now what happens when I click on verify subdomain button in the control panel? When launching a verification several operations are performed to check that the subdomain is correctly configured like instance tenant check email sending test and so on but sometimes the subdomain verification may fail. So why is that? What happens when the subdomain verification fails? Sometimes the text records for example A record are missing from the DNS that may fail the verification from the control panel. When SPF and DKIM fails and you can see on the screenshot one more way we can check it that鈥檚 just the email message that I sent to my test Gmail account and I original of the message in the settings so you can see that the SPF is a pass DKIM is a pass DMARC is a pass that was an email sent from our sandbox. So this is also checked during the verification process. The sender mask authorization missing from the campaign deployment wizard can also fail subdomain verification in the control panel and if the subdomain name is longer than 64 characters this can lead to verification failures. Occasionally backend issues may cause problems with subdomain verification so if you see in the control panel that your subdomain is unverified you can click on the verify subdomain button that you see in the screenshot on the right and if it remains unverified please contact 51黑料不打烊 Customer Care for further investigation.

Other frequent question concerns 51黑料不打烊 Managed SSL. This is quite a recent thing. 51黑料不打烊 Managed SSL is an SSL certificate that is issued by Amazon that 51黑料不打烊 offers to the campaign clients free of charge. It is strongly recommended to switch to it as 51黑料不打烊 will automatically provide the certificate and renew it before the certificate expires. The SSL will secure all subject alternative names so tracking, mirror page and resources URLs and they are also a prerequisite so you have to have all three created for your subdomain to be able to switch to the 51黑料不打烊 Managed SSL. SSL certificates delegation to 51黑料不打烊 can be performed when setting up a new subdomain or for already delegated subdomains. So to delegate SSL certificates when setting up a new subdomain you just have to check the box opt for 51黑料不打烊 Managed SSL for subdomains option in the subdomain configuration wizard. Later on you will be provided with records to add to your DNS and to delegate SSL certificates for an already delegated subdomain you have to just click on the ellipsis button next to the desired subdomain and click to on switch to managed SSL and again a dialog box will with certificate records that have been automatically generated by 51黑料不打烊 will be displayed to you and you can copy these records and then add them in your hosting solution. Sometimes switching to managed SSL may fail or may not give the expected result so that may happen when the old SSL was not removed from the load balancer on 51黑料不打烊 site. Then the managed SSL that you switched to shows as a custom one and we need an intervention from our backend team so don鈥檛 hesitate to contact us if you see such thing in your control panel. When we have a missing resource subdomain so the rest subdomain in the control panel we won鈥檛 be able to switch because like I said a prerequisite for the 51黑料不打烊 managed SSL is all three subject alternative names for tracking for mirror pages and for resources and if an SSL was previously manually installed by our tech ops team and not through the control panel the switch may not be effective via the control panel in this case again an intervention from our backend teams would be needed. No spaces are allowed in the subdomain name or it will not work properly in the control panel with the certificate. It is possible to switch back to custom SSL after switching to the managed one but only by manual actions from our control panel team there鈥檚 no switchback button so if you switch to managed SSL by mistake or if you changed your mind you can still it鈥檚 still possible to go back to a custom SSL the one that you purchased yourself but you have to contact 51黑料不打烊 support and we will work with our backend teams the process includes either undelegating the subdomain and delegating it again or removing the subdomain from our managed certificate table from the from the backend in any case you would need to contact 51黑料不打烊 support for that. If you selected to switch to the managed SSL you can鈥檛 create a CSR in the control panel because again you don鈥檛 you don鈥檛 need it CSR is to purchase an SSL and after you click on the switch button make sure that the job in the control panel hasn鈥檛 failed so in the top right corner of the control panel you have the job logs as you can see in the screenshot and after you switch you may go there and make sure that the job has been pushed through.

