Questions? Ask Support!
Securing your Adobe Marketo Engage Landing Pages
By default, Marketo Engage serves domains as HTTP, and historically we’ve given our customers the choice of whether or not to secure their Marketo Engage domains (HTTPS); however, in 2018, browsers enforced new security measures to better protect their users - one of which was to flag all non-secure (HTTP) web pages with a visible "Not Secure" warning (the unlocked pad lock icon in the address bar). This effectively shifted the choice of using secured (HTTPS) domains from a best practice to a requirement. Marketo Engage's Secured Domains solution secures any and all domains defined in your instance so they will be served via HTTPS. For a full explanation of the benefits Secured Domains provides, in contrast with a basic SSL certificate, please see this Nation Post.
NOTE: As of late 2019, Marketo Engage changed it's pricing/packaging to now automatically include a base Secured Domains package with ALL subscriptions. This base offering secures the first landing page domain and first tracking link domain to provide all of our customers with the basic necessities of digital marketing. Should you use more than these two domains, they may be purchased a la carte, so customers only pay for what they need. Contact your Marketo Engage Customer Success Manager to purchase additional Secured Domains or discuss further.
Identifying Landing Page Domains in Your Instance
Please note the below only covers securing your Landing Page domains. For steps on how to secure your Tracking Link domains, please visit this Nation Post.
New Subscriptions:
If you’re a new Marketo Engage customer with a new subscription, one of the steps in setting up your instance is to set your CNAMES, landing pages domain name, and any domain aliases. For more information see, Customizing Your Landing Pages URL with a CNAME and Adding Additional Landing Page CNAMEs. Once this is done, you’ll be ready to count the unique domains (as described below) and initiate the Secured Domains provisioning process through Support.
Established Subscriptions:
Have you had your Marketo Engage subscription for a while and want to know how many landing page domains you have configured in your instance? If you’re a Marketo Engage Admin, you can see your landing pages domain name and domain aliases by navigating to:
Admin console > Integration > Landing Pages
On the Landing Pages tab, you’ll see your landing pages Domain Name. In the example www.info.mycompany.com, the first part of the URL (info.) is your CNAME and the second part (mycompany.com) is the top-level domain (TLD). Marketo charges per unique top-level domain - i.e. only the orange part.
Next, you’ll also need to check the Rules tab and look for Domain Aliases.
It’s important to note that when it comes to securing your Marketo Engage landing pages, the Secured Domains for Landing Pages process will secure all of the domains in your instance. It’s an all-or-nothing action, meaning you cannot chose which domains to secure for HTTPS and which to leave HTTP. And don’t worry – we’ll count these up for you so we can scope your subscription correctly.
The Secured Domains Provisioning Process
The process to secure your landing page domains includes steps that must be completed on Marketo Engage’s side as well as steps that you’ll need to complete in your instance prior to us enabling HTTPS.
First, you'll need to configure your domains, choose a CNAME, and point it to your unique Marketo domain (i.e. prefix.mktoweb.com). These first-time-setup instructions can be found here.
Then, you'll need to contact Marketo Support to complete the process.
NOTE: Domains are NOT automatically secured once they're configured in your instance - you MUST contact Support for any domain changes!
On our side, we’ll first provision your prefix.mktoweb.com domain on Cloudflare servers, then complete the secure handshake validation between DigiCert and Cloudflare to provision the necessary SSL certificates to serve your landing pages over HTTPS.
On your side, to ready your instance for the conversion to HTTPS, you’ll need to review, update and re-approve your landing pages:
Change all images, JavaScript files and other external links in landing pages to HTTPS. Pages with HTTP links may display an “Insecure Content on Secure Pages” error. You can read more about that here: What Exactly Is a Mixed Content Warning?
If you include a Marketo Engage landing page on a secure website using an iframe, you will need update the HTML to load the secure version of the landing page, otherwise the end user will get a security warning.
If you use a Marketo Engage Form on a non-Marketo Engage page, you will need to update the follow-up URL to HTTPS if you’ve explicitly referenced a HTTP page.
Once you’ve completed the steps above, it’s time to coordinate the cut-over to HTTPS with Marketo. You’ll need let Marketo Engage Support know that you’re ready to initiate the cut-over process.
NOTE: To help ensure a smooth transition, please confirm with your IT team that they have NOT placed a CAA against DigiCert on your top-level domain (this grants permission to only specific vendors to issue SSL certificates to your domain). We’ll work with you to plan a time when you have few or no upcoming batch campaigns running, and also a time when your team is available, if needed, to make a few updates in your Marketo instance.
RECOMMENDATION: After the cut-over, you may notice that images are not displayed in the Marketo Engage email editor or preview mode. Rest assured your emails will send correctly and the images will render for recipients. To see the images in Marketo Engage, you must adjust the image URLs from HTTP to HTTPS in the editor. Again, whether you take this step or not, the images will render properly for your email recipients.
That’s it! Once our team enables Secured Landing Pages for your instance, your landing pages will be served via HTTPS. Of course, it’s a good idea to do some validation of your pages after the cut-over to be sure your pages are loading correctly, images are loading, and that you didn’t miss any hard-coded HTTP links. Moving your pages to HTTPS, you can rest assured that you’re providing critical security and data integrity for both your pages and your visitors’ personal information. Good job, you!
OTHER HELPFUL FAQs
Cloudflare has blocked my domain from being secured by Marketo Engage. What does this mean and how do I resolve it?
Cloudflare takes security steps on their SSL for SaaS v2 platform used by Adobe Marketo Engage to ensure domains belonging to the internet's most popular brands and websites are not issued SSL certificates without explicit permission from it's owner. Cloudflare pulls from the list of the top 1 million domains on the internet from Tranco to determine which domains it will block from securing without consent.
Adobe does not control the content of this list and cannot make changes to add or remove your domain. If your domain is on this list, Customer Support may report that your domain is unable to be secured without taking extra steps. Your business may either:
Request a certificate from LetsEncrypt instead of Digicert. LetsEncrypt offered certificates do not have the same restrictions.
Submit a Letter of Authorization with your request to Customer Support. This must be a signed letter on company letterhead confirming that your company authorizes Adobe Marketo Engage to secure your requested subdomains.
Do I need to provide a TLS/SSL Certificate?
No, in fact, to avoid the unnecessary hassle, risk and fire drills caused by expired certificates, Marketo Engage now only accepts customer-provided certificates on an exception-only basis. The certificates included with Secured Domains auto-renew annually without any human interaction on either side.
What Certificate Authority (CA) issues the certificates for the Marketo Engage’s Secured Domains?
The certificates are authored by DigiCert.
What type of certificate is provided?
We produce a pack of two certificates; The primary certificate uses a P-256 key, is SHA-2/ECDSA signed, and will be presented to browsers that support elliptic curve cryptography (ECC). The secondary or fallback certificate uses an RSA 2048-bit key, is SHA-2/RSA signed, and will be presented to browsers that do not support ECC.
Will my domains be on a shared SSL certificate with other companies?
Absolutely NOT! That's like sharing the same car lock with other people - avoid dealing with vendors who offer this service. Each of your domains will get its own certificate, meaning you will not be on a shared certificate with other companies.
Will all the subdomains be covered?
Marketo Engage defines a subdomain interchangeably with CNAME for billing purposes. As an example, with your company.com domains, the subdomains go.company.com, info.company.com, help.company.com etc. would could as 3 unique subdomains. Please keep in mind that company.com, company.com.uk, company.com.ca are separate top-level domains.
Can I choose which domains/subdomains to secure?
Securing your domains is all-or-nothing, meaning the process automatically secures all domains/subdomains you've set up in your instance. If you do not use or need old domains lingering in your instance, be sure to delete them so you're not charged.
If I have a CAA record, can it affect my certificate issuance?
Yes, CAA records MUST be configured to allow DigiCert issuance, or else we will be restricted from issuing one. Please check with your IT team to ensure this is not a blocker. Further information: https://www.digicert.com/dns-caa-rr-check.htm
Can I provide my own SSL certificate to secure my domains?
Not unless they are the Extended Validation (EV) certificate type. If not, but your IT team has instructed you they must manage them, please reach out to your CSM with the business use case and any details to request an exception. Please note this only causes additional risk, hassle, time, and effort on all parties.
We require an Extended Validation (EV) certificate. Can the Secured Domains for Landing Pages product accommodate this?
