Knowledgebase

Featured article

(Article Updated - August 2024) Overview A blocklist is a database of IP addresses or domains that have been associated with the sending of unsolicited commercial email or spam. Internet Service Providers (ISPs) and business email networks use information from blocklists to filter out unwanted email. As a result there can be a drop to inbox delivery rates if the IPs or domains involved with sending email are listed on a blocklist. Marketo’s Email Delivery and Compliance team monitors blocklist activity on our IPs and domains daily. When an impactful listing occurs, we reach out to the blocklist, attempt to identify the sender that triggered it, and work with the blocklist organization to get the listing resolved. There are thousands of blocklists, most will not have a significant impact on your delivery rates. Below, we have compiled a list of the blocklists that commonly appear across our sender ecosystem. Each blocklist has been grouped into a top tier (Tier I) by most impactful, to the bottom least impactful tier (Tier III). These may have little to no impact across our sender network. Tier I Blocklist Spamhaus (SBL) Impact: Spamhaus is the only blocklist that we categorize as a Tier I for a reason: it has by far the greatest impact on delivery. It is the most well-respected and widely used blocklist in the world. A listing at Spamhaus will have a negative effect on your ability to deliver emails to your customer’s inbox and can cause bounce rates of over 50%. Evidence suggests that most of the top North American ISPs use Spamhaus to inform blocking decisions. How it works: Unlike many blocklists, Spamhaus lists senders manually. This means they are proactively watching sender activity, collecting data, and base listings on a number of variables. Most commonly senders are listed for mailing to spam trap addresses that Spamhaus owns. Sometimes Spamhaus will list senders based on recipient feedback as well. Next Steps: Please note that every Spamhaus email can be quite different depending on the information provided and the nature of the listing . Because Spamhaus has multiple types of listings, the remediation steps are based on which type of blocklisting has occurred. We have listed the most common types to affect Marketo customers, from most to least impactful. Impact can range from a full block of top severity, to a partial block that is less severe (CSS Data, DBL). If remediation isn’t performed and the problem not addressed, these listings can increase in severity and turn into a full blocklisting. Spamhaus Blocklistings Types SBL (full blocklisting) Considered the most impactful. Remediation steps: Our team monitors closely for Spamhaus listings. Once alerted to the listing, we send an email notifying the customer, and reach out to the Spamhaus contact to start the remediation process. Only a Marketo delivery team member should be in direct correspondence with the Spamhaus contact, to speak on behalf of the customer, and to relay their questions and instructions, ensuring quick resolution and reduced impact. Senders that trigger this listing on a shared IP range will be moved to a more isolated, penalty range (IPB), so as not to impact the other shared senders. Those affected on a Dedicated IP, only impact their own sending and will not be moved. However, depending on the severity of the issue, our team may need to revoke a customer’s ability to send any emails until full resolution. The listing will last until Spamhaus is satisfied that the offending sender has taken the appropriate steps to mitigate the problem. SBL CSS Customers are alerted of the listing with an email containing all the information needed to immediately begin the remediation process. This is part of an automated trigger listing, that allows for a customer to delist directly on the Spamhaus website, after they’ve completed remediation. Remediation steps: Customers will go to the Spamhaus IP lookup website, at https://check.spamhaus.org, where they can check on the status of their IP and continue to monitor it in real time, until it is no longer listed there. Follow the remediation and delisting instructions provided, and check for specific details in the blocklist notification email. DBL (Domain blocklisting) Customers will receive an email notification