CNAME and Target

Instructions for working with Adobe Client Care to implement CNAME (Canonical Name) support in Adobe Target. Use CNAME to handle ad blocking issues or ITP-related (Intelligent Tracking Prevention) cookie policies. With CNAME, calls are made to a domain owned by the customer rather than a domain owned by Adobe.

Request CNAME support in Target

  1. Determine the list of hostnames you need for your SSL certificate (see FAQ below).

  2. For each hostname, create a CNAME record in your DNS pointing to your regular Target hostname

    For example, if your client code is “cnamecustomer” and your proposed hostname is, your DNS CNAME record looks similar to:  IN  CNAME

    Adobe’s certificate authority, DigiCert, cannot issue a certificate until this step is complete. Therefore, Adobe cannot fulfill your request for a CNAME implementation until this step is complete.

  3. Fill out this form and include it when you open an Adobe Client Care ticket requesting CNAME support:

    • Adobe Target client code:
    • SSL certificate hostnames (example:
    • SSL certificate purchaser (Adobe is highly recommended, see FAQ): Adobe/customer
    • If the customer is purchasing the certificate, also known as “Bring Your Own Certificate” (BYOC), fill out these additional details:
      • Certificate organization (example: Example Company Inc):
      • Certificate organizational unit (optional, example: Marketing):
      • Certificate country (example: US):
      • Certificate state/region (example: California):
      • Certificate city (example: San Jose):
  4. If Adobe is purchasing the certificate, Adobe works with DigiCert to purchase and deploy your certificate on Adobe’s production servers.

    If the customer is purchasing the certificate (BYOC), Adobe Client Care sends you the certificate signing request (CSR). Use the CSR when purchasing the certificate through your certificate authority of choice. After the certificate is issued, send a copy of the certificate and any intermediate certificates to Adobe Client Care for deployment.

    Adobe Client Care notifies you when your implementation is ready.

  5. Update the serverDomain to the new CNAME in at.js.

Frequently Asked Questions

The following information answers frequently asked questions about requesting and implementing CNAME support in Target:

Can I provide my own certificate (Bring Your Own Certificate or BYOC)?

You can provide your own certificate. However, Adobe does not recommend this practice. Management of the SSL certificate lifecycle is easier for both Adobe and you if Adobe purchases and controls the certificate. SSL certificates must be renewed every year. Therefore, Adobe Client Care must contact you every year to obtain a new certificate in a timely manner. Some customers can have difficulty producing a renewed certificate in a timely manner. Your Target implementation is jeopardized when the certificate expires because browsers refuse connections.


If you request a Target bring-your-own-certificate CNAME implementation, you are responsible for providing renewed certificates to Adobe Client Care every year. Allowing your CNAME certificate to expire before Adobe can deploy a renewed certificate results in an outage for your specific Target implementation.

How long until my new SSL certificate expires?

Certificates issued before September 1, 2020 are two-year certificates. Certificates issued on or after September 1, 2020 are one-year certificates.

What hostnames should I choose? How many hostnames per domain should I choose?

Target CNAME implementations require only one hostname per domain on the SSL certificate and in the customer’s DNS. Adobe recommends one hostname. Some customers require more hostnames per domain for their own purposes (testing in staging, for example), which is supported.

Most customers choose a hostname like Adobe recommends following this practice, but the choice is ultimately yours. Do not request a hostname of an existing DNS record. Doing so causes a conflict and delays time to resolution of your Target CNAME request.

I already have a CNAME implementation for Adobe Analytics, can we use the same certificate or hostname?

No, Target requires a separate hostname and certificate.

Is my current implementation of Target impacted by ITP 2.x?

In a Safari browser, navigate to your website on which you have a Target JavaScript library. If you see a Target cookie set in the context of a CNAME, such as, then you are not impacted by ITP 2.x.

ITP issues can be resolved for Target with just an Analytics CNAME. You need a separate Target CNAME only in ad-blocking scenarios where Target is blocked.

For more information about ITP, see Apple Intelligent Tracking Prevention (ITP) 2.x.

What kind of service disruptions can I expect when my CNAME implementation is deployed?

There is no service disruption when the certificate is deployed (including certificate renewals).

However, after you change the hostname in your Target implementation code (serverDomain in at.js) to the new CNAME hostname (, web browsers treat returning visitors as new visitors. Returning visitors’ profile data is lost because the previous cookie is inaccessible under the old hostname ( The previous cookie is inaccessible due to browser security models. This disruption occurs only on the initial cut-over to the new CNAME. Certificate renewals do not have the same effect because the hostname doesn’t change.

What key type and certificate signature algorithm is used for my CNAME implementation?

All certificates are RSA SHA-256 and keys are RSA 2048-bit, by default. Key sizes larger than 2048-bit are not currently supported.

How can I validate that my CNAME implementation is ready for traffic?

Use the following set of commands (in the macOS or Linux command-line terminal, using bash and curl 7.49+):

  1. Paste this bash function into your terminal:

    function validateEdgeFpsslSni {
        for edge in mboxedge{31,32,{34..38}}; do
            echo "$edge: $(curl -sSv --connect-to $domain:443:$edge:443 https://$domain 2>&1 | grep subject:)"
  2. Paste this command (replacing with your hostname):


    If the implementation is ready, you see output like below. The important part is that all lines include, which matches the desired hostname. If any lines include CN=*, the implementation is not ready.

    $ validateEdgeFpsslSni *  subject: C=US; ST=California; L=San Jose; O=Adobe Systems Incorporated; *  subject: C=US; ST=California; L=San Jose; O=Adobe Systems Incorporated; *  subject: C=US; ST=California; L=San Jose; O=Adobe Systems Incorporated; *  subject: C=US; ST=California; L=San Jose; O=Adobe Systems Incorporated; *  subject: C=US; ST=California; L=San Jose; O=Adobe Systems Incorporated; *  subject: C=US; ST=California; L=San Jose; O=Adobe Systems Incorporated; *  subject: C=US; ST=California; L=San Jose; O=Adobe Systems Incorporated;
  3. Validate your new DNS CNAME with another curl request, which should also show

    curl -sSv 2>&1 | grep subject:

    If this command fails but the validateEdgeFpsslSni command above succeeds, wait for your DNS updates to fully propagate. DNS records have an associated TTL (time-to-live) that dictates cache expiration time for DNS replies of those records. As a result, you might need to wait at least as long as your TTLs. You can use the dig command or the G Suite Toolbox to look up your specific TTLs.

If you are using CNAME, the opt-out link should contain the "client=clientcode parameter, for example:

Replace clientcode with your client code, then add the text or image to be linked to the opt-out URL.

Known limitations

  • QA mode is not sticky when you have CNAME and at.js 1.x because it is based on a third-party cookie. The workaround is to add the preview parameters to each URL you navigate to. QA mode is sticky when you have CNAME and at.js 2.x.
  • Currently the overrideMboxEdgeServer setting doesn’t work properly with CNAME when using at.js versions before at.js 1.8.2 and at.js 2.3.1. If you are using an older version of at.js, this setting should be set as false in order to avoid failing requests. Alternatively, you should consider updating at.js to a newer, supported version.
  • When using CNAME, it becomes more likely that the size of the cookie header for Target calls increase. Adobe recommends keeping the cookie size under 8 KB.

On this page