We've identified yet another client of ours who filters all Marketo emails as follows:
Other than asking the client to whitelist our IP range (which hasn't worked with prior clients who have done this for us), is there anything we can do? We already have our SPF/DKIM set up properly, use branded tracking links, and send from our company's domain.
From the screenshot, it looks like an intermediate server/service is changing the image src. I say this because OWA does not appear to be aware that clicking to enable images will have no effect. If you could get on a machine where this is happening it would be easy to see where those URLs are being rewritten to, and presumably figure out which software is making the change.
How do you view the source code of an email in OWA? When I click "view message details", it just provides the email header details and a bunch of encrypted code. In the Outlook desktop client, it's viewed here:
I think in OWA without extensions the best you have is view-source (that is, browser view-source).
I started to look at the source and noticed in the email header that DKIM is signed by mktosender.com. Shouldn't this be our domain?
Certainly if you are publishing the DKIM pubkey on your domain then it should be using your domain. I think they've been mixing things up lately, but luckily it hasn't affected my "legacy" instances.
Should I raise this issue with Marketo or our own IT team?
You may see two DKIM signatures. One is your domain and the other is a Marketo domain.
If you don't see your domain also in a DKIM signature it may not be set up in the Marketo Admin console.
That particular signature indicates that you are sending from a subset of Marketo's IPs reserved for low volume, highly-vetted customers. I would definitely want to dig into these issues more from a deliverability perspective.
Kiersti, see the screenshot above - those are the only DKIM signatures found in our header. And yes, we have this configured in the Admin console:
I just submitted a ticket with Support and asked them to have the Deliverability team take a look at this.
I received the following response from Support:
What the Deliverability team told me is that we are dual-signing DKIM now. Meaning that in the chance that the customer has not set up DKIM, we're signing for them anyway. Dual-signing is fine and it doesn't affect deliverability at all.
What I don't get is that we have indeed set up our DKIM - and even if this is dual-signed (and we have set up DKIM properly) - why is our domain not listed in the DKIM signature within the header?
Sanford Whiteman, does this sound right?
Your domain must appear in the header if it's signed by your domain. Otherwise it's being single-signed only.
I just sent myself another test email and now notice dual DKIM signatures - it appears it was just enabled a little while ago:
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1479161974;
s=m1; d=avanade.com; i=@avanade.com;
h=Date:From:To:Subject:MIME-Version:Content-Type;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1479161974;
s=m1; d=mktosender.com; i=@mktosender.com;
h=Date:From:To:Subject:MIME-Version:Content-Type;
Is there any risk in having this signed by both our domain and Marketo's - especially if recipient email servers block all Marketo emails?
I'd add, too, that Marketo co-signing mail from trusted IPs (and not from untrusted IPs) is a good way to denote that those instances are at least somewhat policed/proper.
Whether "greater than zero trust" is enough to whitelist on in the real world is another matter.
If you had a dedicated IP, which serves the purpose (to a degree) of obscuring the Marketo origins of your emails, then it could be questionable to opt back in to being Marketo-connected.
Otherwise, you'd be getting blocked by IP and/or envelope sender anyway, not by a 3rd-party DKIM signature.
Signing an email shows the recipient that there's someone taking end-to-end responsibility for the email content (as opposed to merely permitting the email server to use a sender domain, which is the best SPF can do). If the signer is the same as the From: address domain, that's considered a first-party or "author" signature -- the person who authored the content also signed it. That's the best use of DKIM.
If Marketo is throwing in a 3rd-party signature, that's not going to hurt anything unless the recipient blacklists or negatively weights by DKIM domain. That's pretty rare, but it can happen. DKIM is more often used for positive weighting. It's also a great tool for selective whitelisting because a recipient can say they allow emails that are *signed* and thus attributable to a given domain as opposed to emails that *claim* (via the forgeable From: or MAIL FROM:) to be from that domain.
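Added example (not part of the original thread, and not Marketo's code): a Python check that reads each DKIM-Signature header of a message and labels it as an author signature or a third-party signature by comparing d= with the From: domain. The sample message is constructed from the two headers quoted above with placeholder bh=/b= values, and the function names are hypothetical; the code only reads the d= tag and does not verify the signatures cryptographically.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the two signature headers quoted in the thread, with
# placeholder bh=/b= values, plus a constructed From/To/Subject and body.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1479161974;
\ts=m1; d=avanade.com; i=@avanade.com;
\th=Date:From:To:Subject:MIME-Version:Content-Type;
\tbh=PLACEHOLDER; b=PLACEHOLDER
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1479161974;
\ts=m1; d=mktosender.com; i=@mktosender.com;
\th=Date:From:To:Subject:MIME-Version:Content-Type;
\tbh=PLACEHOLDER; b=PLACEHOLDER
From: Example Sender <news@avanade.com>
To: recipient@example.org
Subject: Constructed test message

body
"""

def parse_tags(header_value):
    """Split a DKIM tag list ("k=v; k=v; ...") into a dict, dropping folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")  # first "=" only; b= may contain more
        if sep:
            tags[name.strip()] = "".join(value.split())
    return tags

def classify_signatures(raw_message):
    """Return (from_domain, [(signing_domain, selector, kind), ...]) in header order."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = []
    for header in msg.get_all("DKIM-Signature") or []:
        tags = parse_tags(header)
        d = tags.get("d", "").lower()
        # Simplification: exact match, or From: domain is a subdomain of d=.
        # A full alignment check would compare organizational domains.
        aligned = bool(d) and (from_domain == d or from_domain.endswith("." + d))
        results.append((d, tags.get("s", ""), "author" if aligned else "third-party"))
    return from_domain, results

def has_author_signature(raw_message):
    """True if at least one signature claims the From: domain (unverified claim only)."""
    return any(kind == "author" for _, _, kind in classify_signatures(raw_message)[1])

if __name__ == "__main__":
    print(classify_signatures(SAMPLE))
```

A d= value only counts for whitelisting or weighting once the receiving server has verified that signature against the published key.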
Can anyone from Marketo's email deliverability team weigh in on this?
Dan,
Please reach out through Support on this issue to have this looked at by the Deliverability Team. There are a lot of reasons for bulk folder delivery that we would need to look into.
Delivery to the bulk folder is often driven by the reputation of the individual sender. Our team would start with high level questions about how the sender is acquiring their leads and how are they maintaining their database.
-Kiersti
Hi Dan,
Is this a large or small company?
In other terms, is this a feature of their in-house emailing servers or something provided by an ISP of any kind?
-Greg
Hi Greg - It's a very large, global company.