alerting of the company domain being listed. The email will contain specific information to help narrow down and identify which email source likely triggered it within Marketo. It’s important to note that any email sent from outside of Marketo, that contained the company domain, is suspect. This means, if the sender uses multiple IPs and/multiple email platforms, then any of those could be the source. Remediation steps: Follow the detailed instructions in the email, which will also provide a link to the Spamhaus Domain reputation checker webpage, to check the real time listing status of the affected domain. Once the email source is identified and cause addressed, this customer will follow the online instructions to request to be delisted. Tier II Blocklist SpamCop Impact: SpamCop is not used by any of the major North American ISPs to inform blocking decisions, but it makes it to the Tier II list because it can have a significant impact on B2B email campaigns. SpamCop is considered a Tier I one blocklist for B2B marketers but a Tier II for B2C marketers. SpamCop is a dynamic IP blocklist, that can affect a single IP or a subset of IPs Typically, the block will automatically lift within one business day, but can take longer for relisted IPs. To have triggered a SpamCop listing likely means the sender has a list management problem that should be addressed. How it works: SpamCop lists IPs for one of two reasons: Either the email hit SpamCop spam trap addresses OR A SpamCop user has reported the email unwanted. Most of SpamCop’s spam traps are previously valid addresses that have not been active for 12 months or longer. Remediation steps: If you are seeing a significant number of bouncing emails caused by a SpamCop blocked IP but aren’t sure if your email activity triggered the listing, first identify whether you are sending on a shared sender network or not. If sending from a shared IP range when this occurs, you or any other customer sending from the same network may have contributed to the IP block. This IP block will automatically get dropped within a business day. For those on a Dedicated IP that trigger a listing, refer to the above remediation steps and resources, to address the list management issue. Tier III Blocklist (Low/ No impact ) These are considered the lowest tier and therefore cause the least impact across the Marketo sender ecosystem. Some of these blocklists were more impactful at one time, while others are only impactful based on the sender region (Manitu). Others still can suddenly flare up (Lashback). There are also many blocklists that are ignored (0spam), and are not taken seriously because they do not provide any means to delist once on the list (NoSolicitado) or that they charge money to have the listing removed ( UCEPROTECT ). The pay-to-delist model is not well respected in the email industry. When using blocklist tool checkers, such as MXToolBox, many blocklists will appear, but very few are relevant. Here is our selection of Blocklists you may come across that are least impactful: Project Honey Pot SpamAssassin URIBL/SURBL DrMX PSBL 0spam HostKarma Ascams ZapBL Barracuda Trendmicro Inc. Cloudmark Proofpoint Invaluement ISP Blocklists Some ISPs use internal blocklists to make blocking decisions. Examples include AOL, Yahoo, Gmail, Outlook and Hotmail. If your IP is being blocked by one of these networks, and those networks have a large presence in your lists, a block of this kind could have a noticeable negative impact on delivery. Marketo monitors for significant ISP blocks. Those experiencing deliverability issues with emails not making it to the Inbox and bulking in the spam folder may benefit from additional services with our Email Delivery Consultants. Remediation Steps: Email Delivery Compliance Team works to resolve any ISP blocks. ISP blocks are are usually resolved or lifted within less than 24 hours of a delisting request. Customers experiencing significant blocks for Microsoft domains (outlook.com, live.com, microsoft.com), can submit a request to the delivery team to seek mitigation on their behalf. Additional Resources: Blocklist Deep Dive Abuse Report Deep Dive What is a spamtrap, or spam trap, and why does it matter? Blocklist remediation Blocklist resolution flowchart Successful lead reconfirmation What is a blocklist?

