Technical FAQ: Secured Domains for Landing Pages

Table of contents


Identifying Landing Page Domains in Your Instance

As of August 2019, Secured Domains will be included as a base offering for all subscriptions, to ensure our customers are set up for digital security best practices when it comes to their marketing efforts. The base offering will secure your first Landing Page domain and first Tracking Link domain - additional domains may be purchased a la carte.


New Subscriptions:

If you’re a new Marketo customer with a new subscription, one of the steps in setting up your instance is to set your CNAMES, landing pages domain name, and any domain aliases. For more information see, Customizing Your Landing Pages URL with a CNAME and Adding Additional Landing Page CNAMEs. Once this is done, you’ll be ready to count the unique domains (as described below) and initiate the Secured Domains for Landing Pages process (if purchased or included in your instance).


Established Subscriptions:

Have you had your Marketo subscription for a while and want to know how many landing page domains you’ve got setup in your instance? If you’re a Marketo Admin, you can see your landing pages domain name and domain aliases by clicking on Landing Pages in the Integration section of the Admin console:

SSL Doc 1.png


On the Landing Pages tab, you’ll see your landing pages Domain Name. The first part of the URL (info.) is your CNAME and the second part ( is the domain. Here’s an overview of the pieces that make up a full domain name:

SSL Doc 2.png


Next, you’ll also need to check the Rules tab and look for Domain Aliases. In the example below, there are two domain aliases. One has the same domain as the landing pages domain ( and the other has a different domain (

SSL Doc 3.png


For the instance in the example above, it has been set up with two unique domains ( and It’s important to note that when it comes to securing your Marketo landing pages, the Secured Domains for Landing Pages process will secure all of the domains in your instance. It’s an all-or-nothing action, meaning you cannot chose which domains to secure for HTTPS and which to leave HTTP. And don’t worry – we’ll count these up for you so we can scope your subscription correctly.


Adding Additional Secured Domains to Your Marketo Subscription

If you need to secure more than the 1 Landing Page domain and 1 Tracking Link domain included in the base Secured Domains package, contact your Marketo Customer Success Manager to add additional domains a la carte to ensure you're covered. This should be discussed/audited at each renewal to ensure you're only paying for what you use.


The Secured Domains for Landing Pages Process

If HTTPS in NOT currently enabled in your instance, the process to secure your pages includes steps that must be completed on your end before we can provision and enable HTTPS. On our side, we’ll provision your Marketo domains on Cloudflare servers and install the necessary SSL certificates to create secure server end points to serve your landing pages over HTTPS.


A summary of the steps linked above are listed below:
First, you’ll need to review, update and reapprove your landing pages:

  • Unapprove and re-approve all landing pages. This can be done in bulk in the Landing Pages section of Design Studio by selecting a group of pages for unapprove and re-approve via the “Landing Page Actions” menu.
  • Change all images, JavaScript files and other external links in landing pages to HTTPS. Pages with HTTP links may display an “Insecure Content on Secure Pages” error. You can read more about that here: What Exactly Is a Mixed Content Warning? Note: any images hosted in Marketo will be updated automatically unless you’ve explicitly referenced them as HTTP.
  • If you use Marketo Forms 1.0 on a non-Marketo webpage, you will need to update the post URL to HTTPS (Forms 2.0 does not need to be updated).
  • If you do a server-side post to a Marketo Form and use your CNAME as the Post URL, you also need to change that to HTTPS. Please note that server-side form posts are not supported and you should make a Marketo form submission in the background instead.
  • If you include a Marketo landing page on a secure website using an iframe, you will need update the HTML to load the secure version of the landing page, otherwise the end user will get a security warning.
  • If you use a Marketo Form on a non-Marketo page, you will need to update the follow-up URL to HTTPS if you’ve explicitly referenced a HTTP page.


Once you’ve completed the steps above, it’s time to coordinate the cutover to HTTPS with Marketo. You’ll need let Marketo Support know that you’re ready to initiate the cutover process. To help ensure a smooth transition, we’ll work with you to plan a time when you have few or no upcoming batch campaigns running, and also a time when your team is available, if needed, to make a few updates in your Marketo instance.


RECOMMENDATION: After the cutover, you may notice that images are not displayed in the Marketo email editor or preview mode. Rest assured your emails will send correctly and the images will render for recipients. To see the images in Marketo, you must adjust the image URLs from HTTP to HTTPS in the editor. Again, whether you take this step or not, the images will render properly for your email recipients. In the example below, you would adjust the HTTP to HTTPS.


SSL Doc 4.png

That’s it! Once our team enables Secured Landing Pages for your instance, your landing pages will be served via HTTPS. Of course, it’s a good idea to do some validation of your pages after the cutover to be sure your pages are loading correctly, images are loading, and that you didn’t miss any hard-coded HTTP links. Moving your pages to HTTPS, you can rest assured that you’re providing critical security and data integrity for both your pages and your visitors’ personal information. Good job, you!



What exactly does Secured Domains include or cover?

As of August 2019, all NEW customer subscriptions will include 1 unit of Secured Domains for Landing Pages & Tracking Links - existing customers will have the opportunity to update to the new pricing and packaging at renewal, and secure additional domains a la carte. The base offering will secure 1 Landing Page domain and 1 Tracking Link domain per instance. This covers provisioning each domain behind our security net (WAF/CDN/DDoS protection), and  the SSL certificate.


Do I need to provide a TLS/SSL Certificate?

No. Secured Domains includes the required SSL certificates, and shifts the responsibility of managing ALL aspects of procuring and renewing the certificate to Marketo. Since the certificates also auto-renew annually, there is no need to continually provide us a new bundle/key every year. You will be updated to the new Secured Domains managed solution at either your next SSL certificate renewal, or Marketo renewal, whichever comes first.


What Certificate Authority issues the certificate(s) for the Marketo’s Secured Domains for Landing Pages product?

The certificates are authored by DigiCert.


What type of certificate is provided?

We produce a pack of two certificates; The primary certificate uses a P-256 key, is SHA-2/ECDSA signed, and will be presented to browsers that support elliptic curve cryptography (ECC). The secondary or fallback certificate uses an RSA 2048-bit key, is SHA-2/RSA signed, and will be presented to browsers that do not support ECC.


Will my domains be on a shared SSL certificate with other companies?

No. Each of your domains will get its OWN certificate. That means you will not be on a shared certificate with other companies.


What Marketo configuration is required to complete the Landing Page SSL Setup?

One or more CNAMEs for the Marketo Landing Pages must be configured in the Admin section of the application as described here: Setup Steps - Marketo Docs - Product Docs


How do I see the Landing Page domains in my instance?

Marketo Admins can see your landing pages domain name and all domain aliases by clicking on Landing Pages in the Integration section of the Admin console. On the Landing Pages tab, you will see your full Landing Page Domain Name. On the Rules tab, you will find all Domain Aliases set up for your instance. For the Secured Domains for Landing Pages you will need to count the number of domains used in your instance. When counting domains, please provide the number of unique domains – only the orange part below:

SSL Doc 2.png


If I am using Domain Aliases in my Marketo subscription, do I have to secure each of these?

Securing your Marketo landing pages requires you to secure all domains used in your instance, including your Domain Aliases.


Are Domain Aliases for different countries counted separately?

When counting domains, you might have:,, In this case, and are all counted as separate domains (in this example there are 3 unique domains that must be secured).


Can I choose which domains to secure?

No. Technically, we provision and secure domains in an all-or-nothing fashion by domain type (Landing Page or Tracking Link). This means whatever is configured in your instance will be provisioned, and you will be charged accordingly for all domains secured; if you have unused domains, please ensure you delete them so you're only charged for what you use.


What counts as a 'unique' domain? (How is this product charged?)

Reference the screenshot above that denotes CNAME + domain = full domain. For example, your top-level domain is domains, and your subdomains include (your tracking link), & (two landing pages). Commercially, this would count as 3 total domains (1 TL + 2 LP domains).


If I have a CAA record, can it affect my certificate issuance?

Yes. CAA records must be configured to allow DigiCert issuance, or we will not be able to issue a certificate for your domain. Your IT team MUST whitelist DigiCert in your DNS before we can successfully complete provisioning. Further information:


Can I provide my own SSL certificate(s) to secure my domains?

On a pre-approved exception-basis ONLY. To avoid unnecessary cost, please do NOT renew your own SSL certificate until you have spoken to Support or your CSM and received an exception. 

