Breaking Down Barriers: How Adobe Journey Optimizer's Custom Delegation Feature Is Solving Enterprise Compliance Challenges

Employee

9/3/25

When enterprises face compliance requirements that restrict third-party domain management, we didn't just listen—we rebuilt how domain configuration works.

 

The Core Challenge

Traditional marketing automation platforms require customers to delegate DNS management to the platform provider. For regulated enterprises, this creates an impossible choice:

Why This Feature: Addressing Enterprise Compliance Challenges

In highly regulated industries, marketing teams often face a critical barrier: compliance requirements that prevent third-party domain management. Whether it's HIPAA in healthcare, FINRA in financial services, or SOX compliance for public companies, these organizations need complete control over their domain infrastructure. This feature provides a complete separation between customer infrastructure and platform services:
- No shared credentials between systems
- Customer-managed certificates with full SSL chain control
- Isolated infrastructure with no cross-customer dependencies

Key Enterprise Requirements:

- Complete Domain Control: DNS records must remain under customer management
- Certificate Ownership: SSL certificates must be generated and managed internally
- Regulatory Compliance: Zero third-party dependencies for regulated communications
- Security Standards: No shared credentials or external access to domain infrastructure

The Four-Phase Setup Process


Phase 1: DNS Configuration


In this phase, you configure the required DNS records in your own DNS management system. The platform provides you with the exact record specifications and validates them in real-time.
1. In the UI, click the "Download CSV" button to get the required DNS records
2. Configure the following records in your DNS management system:

| Record Type | Name | Value/Target | Purpose |
|---|---|---|---|
| TXT | adobe._domainkey.yoursubdomain.com | DKIM public key (provided by Adobe) | Email authentication and anti-spoofing |
| MX | yoursubdomain.com | 10 ind2.feedback.adobe.net (according to the region) | The MX record points to Adobe so that bounce and complaint emails go directly to Adobe’s servers. It must stay under adobe.net since Adobe manages the mail flow, compliance, and deliverability, and this cannot be hosted by the customer. |
| A | yoursubdomain.com | 192.243.228.1 | Email delivery infrastructure |
| TXT | yoursubdomain.com | "v=spf1 redirect=_spf.yoursubdomain.com" | SPF policy redirect |
| TXT | _spf.yoursubdomain.com | "v=spf1 ip4:4.188.230.193 -all" | Actual SPF IP allowlist |
| CNAME | data.yoursubdomain.com | data.yoursubdomain.com.data.adobedc.net | Data collection and tracking |

3. After configuring all records, check the confirmation box in the UI indicating completion

Please Note:

DMARC Validation: DMARC policy is mandatory and must be configured at either subdomain level (_dmarc.yoursubdomain.com) or parent domain level (_dmarc.yourdomain.com) for complete email authentication. Setup cannot proceed without proper DMARC configuration.
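
Before checking the confirmation box, the email-authentication records can be verified from your own side with dig. The script below is an added example, not Adobe's validator: it assumes `dig` is installed, the function names are illustrative, and the DMARC parent domain is taken to be the subdomain minus its first label unless passed as a second argument.

```sh
#!/bin/sh
# Added example: pre-flight check of the SPF, DKIM and DMARC TXT records.
# Assumes dig is installed. Usage: sh preflight.sh <subdomain> [parent-domain]

# Print the TXT strings at a name, one record per line, quotes removed
# and multi-string records (long DKIM keys) joined.
lookup_txt() {
    dig +short TXT "$1" | sed 's/" "//g; s/^"//; s/"$//'
}

# SPF: exactly one v=spf1 record at the subdomain, it must carry redirect=,
# and the redirect target must be a policy ending in -all.
check_spf() {
    spf=$(lookup_txt "$1" | grep -i '^v=spf1' || true)
    if [ "$(printf '%s\n' "$spf" | grep -c .)" -ne 1 ]; then
        echo "SPF: expected exactly one v=spf1 record at $1"; return 1
    fi
    target=$(printf '%s\n' "$spf" | sed -n 's/.*redirect=\([^ ]*\).*/\1/p')
    [ -n "$target" ] || { echo "SPF: no redirect= in record at $1"; return 1; }
    lookup_txt "$target" | grep -Eiq '^v=spf1( .*)? -all$' ||
        { echo "SPF: $target has no policy ending in -all"; return 1; }
}

# DKIM: the adobe selector must publish a non-empty public key (p=...).
check_dkim() {
    lookup_txt "adobe._domainkey.$1" | grep -Eq 'p=[A-Za-z0-9+/]+' ||
        { echo "DKIM: no public key at adobe._domainkey.$1"; return 1; }
}

# DMARC: accepted at the subdomain or at the parent domain.
# Assumption: the parent defaults to the subdomain minus its first label.
check_dmarc() {
    parent=${2:-${1#*.}}
    for name in "_dmarc.$1" "_dmarc.$parent"; do
        if lookup_txt "$name" | grep -iq '^v=DMARC1'; then return 0; fi
    done
    echo "DMARC: no v=DMARC1 record at _dmarc.$1 or _dmarc.$parent"; return 1
}

# Run all three checks and report every failure, not just the first.
preflight() {
    rc=0
    check_spf "$1" || rc=1
    check_dkim "$1" || rc=1
    check_dmarc "$1" "${2:-}" || rc=1
    return "$rc"
}

if [ "$#" -gt 0 ]; then preflight "$@"; fi
```

A second `v=spf1` record at the same name is reported as a failure because receivers treat multiple SPF records as a permanent error.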


Optional DNS Records (can be configured later):

These records must be configured in your DNS management system, for example:

- Google Domain Verification: TXT record for Google Workspace/Gmail integration
- Additional Security Records: CAA records, additional DKIM selectors, etc.

 

Phase 2: SSL Certificate Setup


The SSL certificate setup process involves several steps using the platform's UI:


Step 1. Click the "Generate CSR" button to create a new Certificate Signing Request
CSR Requirements:
- Country Code: Must be 2-letter ISO country code (e.g., US, CA, GB)
- Key Length: RSA 2048 or 4096-bit (cannot be changed after subdomain creation)


Step 2. Use the "Download CSR" button to save the generated CSR file


Step 3. Submit the CSR to your Certificate Authority (CA) for signing


Certificate Requirements:

- Subject Alternative Names (SANs): The certificate must include both data.subdomain.com and cdn.subdomain.com within a single certificate. For example, if you are delegating example.adobe.com, then data.subdomain.com means data.example.adobe.com and cdn.subdomain.com means cdn.example.adobe.com.
- The SANs must be added by the customer by requesting them from their Certificate Authority (CA). We will only provide the CSR for data.subdomain.com.
- If supported by your certificate issuing portal, add both subdomains as peer entries.
- Certificate Authority: Any trusted CA that your organization uses
- Certificate Format: PEM format with complete certificate chain


Sample PEM file format

-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJALc3... (base64 encoded data)
-----END CERTIFICATE-----


Step 4. Once received from CA, use the "Upload Certificate" button to upload the signed certificate

 

Important Notes:
- Both data and CDN subdomains must be included in the same certificate
- Certificate validation occurs immediately upon upload

- Once delegation is complete, the customer can view the certificate's expiration date on the subdomain screen. They will also receive expiry warnings 30 days before expiration and must upload a renewed certificate well in advance to avoid downtime or potential data loss

- Customers can either regenerate the CSR or download the existing one to issue a new certificate, which should then be uploaded using the Upload Certificate button
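
The certificate requirements above can be checked locally with the openssl CLI before using the Upload Certificate button. This is an added example, not the platform's validation code: the function name and file names are placeholders, and the chain test only counts the certificates in the file, it does not verify signatures.

```sh
#!/bin/sh
# Added example: check a CA-issued PEM file before using "Upload Certificate".
# Assumes the openssl CLI. Usage: sh check_cert.sh chain.pem request.csr <subdomain>

check_cert() {
    pem=$1; csr=$2; sub=$3; rc=0
    # openssl x509 reads the first certificate in the file, which must be the leaf.
    text=$(openssl x509 -in "$pem" -noout -text) ||
        { echo "FAIL: $pem is not a readable PEM certificate"; return 1; }

    # CSR mismatch: the certificate must carry the public key from the platform's CSR.
    if [ "$(openssl x509 -in "$pem" -noout -pubkey)" != \
         "$(openssl req -in "$csr" -noout -pubkey)" ]; then
        echo "FAIL: certificate key does not match the CSR"; rc=1
    fi

    # Missing SAN domains: data.<sub> and cdn.<sub> must both be dNSName entries.
    for host in "data.$sub" "cdn.$sub"; do
        printf '%s\n' "$text" | tr ', ' '\n\n' | grep -Fqx "DNS:$host" ||
            { echo "FAIL: SAN list is missing $host"; rc=1; }
    done

    # Key length: RSA 2048 or 4096-bit only.
    printf '%s\n' "$text" | grep -Eq 'Public-Key: \((2048|4096) bit\)' ||
        { echo "FAIL: key is not RSA 2048 or 4096-bit"; rc=1; }

    # Expiry: fail if the leaf expires within 30 days (2592000 seconds).
    openssl x509 -in "$pem" -noout -checkend 2592000 >/dev/null ||
        { echo "FAIL: certificate is expired or expires within 30 days"; rc=1; }

    # Chain: structural check only, the leaf plus at least one issuer certificate.
    [ "$(grep -c -e '-----BEGIN CERTIFICATE-----' "$pem")" -ge 2 ] ||
        { echo "FAIL: no intermediate certificate after the leaf"; rc=1; }

    return "$rc"
}

if [ "$#" -eq 3 ]; then check_cert "$@"; fi
```

Run it again against the renewed certificate at each renewal, since a regenerated CSR changes the key the certificate must match.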



Phase 3: FBL Registration 


Once the customer completes the FBL registration with assistance from their deliverability consultant for the OTP, they should check the box to confirm the registration is done (more details available here), and then click the 'Continue' button in the top right corner.

 

Phase 4: CDN Record Configuration 


After all the above steps are complete, you'll be prompted to configure the CDN record:
1. Download the CSV containing the CDN record; this will be used to serve assets like images.
2. Configure the following in your DNS management system:

3. Check the confirmation box in the UI and click "Submit" to proceed to final verification

The final phase involves automated validation of your complete setup. The platform verifies that all DNS records are properly configured, certificates are valid, and email delivery infrastructure is ready.

 

Verification Checklist:
- DNS records properly configured and propagated
- SSL certificate valid and properly chained  
- Email authentication (SPF, DKIM, DMARC) verified

Common Setup Issues and Troubleshooting

Understanding potential challenges and their solutions helps ensure a smooth setup process:

DNS Configuration Issues

If DNS validation fails, these might be the causes:
- Incorrect IP address: Verify the A record points to the exact IP address provided in the setup instructions
- DNS propagation delays: DNS changes can take up to 48 hours to propagate globally - wait and retry validation
- DKIM record formatting: Ensure the TXT record name exactly matches adobe._domainkey.yoursubdomain.com with the provided public key value
- Missing DMARC policy: DMARC record must exist at either _dmarc.yoursubdomain.com or _dmarc.yourdomain.com
- SPF configuration issues: Verify both the redirect record and the actual SPF record are configured correctly

Certificate Upload Issues

If certificate validation fails, check these common issues:
- CSR mismatch: Certificate must be generated using the exact CSR provided by the platform
- Missing SAN domains: Certificate must include both data.subdomain.com and cdn.subdomain.com in Subject Alternative Names as peers. The cdn.subdomain.com entry needs to be added as a SAN by the customer with the help of their CA.
- Certificate expiration: Ensure the certificate is valid and not expired
- Format issues: Certificate must be in proper PEM format with correct headers and footers

Setup Requirements and Restrictions

Important requirements enforced during setup:
- Country Code: Must be exactly 2 letters (ISO format like US, CA, GB) - this is validated directly in the interface
- Key Length: RSA 2048 or 4096-bit only (cannot be changed after subdomain creation)
- Certificate Authority: Must use a trusted CA that your organization has approved
- DNS Management: All DNS records must be configured in your own DNS management system
- Domain Ownership: You must have administrative control over the domain being configured

Others

If you encounter issues not covered above:
- Check that all DNS records have properly propagated using DNS lookup tools
- Verify your certificate meets all technical requirements before uploading
- Ensure your DNS management system supports all required record types
- Contact support with specific details about which validation step is failing

Benefits for Your Organization

Operational Advantages

Faster Setup: Automated validation reduces configuration time from weeks to days
Reduced Errors: Real-time validation prevents common misconfigurations  
Transparency: Full visibility into every configuration step

Security and Compliance

Complete Control: All domain infrastructure remains under your management
Zero Dependencies: No third-party access to your domain or certificate infrastructure
Industry Standards: Support for all major compliance frameworks

Marketing Capabilities

Full Platform Access: Use all Journey Optimizer features without compromise
Real-Time Decisioning: Instant campaign optimization while maintaining security
Unified Experience: Seamless integration with other platform capabilities

Adobe Journey Optimizer's No Delegation feature eliminates the impossible choice between compliance and marketing capabilities, allowing enterprises to maintain complete domain control while accessing advanced marketing automation. This breakthrough proves that the future of enterprise marketing lies in solutions that deliver both security and functionality without compromise.