Issue Changing your primary domain can be a bit of a daunting task if you don't know where to start, this guide will walk you through the steps you will need to take to use a new domain with your Marketo instance. Solution Create your new CNAME and point that to your Marketo instance. If this new CNAME is going to be used as your primary domain, then the Domain Name in Admin > Landing Pages will need to be changed to reflect your new domain and your old domain should be added as a domain alias so any old links will be redirected to your new domain Add Additional Landing Page CNAMEs Adding a new branding domain is recommended when changing your domain. This will allow tracked links in emails add a tracking cookie when being directed to your new domain. A new CNAME will also need to be created for this and will need to point to the original tracking link for your instance. Add an Additional Branding Domain with Workspaces If you plan on signing your emails with your new domain, setting up a new SPF/DKIM record is recommended to help keep your deliverability rates as high as possible. Set up SPF and DKIM for your Email Deliverability Set up a Custom DKIM Signature

Technically, you cannot move records backwards in a progression status. The only so called “backward” status that you can change the record to is a progression status of “Not In Program”; however, doing this removes them from the membership of the program. If you do this procedure, this will allow you to re-add them with a different status. We mentioned technically this cannot be done but logically, there is another method that allows you to juggle the record’s progression status but in a more lateral movement with what appears to be in a “backward” state. This is all dependent on how you have your channel steps configured. To access your channel steps, please do the following: Choose Admin Choose Tags Click the + next to Channel Locate the channel you wish to configure and highlight it Click the drop-down menu towards the top of Tag Actions, and select Edit You should now see a pop-up window that allows you to configure the status steps for that channel like the following example: This is a article attached image If you configure statuses that have the same step number, this will allow you to move the record in a lateral movement which, in a sense, is somewhat like a backward progression but it really isn't. With the example screen capture, I can do a change in progression status of “Invited” to “Attended Show” and vice-versa because the step is with an identical number. If I wanted to change in progression status of “Invited” to “Engaged” and back, it will not work because the step value is not identical. You can reference more information about this in the Create a Program Channel article.

Overview SSO Authentication Updating SSO Credentials Tips SSO Only Login Wait to disable the existing certificate Overview Marketo’s Single Sign On (SSO) feature allows your company to use your own company’s SSO service to authenticate your login into your Marketo instance. Your initial setup of the SSO is covered in the documentation here. You may need to change your SSO authentication settings after the initial setup. This document will show you the process on how to do so. SSO Authentication The Identity Provider (IdP) you use will provide you with your SSO authentication credentials and security certificate. Marketo uses this information to validate your login from your IdP, so these credentials come from your IdP. Updating SSO Credentials Once you have retrieved the new security certificate, you can enter it into Marketo. 1. Under Admin click on Single Sign-On. 2. Select Edit in the SAML Settings 3. Enter your Issuer ID, Entity ID, select the User ID Location and click Browse. 4. Select your Identity Provider Certificate file. 5. Click Save. Tips There are a couple things to watch out for when changing your SSO certificate. Here’s a couple tips to avoid trouble along the way. SSO Only Login If your company uses SSO for login, you’ll have an optional setting to restrict login access to your Marketo instance to SSO logins only. This prevents users from logging in directly, forcing the use of SSO. You can check for this setting under Admin > Login Settings These settings do allow the creation of a special User Role that can bypass the SSO restriction. However, sometimes as people come and go within the company, the users enabled with that User Role could no longer be available. TIP: Before changing your SSO certificate, create a new user utilizing this User Role that bypasses the SSO requirement. If something goes wrong while setting up the new certificate, you’ll be glad you have a back door into the Marketo instance! Wait to disable the existing certificate Your IdP will issue a new certificate, but what if something goes wrong while entering the new information into Marketo? TIP: Get the new certificate and set it up in Marketo before you fully disable the existing certificate within your IdP on their side. If something happens to the new certificate, you’ll be glad you have the do-over available and can switch back to the existing certificate that still works!

Issue Issue Description After several failed login attempts you are locked out of your Account. You get the message "Account locked due to too many failed login attempts. Reset password and login again." This is a article attached image Solution Issue Resolution Marketo Locks a user automatically after 5 failed login attempts. You can either reset the password or have Marketo Support unlock your user from the backend if you know your password.

Issue Authorized support admin unable to find a contact to add as authorized support contact. Solution The contact will need to have logged in to the community (nation.marketo.com) at least once for their profile to be created and recognized in the system. "In order to appear on the list of available contacts, the user must have clicked Community (while logged into Marketo) at least once." docs.marketo.com/display/public/DOCS/Manage+Authorized+Contacts+in+the+Community Once the contact has logged in to the community, the authorized support admin should be able to see the contact to be added as an authorized support contact.

Issue The URL for the landing page shows as "https" even though you do not have SSL set up on your Marketo instance, causing the browser to display a "Not Secure" warning. Solution This can happen if the primary domain and DNS are SSL secure, but Marketo is not. For instance, if your primary domain is "mycompany.com" (SSL secure) then the DNS, which is also SSL secure, will push down the "https" transfer protocol down to all the CNAMEs on that DNS. This will force the Marketo landing page using the CNAME to use "https" in the URL, even though it is not secure. There are two ways to resolve this: Work with your IT department to see if there is a non-SSL option for your DNS Purchase SSL for your Marketo instance so that both your primary domain and your Marketo pages are SSL secure. If you would like to add SSL to your Marketo instance, please contact your Account Manager to see about adding that to your subscription.

