The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a web site tell browsers that it should only be accessed using HTTPS, instead of using HTTP. This prevents man-in-the-middle attacks by telling the browser it should never interact with their domain without first establishing a secure HTTPS connection.
A domain can assert the HSTS policy for all of it's subdomains. This means both the subdomains used for Marketo landing pages and the subdomains for Marketo tracking links must also be secured with SSL certificates. If HSTS is asserted and the Marketo subdomains are not secured, people that visit landing pages or click on tracked links in emails will receive security errors and browsers will not load the pages.
This is resolved with Marketo's Secured Domains solution. Your first tracking link is included as part of the base Secured Domains offering, but if you have multiple tracking link domains, you'll need to purchase additional coverage a la carte. Contact your CSM to add additional domains to your contract, or reach out to Support to help connect your two. There are very few exceptions where a domain utilizing HSTS will NOT need to secure both landing page domains and tracking link domains.
Reach out to your IT and/or web development team to confirm whether or not your domain utilizes HSTS and if both Secured Domains and Tracking Links are necessary for your business. If your website utilizes HSTS and has the "include subdomains" flag set to true, you will need to secure both your landing page domains and tracking link domains in almost all circumstances.
Google Chrome has a built in HSTS checker that you can use to verify your HSTS settings.
1. Visit the root domain of your website with the Chrome browser. For example, if your Marketo landing pages use visit.acme.com, navigate to acme.com. This will load the domain's HSTS policy into Chrome.
2. Navigate to chrome://net-internals/#hsts in Chrome. This will load Chrome's HSTS checker.
3. In the "Query HSTS/PKP domain" section, type in your domain you wish to check. Click "Query".
4. If the query returns "Found" with a list of configuration settings, you will need to check two settings:
If both of the above are true then both Secured Domains for Landing Pages and Tracking Links may be required.
If the query returns "Not Found", or is not using a "FORCE_HTTPS" or "STRICT" policy then the landing page and tracking link subdomains may not have strict HTTPS requirements.
Always verify with your IT and/or web development team as to what your domain's security policies and requirements are. Failure to properly secure your landing page or tracking domains according to your domain's security policy may result in landing pages or tracking links not resolving in browsers. A lack of a strict HSTS policy does not necessarily mean you do not need to secure your Marketo domains.
If you have yet to secure your first tracking link domain in your instance, simply open a Support case and we'll handle the rest, since the first tracking link domain is covered with the base Secured Domains offering on all subscriptions. If you are looking to secure multiple tracking link domains (or landing page domains), you'll need to contact your CSM to purchase additional domains a la carte. Configuration instructions can be found below: