SOLVED

DKIM Pending Verification

jace_brendle
Level 3

DKIM Pending Verification

We've been working to get our DKIM verified with Marketo but with no luck. I've confirmed the SPF record is set up correctly, and the DKIM can be verified as accurate through MXToolbox or other DKIM/DMARC checker sites. However, Marketo is still pending setup.

Marketo support has given instructions that all our servers need to have the DKIM key on them, but we have several internal servers that our IT/Security team has issues adding publicly accessible keys to. So my question...

 

If external checker sites confirm that our DKIM record is set up correctly, does Marketo's verification matter at all? Or are we able to just leave this as 'pending verification' forever?

SanfordWhiteman
Level 10 - Community Moderator

Re: DKIM Pending Verification

Kind of hard to assist with this if you won’t reveal your domain(s).

> I've confirmed the SPF record is set up correctly,

Do you have the Marketo branded envelope sender add-on? If not, adding mktomail.com to your SPF record is meaningless and may end up breaking the record (this is true for about 1/3 of Marketo instances by my measure). Note “breaking” in this case means it’s as if you don’t have an SPF record at all, not that mail will be rejected... but this means your corporate mail is no longer protected by SPF.

> If external checker sites confirm that our DKIM record is set up correctly, does Marketo's verification matter at all? Or are we able to just leave this as 'pending verification' forever?

An external checker cannot verify that you have the correct DKIM public key. It can see if you have a syntactically valid DKIM record at the selector “M1”. But that’s not the same thing as it being the right record for Marketo.

jace_brendle
Level 3

Re: DKIM Pending Verification

Our domains are rsmus.com and rsmcanada.com

We should have the correct Marketo branded sender capabilities. 

 

SanfordWhiteman
Level 10 - Community Moderator

Re: DKIM Pending Verification

OK, also need to see the intended DKIM public records in the Marketo UI as well to compare.

What's your branded envelope sender domain? Surely it's a subdomain of one of your private domains, not the zone apex itself.
SanfordWhiteman
Level 10 - Community Moderator

Re: DKIM Pending Verification

> If external checker sites confirm that our DKIM record is set up correctly, does Marketo's verification matter at all? Or are we able to just leave this as 'pending verification' forever?

Something else I didn’t mention above: if Marketo does not verify your domain, it won’t sign your mail with your domain’s private key. So it’s not an error you can simply ignore.

 

I do think you may be right that your 4-5 inaccessible nameservers (they don’t accept any connections from outside, period) are causing the error.

 

Whether Marketo is overly aggressive in this case is debatable:

  • On the one hand, right now none of those blocked nameservers could provide the public key and validate signatures. So it doesn’t matter right now if they have the correct DKIM TXT record.
  • On the other, if one of those nameservers becomes unblocked, and at that time doesn’t have the same copy of the zone as the other nameservers, then it will return bad data and you will have sporadic rejected email, which will be very hard to troubleshoot (imagine if 1 out of every 8 DNS requests for your TXT record failed, worldwide).
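The two points raised in the replies above (a syntactically valid record is not necessarily the right key, and every authoritative nameserver has to serve the same copy) can be checked together. The following is an added example, not part of the original thread and not Marketo's verification logic; the hostnames and key values are constructed, and the per-nameserver answers are assumed to have been collected beforehand (for instance with `dig @<nameserver> TXT m1._domainkey.<domain>`).

```python
# Added example: compare the DKIM TXT record served by each authoritative
# nameserver with the public key shown in the sending platform's UI.
# EXPECTED_P and all hostnames/keys in SAMPLE are constructed placeholders.
EXPECTED_P = "MIGfMA0GCSqGSIb3EXAMPLEKEYAAAA"

def parse_dkim(txt):
    """Split a DKIM TXT record ("v=DKIM1; k=rsa; p=...") into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")  # first "=" only: base64 may end in "="
        if sep:
            # Key data is often folded with spaces; remove all whitespace.
            tags[name.strip()] = "".join(value.split())
    return tags

def classify(txts, expected_p):
    """txts: list of TXT strings from one nameserver, or None if it never answered."""
    if txts is None:
        return "unreachable"
    keys = [r for r in map(parse_dkim, txts)
            if r.get("v", "DKIM1") == "DKIM1" and "p" in r]
    if not keys:
        return "missing"
    # A well-formed record with a different p= value passes a syntax
    # checker but is still the wrong key for this sender.
    return "match" if all(r["p"] == expected_p for r in keys) else "mismatch"

def audit(answers, expected_p):
    """answers: nameserver -> TXT strings (or None). Returns nameserver -> status."""
    return {ns: classify(txts, expected_p) for ns, txts in answers.items()}

def consistent(report):
    """Strict policy (an assumption): every nameserver must serve the expected key."""
    return all(status == "match" for status in report.values())

# Constructed answers for m1._domainkey.example.com
SAMPLE = {
    "ns1.example.com": ["v=DKIM1; k=rsa; p=" + EXPECTED_P],
    "ns2.example.com": ["v=DKIM1;k=rsa;p=MIGfMA0G CSqGSIb3 EXAMPLEKEYAAAA"],  # folded
    "ns3.example.com": None,                                  # blocks outside queries
    "ns4.example.com": ["v=DKIM1; k=rsa; p=MIGfMA0GSTALEKEYFROMOLDZONE"],  # stale zone copy
}

if __name__ == "__main__":
    report = audit(SAMPLE, EXPECTED_P)
    for ns, status in report.items():
        print(f"{ns:20} {status}")
    print("consistent:", consistent(report))
```
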
jace_brendle
Level 3

Re: DKIM Pending Verification

Just to put a bow on this, we worked with our deliverability contact at Marketo and found out that because we have multiple secured subdomains we needed multiple dedicated IP addresses. Marketo support was able to set everything up correctly on their side, but our instance will always say "Pending Verification". However, I've confirmed - multiple times - that our settings are accurate and DKIM is verified with Marketo.