Hello, we target IT professionals including many IT security roles.
We've received feedback that having the large marketo tracking link is turning people off of clicking because they can't verify the link before clicking. Is anyone else in the security space facing this issue? Is there a way around it?
The tracking link represents a unique combination of lead, email, target href, and href id. You shouldn't expect to represent this key information in a smaller string (it could be done, but there's nothing technically wrong with the current implementation).
But I don't understand how anyone could "verify" a link like http://click.example.com/fg849UIa any more than they can "verify" http://click.example.com/O030pcnR0100PXLQ0Z0IfYO. How would the verification steps differ? They still would have no idea, just by hovering over the link, what the final target page is. (This is the same with any link: unless you're trying to combat phishing attempts against well-known banking or ecommerce sites, there's nothing inherently more trustworthy about pages.mycompany.com vs click.myothercompany.com.)
In any case, the answer is: you can turn off link tracking as well as link tokenization. Then you'll have no record of click activity or subsequent web activity unless the lead manually fills out a form. I wouldn't bother using Marketo under those restrictions but YMMV.
Hi Sanford, we are in the security industry so yes, a lot of people will not click unless they CAN verify the link.
I'm just curious if other people are facing this problem, the obvious solution is to turn off link tracking, but it's not the most convenient for us marketers who would like statistics.
Has anyone faced this issue and come up with any solution? i.e. send customers newsletters with no tracking links, but send other emails with tracking links? any pros/cons?
You didn't explain what "verify" means. The "large Marketo tracking link" is no more or less verifiable than a shorter link at the same tracking domain. If their means of verification is "does the link have non-human-readable alphanumeric characters" then [a] they aren't serious security people and [b] you can't solve this and still use unique per-lead links.
Ultimately, if they're creeped out by any URL they don't recognize then obviously you can't track the links you send them. There's no magic here: if http://click.example.com/r843256hgs87 makes them paranoid but http://www.example.com/the_static_page_name.html doesn't, you have to send the latter (non-tracked, non-tokenized).
I ran into similar issues with our target audience (engineers), they don't like tracked links, and we had a few people making a huge deal out of forms with pre-fill enabled ("how do you know it's me? why is my data displayed publicly? why are you storing my information?")
There isn't really a workaround, we send some emails without any tracking and disable pre-fill on many forms.
Data is definitely important but user experience/satisfaction comes first.
Absolutely! Didn't mean there isn't significance from a privacy perspective. A unique identifier (or alphanumeric string that merely appears to be a hash or unique key) connotes per-lead tracking. So if people are tracking-sensitive, you have to turn off both tracking and tokenization (mktoNoTok and mktNoTrack) since both create "tracking-like" URLs. Can't have it both ways, though, was my point. Either MUA/UA click activities are tagged to the lead, or the activities are anonymous.
But from a security perspective using a tracking domain has no direct significance. You can send people to the untracked, undecorated www.example.com/my_totally_innocent_page.html, but no amount of hovering over the link (if that's what's meant by "verification") can tell them that the link will redirect to www.malice.com/here_is_your_trojan.exe. They similarly don't know know where plain ol' www.example.com is about to lead them -- or where that place is going to redirect them next. Only if the email appears to come from an extremely well-known company like PayPal would hovering over the link and seeing the creatively misspelled www.paypa1.com provide any kind of preliminary verification. Real verification is what mail link scanners are for -- checking, in a sandboxed environment, to see if after one or more redirects, the target URL is malicious. A security professional would know that a given domain name with numbers after it is no more or less safe than that same domain name with a good-lookin' page name, or with no page name at all.
But from a security perspective using a tracking domain has no direct significance.
I'll emend this to say that if your tracking domain is not running over SSL, or is running over SSL but is not on the HSTS preload list, while in contrast the target domain is on HSTS preload, then linking to the tracking server is indeed less secure than going straight to the target. But this isn't because it's a tracking server but because of its plaintext-ness or SSL-strippability.
Yes exactly - to some it is APPEARING like the links aren't "verifiable" even though marketo only appends a bunch of numbers/letters to the end and you can still see where the link is going as much as you could on any other link like you mentioned.
Iryna Zhuravel -- anecdotally do you think more people are clicking? Or can you tell from your web visitors or any other metric has increased since NOT tracking certain links? I'm potentially interested in only NOT tracking our customer newsletter, for example. But want to make sure that I can defend my idea