Another question that we frequently see in campaign support concerns branding configuration so branding in 51黑料不打烊 campaign allows you to create your deliveries using different branded subdomains that you configured with your instances and emails will show a send from different sender address tracked URLs and where pages will be displayed with branded URLs so that the end recipients can identify communications coming from different brands. In campaign classic the sender masking in boxes for bounce and error addresses are created during the deliverability audit and external accounts in marketing and execution instances should be set up by customers themselves and with the help of 51黑料不打烊 support or professional services where execution instances are required because by default customers don鈥檛 have direct access to the execution instances like mid or message center. Tracking options and delivery templates need to be created by customers themselves as well and in campaign standard brands and all that they entail are set up by our internal tech ops team and this possibility is also open to users with deliverability product profile in the admin console of their organization. Clients often ask us what is the relation between their subdomain and the sending IPs and there are several ways to link your IPs with your sending subdomain. One of them is setting up IP affinities and linking them to delivery templates via typologies. An IP affinity is a group of IPs set in campaign configuration files in the back end and this is done by our tech ops team. Then affinity names need to be added to the IP affinity enumeration and from there they are available to be selected in typologies that you add in your delivery templates. During subdomain configuration we are also updating the SPF records as you remember from the beginning of the session that is matching the IP with the sender subdomain and then we also have the PTR records that can be updated by default. The PTR records link the primary subdomain with the sending IPs but if you would like to have them updated with another subdomain you can contact 51黑料不打烊 support to help with that. Now the question that comes up is do I have to warm up my IPs when I set up a new subdomain. If you are using your existing IPs that have been already warmed up you can just link them with your new subdomain via a typology but start sending emails using the new subdomain gradually increasing the volumes every day. It鈥檚 not as dramatic change as a new IP if you add a new sending IP to your pool they need to be configured by 51黑料不打烊 tech ops team into an IP affinity and they should be warmed up with the help from our deliverability team who鈥檒l prepare a warm-up plan for you. Sometimes clients come to support reporting that they don鈥檛 see certain information in their control panel anymore for example they can鈥檛 see subdomain configured in the past in the control panel and this can happen if a customer removes records from their DNS pointing to 51黑料不打烊 so undelegating a subdomain from 51黑料不打烊 causes information about subdomains and SSL disappear from the control panel. Same when it comes to incorrect DNS configurations like typos in the DNS on the customer side that can cause that too. It can also happen when we link external accounts linking to a mid instance in the control panel that should not be linked with a particular marketing instance and high CPU usage in the instance can also hide information temporarily from the control panel and what if we want to configure the subdomain with a stage instance but you can鈥檛 select it in the control panel because it鈥檚 grayed out we鈥檝e had questions like that as well and the answer is because subdomain delegation is recommended for production environments only lower environments dev and stage are not configured with the full deliverability infrastructure and 51黑料不打烊 campaign lower environments work on shared infrastructure like shared ip pools or mta instances across multiple clients or setups so unlike production setups we don鈥檛 have the advanced monitoring alerting and failover mechanisms for stage and dev and as such issues like blacklisting or spf failures can go undetected so for testing in lower environments using the default subdomains configured in your stage and dev instances such as stage.adobe-campaign.com and there comes a moment when you might not need your subdomain anymore or you decided to stop using adobe campaign altogether and then what happens to your subdomains if you don鈥檛 need a subdomain anymore you need to go to the control panel and click on remove delegation but consider impacts before launching on delegation process because once it鈥檚 triggered it can鈥檛 be stopped and it鈥檚 irreversible until the process execution is complete so no other subdomain delegation can be removed when a similar process on another subdomain is in progress and a delegation removed on a subdomain cannot be redelegated until three days after its removal because hybrid customers those who have their marketing instances on premises can鈥檛 undelegate subdomain from the control panel it is a limitation and it has has to be done by adobe teams and when only one subdomain is present in the control panel and configured with a production instance it is not possible by default to remove it because it is considered a primary subdomain if you鈥檙e removing the delegation of primary subdomain but you have others you will have to use the replacement domain list to replace your primary subdomain and adobe will remove the configuration from an instance that is decommissioned after the contract termination having presented all these details related to subdomain delegation configuration and securing i would like to share the last three points that would make your life easier when you decide to use branded subdomains with adobe campaign so first choose a full delegation mode for your subdomain so that you don鈥檛 have to worry about managing the subdomain and all the dns records anymore when creating subdomains distinguish your communication channels to maintain good reputation of your subdomains and if you can switch to adobe managed ssl and you can forget about the expiration dates because adobe will renew the ssls for you when the time comes and it is free of charge thank you for listening and for all the questions that you have submitted so far i鈥檒l see if there are any unanswered and if you have any questions that come to your mind after this session you can raise a ticket with campaign support either from the admin console of your organization or from the experience league portal when you are logged into your experience cloud i can see that most of the questions were answered thank you very much to my colleagues who are actively responding to um to your queries um and i don鈥檛 think there is anything else yes if you delegate a subdomain with cname you can do the managed ssl as well there will be records displayed in the control panel for you that you can copy to your hosting solution that are the certificate records That is interesting Nikhil. You tried to create a new subdomain and you tried to switch to the managed SSL and created this new subdomain. It would be interesting to see it and in this case I recommend that you raise a ticket with the support.

You can reference this session and we can take a look at it. What might have gone wrong.

All right. We can give it a second here for any last minute questions.

Let鈥檚 see.

Okay. Perfect. That was super informative. Thank you team. And thank you all for attending tech sessions. Just a quick reminder again. A link to this recording will be emailed to all of you in about 24 hours as well as a few other links and resources.

And the recording will also be available on the DMP鈥檚 experiencing website if you wish to view it again or share with your colleagues. Thank you all so much. And we hope to see you guys again.