Congratulations on being the Support Admin for your company. It's a very important role for your organization and with the new Marketing Nation, the support admin role is expanding even more. Let's go over some of key things you can do as the Support Admin. You can submit support cases to Marketo Support This is one of your key abilities. Submit cases on behalf of your company to our Marketo Support Team for assistance. Manage your list of authorized contacts You have the ability to add and remove contacts from your list of authorized support contacts. This becomes important if people leave your company or if teams switch out your main Marketo users. If someone needs the ability to contact Marketo Support, you're the one to make that happen for them. Invite people to your account space (NEW) That's right,. You own the guest list to your Account space. You get to invite people from your company to this space. You can remove them from this space and you can also ban them from ever entering this space if you wanted to. This is a newly added feature within the Marketing Nation. Manage your Company Space (NEW) You're not just the Support Admin, you are the admin of this space. Adjust this space as you need it, If there are different types of content widgets or text boxes you want to add to this space, you can do it. This is a space for your company's use and benefit, so do with it as you need it. Our team is on hand to assist you with any questions you have to manage this space. You can contact us by sending an email to supportfeedback@marketo.com. Is this article helpful ? YesNo

Issue How do you delete the data in Marketo Custom Object records, or in specific fields on the custom object if the the custom objects have already been created and approved? Solution Marketo Custom Objects are not accessible via the User-Interface. API calls must be utilized in order to delete this record data. You can delete the records via the 'Delete Custom Objects' call Delete Custom Objects If you are interested in extracting any of the existing data, you can use the following GET call. You will need to make a 'Get Custom Objects' call Edit Custom Objects Here is an additional resource that may be useful and relevant List Custom Objects

Summary This method can be used when moving a CNAME from an old instance to a new instance. Often at times, when changing to a new instance, this question can come around, and ones would wonder how to do it or a solution on how to do it. This steps will show you the two phases which I will explain below. (Note: This would need to be done before the old instance deactivated) Issue A CNAME needs to be moved from an old instance to a new instance Solution NOTE: You cannot have the same CNAME in two different instances (Pointing to two instances, e.g. cname1.company.com pointing to instance1.mktoweb.com and instance2.mktoweb.com) Key terms: CNAME 1 = Initial cname in the old instance CNAME 2 = Additional cname created in the old instance INSTANCE1 = Old instance (Instance Name) INSTANCE2 = New instance (Instance Name) Phase 1: --------------- 1. Create an additional CNAME (a replacement CNAME) which you would want to swap as the default in the second step. CNAME 1 > INSTANCE1 (Default) <Existing CNAME in the Marketo Admin > Landing Pages section> CNAME 2 > INSTANCE1 This would be the additional CNAME created for the replacement. 2. Swap the default with the replacement CNAME you just created in step 1 and set this CNAME1 as a domain alias in the old instance. CNAME 1 > INSTANCE1 A domain alias in the old instance. CNAME 2 > INSTANCE1 (Default) ————————————————————————————————————————————————————————————————— Phase 2: --------------- ** Transition might not be smooth during the cutover. 🙂 (The Landing page links might get some interruption during the cutover) During the Cutover (Before the old instance deactivated) : 1. [Your Action] - To remove the CNAME1 which is a domain alias in the old instance (INSTANCE1) 2. [Your Action (IT Team)] - To create CNAME1 as a domain alias in the new instance (INSTANCE2). (During this time the link to old landing pages will be broken) 3. [You need to raise a support ticket to enable SSL for CNAME1 for the new instance (INSTANCE2). If you have any questions, please contact Marketo Engage Support at https://support.marketo.com. Environment Production/Sandbox

Issue A recent Smart Campaign or Email Program sent Person records in Marketo more emails than should be allowed based on settings in Communication Limit Settings in the Admin area of Marketo. Solution This is commonly caused by one of three things: The emails that sent after the communication limit was hit were Operational. To verify if this is the case, select the email asset from the menu tree on the left and review the summary of the asset in the canvas where you will see if the email is Operational or not. The Block non-operational emails checkbox is not checked in Edit Communication Limit Settings. Setting values the "Per Day" and "Per 7 Days" dropdown menus does not enforce the communication limit. In order for this limit to be enforced, the "Block non-operational emails" checkbox must be checked. Enable Communication Limits The Email Program or Smart Campaign are not set up to follow Communication Limits. Apply Communication Limits to Smart Campaign Enable/Disable Communication Limits in an Email Program