A major time- & stress-saving benefit of Secured Domains is that Marketo fully manages and auto-renews your SSL certificates each year. While we temporarily accepted 3rd party certificates for an interim period of almost two years, we will no longer be accepting customer-provided certificates unless you have a business/industry requirement (e.g. an EV certificate).

IMPORTANT: Another reason to use the certificates included with Secured Domains - Apple (Safari browser) announced in Feb. 2020 it will no longer accept SSL certificates valid for greater than 13 months. We expect Chrome and Firefox to follow suit. This means customer-provided certificates must be manually renewed and sent to Marketo each year - an unnecessary cost, risk, and hassle. 
If you do qualify for an exception, you will be 100% responsible for renewing your own certificate AND sending us the bundle/key well in advance of it's expiration date (we recommend AT LEAST 10 business days) to ensure it doesn't expire - expired certificate Support cases will only be categorized as P3 priority. Please ensure they are valid for only one year to comply with browser policies.


We require an Extended Validation (EV) certificate. Can Secured Domains accommodate this?

Serving Extended Validation (EV) certificates is an example of a business requirement where you WILL need to procure the EV certificate/private key and provide this to Marketo. Secured Domains must be added to your subscription to host any SSL certificate as we now provision all Marketo domains behind Cloudflare protections. The SSL certificate included with Secured Domains is not an EV certificate, and is therefore absolutely an allowed exception.


Will URLs to the existing non-secure (HTTP) Marketo Landing Pages continue to work?

Your existing HTTP URLs will continue to work and will automatically be redirected to the secure (HTTPS) pages. There are only few situations where you may have to manually update the URL, specifically when you include a Marketo landing page on a secure website using an iframe. In this case, you will need to load the secure version of the landing page, otherwise the end user will get a security warning.


Does securing my Marketo landing pages also secure my corporate website?

No. Marketo Secured Domains for Landing Pages only affects the landing pages served by Marketo. It does not affect any pages on your corporate (non-Marketo) website.


If I don’t use Marketo Landing Pages, do I need Secured Domains?

You may if you are embedding Marketo Forms on secured non-Marketo webpages. The default form code snippet that Marketo provides uses // which is a Marketo domain that can be served securely on a HTTPs parent page (the // indicates the request will use whatever protocol the parent uses). With this, your Marketo form will take on the security level of the page it’s embedded on regardless of whether you’re using our Secured Domains for Landing Pages product. However, if you prefer not to have any reference to “marketo” on your corporate website, you may choose to change this code snippet from // to //<MY_LP_CNAME> to serve the form. In this case, you would need the Secured Domains for Landing Pages product since the LP CNAME will need a security certificate associated with it to serve securely.


Ultimately, Secured Domains is required EXCEPT if you:

Do NOT use Marketo landing pages (including unsubscribe page)

DO NOT use view as webpage

DO NOT use forward to a friend

DO NOT store anything in images and files

DO NOT load embedded forms using their landing page domain


Will the Munchkin JavaScript API also be encrypted via SSL?

Calls to the Munchkin JavaScript API automatically switch to SSL if the page on which the calls are made is SSL encrypted.


Can I add additional Domains to my instance and secure these too?

Once you’ve secured your landing page domains with the Secured Domains for Landing Pages process, you will need to contact Marketo when adding additional domains/domain aliases. Please contact your Marketo Customer Success Manager. Additional domains are charged a la carte, cost is dependent on the number of domains you are adding.


If I previously secured my Marketo Landing Pages with the SSL for Landing Pages Service, do I need to switch to Secured Domains for Landing Pages?

Yes. We have discontinued the one-time fee "SSL for Landing Pages" product and process, so you will need to switch. Your Customer Success Manager will work with you to add Secured Domains for Landing Pages at your next SSL certificate renewal or at your subscription renewal, whichever comes first.


Do I need to secure my tracking links as well?

You should, per best practices. This is why we've included 1 tracking link domain as a base offering for all Marketo subscriptions. Links formatted as HTTPS will also aid in deliverability as more email clients are starting to 'dock' emails with unsecured links. If your domain enforces a strict HSTS policy on all subdomains you will NEED to secure them for the redirect to your landing page to work properly. For more information on HSTS and Marketo subdomains, please see the following documentation SSL: The HSTS policy and your Marketo subdomains


Is this article helpful ?