Since the certificate provided with Secured Domains is not an Extended Validation (EV) type, Marketo Engage absolutely allows customers who require this (typically healthcare, finance, government) to procure the EV certificate/private key and provide this to Marketo Engage Support; however, please note you will then be 100% liable for managing/renewing/sending Marketo Engage the new certificate with ample time to install it to avoid expiration. Expired certificates will not be categorized as a P1.
What Marketo Engage configuration is required to complete the Secured Domains setup?
One or more CNAMEs for the Marketo Landing Pages must be configured in the Admin section of the application as described here: Setup Steps - Marketo Docs - Product Docs
How many domains can I secure?
Technically, as many as you like. However, please note there is an additional cost associated with secured multiple domains beyond the first two covered by the base offering.
If I am using Domain Aliases in my Marketo Engage subscription, do I have to secure each of these?
Securing your Marketo Engage landing pages requires you to secure all domains used in your instance including your Domain Aliases.
How do I see the Landing Page domains in my instance?
Marketo Engage Admins can see your landing pages domain name and all domain aliases by clicking on Landing Pages in the Integration section of the Admin console. On the Landing Pages tab, you will see your full Landing Page Domain Name. On the Rules tab, you will find all Domain Aliases set up for your instance. For the Secured Domains for Landing Pages you will need to count the number of domains used in your instance. When counting domains, please provide the number of unique top-level domains – only the orange part here: www.info.mycompany.com
Are Domain Aliases for different countries counted separately?
When counting domains, you might have the same CNAME but unique top-level domains: info.mydomain.com, info.mydomain.au, info.mydomain.de. Even though the CNAME is the same, the top-level domains (mydomain.com, mydomain.au and mydomain.de) are unique and thus counted as such (3 total domains). Vice-versa, unique CNAMEs (info., go., pages.) with the same top-level domain (mycompany.com) are considered subdomains of a single top-level domain.
Will URLs to the existing non-secure (HTTP) Marketo Engage Landing Pages continue to work?
Your existing HTTP URLs will continue to work and will automatically be redirected to the secure (HTTPS) pages. There are only few situations where you may have to manually update the URL, specifically when you include a Marketo Engage landing page on a secure website using an iframe. In this case, you will need to load the secure version of the landing page, otherwise the end user will get a security warning.
Does securing my Marketo Engage landing pages also secure my corporate website?
No. Marketo Engage Secured Domains only affects the landing pages served by Marketo, because the underlying domain is technically a Marketo Engage domain (i.e. your CNAME 'points' to prefix.mktoweb.com). It does not affect any pages on your corporate (non-Marketo) website.
If I don’t use Marketo Engage Landing Pages, do I need Secured Domains for Landing Pages?
Most likely, as there are many aspects of Marketo Engage that rely on your domains being secured, such as assets and images. Further, if you are embedding Marketo Forms on secured non-Marketo Engage webpages, the default form code snippet that Marketo provides uses //[munchkinID].mktoweb.com which is a Marketo domain that can be served securely on a HTTPs parent page (the // indicates the request will use whatever protocol the parent uses). With this, your Marketo Engage form will take on the security level of the page it’s embedded on regardless of whether you’re using our Secured Domains for Landing Pages product.
Will the Munchkin JavaScript API also be encrypted via SSL?
Calls to the Munchkin JavaScript API automatically switch to SSL if the page on which the calls are made is SSL encrypted.
Can I add additional Domains to my instance and secure these too?
Once you’ve secured your landing page domains with the Secured Domains for Landing Pages process, you will need to contact Marketo Engage when adding additional domains/domain aliases. Please contact your Marketo Engage Customer Success Manager. There is an additional a la carte charge depending on the number of domains you are adding.
Do I need to secure my tracking links as well?
If your company enforces HSTS (a web directive that denies any redirects from HTTP links), you WILL need to also secure your Tracking Links for your recipients' email->landing page functions correctly. For more information on HSTS and Marketo subdomains, please see the following documentation SSL: The HSTS Policy and Your Marketo Subdomains
If not, Marketo still recommends using secured links as a best practice, as it can help with deliverability and avoid spam traps; plus, it looks far more professional to have secured links, and can foster brand confidence when your recipients know their email->web page redirect is fully secure.
For additional questions on anything technical, just ask the Marketo Support team!
If it's a pricing or commercial question, please reach out to your Customer Success Manager.
View full article