Issue You create a new field on the Lead and Contact objects in SFDC and two fields are created in Marketo, one mapped to Lead and the other mapped to Contact. Solution You will see this behavior if the an SFDC field is created on two objects across more than one sync cycle, one before a sync cycle starts and the other one during or after the sync cycle completes. To ensure both the lead and contact show up mapped to the same custom field Marketo, do the following Disable the global sync in Marketo. (Admin > Salesforce) Create the field on your desired objects in SFDC. Make sure they both have the same API name. Re-enable the global sync in Marketo, allowing the field in both objects to sync down to Marketo at the same time. If you find yourself with multiple fields in Marketo after the sync, contact Marketo Support to have the fields merged or remapped as necessary.

Summary Creating many-to-many relationships with Marketo custom objects requires an intermediary object with one link to a Lead or Company and another link to a secondary custom object. Here's how to solve the problem of the secondary custom object not showing up to be selected as the linked object. Issue Creating a many-to-many or N:N custom object structure such that a lead or company can be associated with multiple custom objects and a custom object can be associated with multiple leads or companies at the same time. When adding a link to the secondary custom object, that secondary object is not list as an available linked object. Solution If you find that the custom object you'd like to link to is not list in the "Link Object" list, there are two things two check: The secondary CO must be approved. The secondary CO must not have any link type fields. Since it's not possible to change a link field once a custom object is approved, if you already have link fields, the only solution is discard the secondary custom object and create a new one. Recreate the custom object without link fields. Then, in the intermediary object, the target object will show up as an available link object. More detail can be found at: Understanding Marketo Custom Objects Add Marketo Custom Object Link Fields - Create a Link Field for a Many-to-Many Structure Root Cause The secondary custom object type is not approved. - or - The secondary custom object type is approved type and has link fields. Environment Marketo Custom Objects Many to Many Relationship - N:N Link Fields

Issue Per our developer page: https://developers.marketo.com/rest-api/assets/programs/#update, it is possible to update tags on your existing program When updating a program tag within an existing program, you may encounter an error below given the tag and its values are correct. {"code": "709","message": "Required tags are mandatory"}]} Environment Any API clients when performing the Web Service API Solution The workaround is to have the tag updated via the UI. Root Cause "Updating tags is a destructive operation." Any attempt to update the tags of a program must include valid values for all of the required tags for a program. Unless the 'specific' tag type you are working on is the only required tag type in the instance, then that is possible to update it using the API. Otherwise, you'll encounter the error above as it is a system behaviour.

Issue After updating the Unsubscribe HTML and Text in Admin>Email, newly added tokens may not render as expected. Solution To resolve the behavior, you'll need to do the following after updating the Unsubscribe settings in Admin: 1) Navigate to the various emails within the instance and un-approve them. May require removing references to the email first. 2) Re-approve the emails. 3) Add back any references to the email asset. Why this needs to be done: When the email asset is approved it goes through a validation process for all the tokens that are used and this includes the global unsubscribe settings. When editing in Admin >Email > Unsubscribe the validity of tokens is not checked upon saving those changes. If a invalid token is added, something like {{lead.nonExistingField}}, no errors are thrown and it'll return that string value. The verification is done when the "approve" email functionality is used on email assets. This steps retrieves valid tokens list used in the email and adds/updates them in a backend table for use/reference. The update to the global unsubscribe settings doesn't cause the stored information to reference the newly changed settings in Admin. To cause that validation process to go through successfully and update the information on the back end, you'll need to un-approve and re-approve the various emails within the instance to use the new global settings.

