We have been experiencing internal deliverability issues recently. Marketo recently changed our IP range and didn't inform us. Even after adding an exception to our anti-spoofing policy for the newly added IP range, we're still experiencing alerts and internal emails bouncing due to Mimecast's anti-spoofing policy. There doesn't appear to be anything else we can do to fix the issue from our end. This has been ongoing for a couple weeks now and Marketo support has been slow to respond. Has anyone else dealt with this recently and solved the issue?
We are having the same issues. How did you find out that Marketo changed your IP range?
Hi Rich - this has happened in the past to us so I knew once we started having issues to simply ask. Ideally they would alert us but they say that isn't possible. No comment on that:)
Dealt with this most recently a couple of months ago, but it's something I've seen come up several times before--there's many potential points where things may be having an issue: not issuing large enough IP blocks in your whitelist, SPF selector setup, competing DKIM selectors (though odd, this did happen once where someone set up Mimecast to use m1 as a selector as well), etc. It really depends on how your Anti-Spoofing Policy is set up and what criteria you're using for the bypass. I actually recommend against using IP ranges because of this very issue and recommend going with SPF instead.
Hi Lauren Beth,
Yes! We have this problem every so often, which is whenever Marketo changes our IP range. You can file a ticket with Marketo Support and they will give you the new range, then submit it to your IT team and they can whitelist. The downside here is that Marketo does not warn you before they change your IP range so you don't find out until all of your internal employees are suddenly email suspended. Unfortunately, our Anti-Spoofing policy and our internal security team is very strict with our Mimecast restrictions so they will not whitelist the Marketo sending domain or our own company email domain (which isn't advised anyway).
As Courtney mentioned, adding the IP ranges is not the safest way to prevent this. Adding the SPF in your policy settings would be a better idea. While Marketo does not inform when it changes the IP address used for sending emails, we always look at the original email source in Gmail to check our IP and if any changes have been made. This is a manual task done every two weeks but doesn't take more than a minute to verify.
Should be noted that for most Marketo instances, SPF-based bypass is based on mktomail.com (since this record need not be included in your corporate domain's SPF record).
Conversely, if you have the branded sender add-on, you should instead use your corporate domain, as this will already include your Marketo-based permitted senders.
Carley Donovan what's silly about that policy is is that by whitelisting Marketo IPs, they're whitelisting all Marketo subscribers -- so much for being "very strict"! Upgrading a Marketo SPF SOFTFAIL to a FAIL would have exactly the same result (and would have the immense advantage of automatically adjusting to changes in Marketo's IP ranges).
Hi Sanford Whiteman,
Trust me, I know it is silly. I actually sat down with the Mimecast specialist in NYC and went over this with him and he either didn't understand or didn't care. Anyway, we have setup our SPF, but IT won't update the Mimecast settings with the exception of updating the IP range if it changes.