Re: Whitelisting instructions to provide to customers?

SanfordWhiteman
Level 10 - Community Moderator

In fairness, Marketo operates from a distinct set of IP addresses (as does everyone except malicious botnets!). Those IP ranges are published for the purposes of whitelisting, so the flipside is they can be used for blacklisting as well, if companies are intent on not receiving communications of a not-entirely-existing-business nature. (And even if you have an IP dedicated to your instance that is for some reason not deliberately published, that Marketo operates the server can still be identified.)

The thing is, it isn't enough for recipients to want your communications, there has to be someone at the IT level who is interested in making this happen. Many of us have dealt with full-on business partners, with billions in shared revenue, being unable to receive Marketo emails!

If a company has built a flexible enough IT infrastructure, they can whitelist based on DKIM signature regardless of source IP, and have total trust that they're only affecting your emails. Or if they have an inflexible infrastructure but aren't really thorough, they'd whitelist the unique sender domain like @em-sj-77.mktomail.com and not be concerned about the collateral damage from other instances using that same domain (and the fact that domains can be forged by people not even using Marketo). Similarly, if their setup is inflexible but they're willing to whitelist a dedicated IP even though it's in an otherwise "dangerous" range (and, it should be noted, can be reassigned to another instance if you stop using Marketo), that will clearly work.

But if their technical setup is inflexible and the IT staff is also inflexible (and/or knowledgeable about the way SMTP works) you're going to be stopped. To allow only Marketo emails that are traceable to one specific domain, you must use DKIM. Only DKIM guarantees that the operator of a domain authorized the email to be sent (by making a change to their DNS zone). Anything else can be forged. (Note that SPF, though irrelevant for most Marketo users anyway, does not prevent message-level forgery/misuse: it can only imply that a server has been approved for general use by a domain owner, not that all individual emails that come out of that server were approved.)

What we've done for special cases (not for the faint of technical ability) is set up an on-premises relay server for specific recipient domains. Since Marketo sends to those recipients via an intermediate stop on a non-Marketo server, the source IP is no longer at Marketo, which usually gets over the principal hurdle. Of course then you must be sure you are not sending spam to your partner domain, because if you do, they may block your corporate IP range so previously okay person-to-person emails won't go through anymore.

Steven_Vanderb3
Marketo Employee

Hi Sanford,

That is why the regex is provided after the munchkin ID, to account for how that can change. But the Munchkin ID is always going to be unique and constant for any one specific instance. Using our return path regex is not going to be overly broad unless you're omitting the Munchkin ID from it.

SanfordWhiteman
Level 10 - Community Moderator

Yep, you can create a regex that would match R-Ps (each of which is an email address -- that was the original thing I was clearing up) that are legitimately emitted by a single Marketo instance. But (a) the recipient would have to support regexen and (b) the regex would have to have a position in the recipient's ruleset that allows it to override private and public blacklists and (c) the recipient would have to trust in the R-P as an overriding filtering mechanism (something I personally never do).

Given that any R-P can be used for outbound connections from a box -- I know Marketo doesn't give tenants control over this, but there's no barrier in a generalized multitenant system, which is all the recipient has to go on -- R-P is forgeable by someone other than the person making the whitelisting request. So if someone is draconian enough to say "I block emails from this MA platform because it sends spam" asking them to whitelist based on something that can be forged by any tenant isn't going to fly.

As a former (and still occasional) enterprise mail admin I don't think anybody should be asking for Marketo-specific whitelisting except for DKIM M1. (Obviously, I don't think Marketo should be blacklisted! Just that dealing with blacklisting should be done at a sophisticated level.)
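
Added example, not part of any post in this thread and not Marketo's or any mail product's code: a recipient-side allowlist rule keyed on a passing DKIM signature, next to one keyed on the shared Return-Path domain, run over three constructed messages. The authserv-id `mx.recipient.example`, the domain `partner.example` and the sample headers are assumptions, and the receiving MTA is assumed to strip inbound `Authentication-Results` headers that carry its own authserv-id.

```python
import re
from email import message_from_string

TRUSTED_AUTHSERV = "mx.recipient.example"   # assumption: authserv-id of our own MTA
ALLOWED_DKIM_DOMAINS = {"partner.example"}  # assumption: the partner's DKIM d= domain
SHARED_RP_DOMAIN = "em-sj-77.mktomail.com"  # shared sender domain named in the thread

def dkim_pass_domains(msg):
    """d= domains that passed DKIM, per Authentication-Results headers stamped
    by our own MTA only; a sender can inject headers with any other authserv-id."""
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in value.split(";")]
        ident = parts[0].split()
        if not ident or ident[0].lower() != TRUSTED_AUTHSERV:
            continue
        for result in parts[1:]:
            m = re.search(r"header\.d\s*=\s*([\w.-]+)", result, re.I)
            if m and re.match(r"dkim\s*=\s*pass\b", result, re.I):
                domains.add(m.group(1).lower())
    return domains

def allow_by_dkim(raw):
    return bool(dkim_pass_domains(message_from_string(raw)) & ALLOWED_DKIM_DOMAINS)

def allow_by_return_path(raw):
    """The weak rule: trusts an envelope sender domain shared by many tenants."""
    rp = message_from_string(raw).get("Return-Path", "")
    return rp.strip().strip("<>").lower().endswith("@" + SHARED_RP_DOMAIN)

def build(auth_results):  # constructed sample message, not real traffic
    headers = ["Return-Path: <bounce@" + SHARED_RP_DOMAIN + ">",
               "From: News <news@partner.example>"]
    headers += ["Authentication-Results: " + ar for ar in auth_results]
    return "\n".join(headers) + "\n\nbody\n"

SAMPLES = {
    "partner": build(["mx.recipient.example; dkim=pass header.d=partner.example"]),
    "other_tenant": build(["mx.recipient.example; dkim=pass header.d=other-tenant.example"]),
    "injected_header": build(["mx.elsewhere.example; dkim=pass header.d=partner.example",
                              "mx.recipient.example; dkim=fail header.d=partner.example"]),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "return-path:", allow_by_return_path(raw), "dkim:", allow_by_dkim(raw))
```

The Return-Path rule accepts all three samples, while the DKIM rule accepts only the message whose signature verified for the allowlisted domain.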

Tom_Kerlin2
Level 8

Hi Jasmine,

This has come up for us before as well - It would be great if Marketo provided some sort of documentation for clients to send to unmailable recipients.

Here's an eBook Marketo sent me that explains email deliverability in more detail: https://info.dh.com/rs/450-PSA-364/images/eBook-Marketo-Email-Deliverability.pdf

Tom Kerlin

Devraj_Grewal
Level 10 - Champion Alumni

Jasmine,

I asked a similar question quite recently: Instructions for customers on how to whitelist Marketo