Issue Issue Description Not receiving device authorization email when attempting to login from a new device or from a new location the system. Solution Issue Resolution The main reason that this can happen is due to a typo in the email address that communication is sent to for your login. If you are not receiving the device authorization email, reach out to Marketo support by emailing support@marketo.com and we can manually authorize your device or location. To prevent this behavior from continuing to take place we recommend you do the following: After you've gained entry into the Marketo instance, we recommend you visit Admin > Users & Roles and confirm that the email address listed is spelled correctly. Validate with your IT team to ensure that Marketo is whitelisted using these IP addresses: Whitelist Marketo IPs

Issue Executing a GET API call to retrieve a list of available activity types in the target instance using the '/rest/v1/activities/types.json' endpoint, resolves with an unexpected attribute name for a field with the display name ID in the context of Marketo Custom Objects. An example of that may be a Marketo Custom Object with the following name: '3 to be', as can be shown in the image below: One of the '3 to be' Marketo custom object fields name is 'ID'. (highlighted in red). When performing a GET API call using the '/rest/v1/activities/types.json' endpoint, you will be getting a list of available activity types in the target instance, along with associated metadata of each type, however for a Marketo custom object with an ID field name, you may see it returns back with a slightly different name, in this case, it would be returning the following output for my test Marketo Custom Object activity: { "id": 100019, "name": "Add to 3 to be", "primaryAttribute": { "name": "3 to be ObjRef", "dataType": "integer" }, "attributes": [ { "name": "3 To Be Person Id", "dataType": "integer" }, { "name": "ID (3)", "dataType": "string" }, { "name": "Linkfield4", "dataType": "string" } ] } ], Here's an image of what it may look like when making the call using POSTMAN: In fact, the character in the brackets next to the ID field represents the very first character of your Marketo Custom Object name. Environment Customers who have Marketo Custom Objects where one of the custom object fields is named 'ID'. Solution If this is interrupting your business, you may want to select a different name for the ID field under your Marketo Custom Object. (ie. ID number, Transaction ID etc.) Root Cause This behavior is expected and is a result of the 'ID' field being a unique field in the context of Marketo custom objects world and while it may be possible to create a Marketo Custom Object field with the name 'ID', it may be better to give it a distinct name that will be better describing what kind of ID field it is.

Issue When adding new IP Address to the IP Restrictions list on Admin > Login Settings > IP Restrictions, you receive this error message: "Your current IP address (XXX.XXX.XXX.XXX) cannot be blocked." Environment Admin IP Restrictions Login Solution Ensure that you have Admin Access to the Marketo instance and that you have logged into the Marketo instance via one of the IP Addresses listed on the IP Restrictions list. Root Cause User logging into the instance with an IP Address not on the IP Restrictions list.

Issue What type of HTTP Redirect Rules does Marketo use when you setup a redirect rule in Admin > Landing Pages? Solution Internal Pages such as landing pages hosted on Marketo will use a HTTP 301 Redirect External pages & non landing page URL's (when using "non-Marketo landing page") used in the redirect rule will utilize a HTTP 302 Redirect: Branding links do not use an HTTP Redirect and use a script-based redirect on the Branded links page. Example: Email branding link - go.mybranddomain.com/ABCDEFIlB0ETg0X063WLL1 is a Marketo hosted page that utilizes a script to redirect & point to thetargeturlinanemail.com

Knowledgebase

Maintaining a Directory of Leads Bouncing Emails

Top Blocklists - What You Need to Know

Changing Landing Page and Tracking Link Domain

How to Export Salesforce Mapped Fields

Backward Progression Status

Changing your Single Sign On Certificate

User Locked Out after Failed Login Attempts

Unable to Add Authorized Support Contact

Browser Displays Not Secure Warning When Viewing Marketo Landing Pages

Being a Support Admin, a Duty and a Privilege

Deleting Marketo Custom Object Record Data

Moving A CNAME From An Old Instance To A New Instance

Email Sent to Leads Who Have Exceeded Their Communication Limit

Creating a New Field in SFDC Creates Two Fields in Marketo

How to Change the Display Name of Your Marketo Instance

I can't add a link from one custom object to another.

API Error 709 When Updating Tags of an Existing Marketo Program

Tokens not resolving properly after editing Unsubscribe in Admin

Not Receiving Device Authorization Emails

Get Activity Types via API returns a character wrapped in brackets for a Marketo Custom Object field named ID

Restrict Marketo Logins Based on IP Error

How Do Marketo Redirect Rules Work?