Hi team. We have a client who has their support email set up on a subdomain - support@nz.domain.com. Just wondering if DKIM/SPF needs to be set up on nz.domain.com or domain.com?
Do let me know if you need more clarity on this.
Solved! Go to Solution.
Set up DKIM at the subdomain level. This provides the highest of accountability/non-repudiation. (While DMARC w/DKIM has the ability to "walk the tree" to the parent domain, it will never grant the same level of trust that way.)
SPF, too, should be at the subdomain, but SPF in general is meaningless unless you're paying extra to Marketo -- and adding the mktomail.com record and can hurt deliverability for non-Marketo mail if you don't manage your SPF entries correctly.
Set up DKIM at the subdomain level. This provides the highest of accountability/non-repudiation. (While DMARC w/DKIM has the ability to "walk the tree" to the parent domain, it will never grant the same level of trust that way.)
SPF, too, should be at the subdomain, but SPF in general is meaningless unless you're paying extra to Marketo -- and adding the mktomail.com record and can hurt deliverability for non-Marketo mail if you don't manage your SPF entries correctly.
Thanks Sanford Whiteman! This definitely helps. I've read through a few different feeds around managing multiple domains within a single instance and have been seeing your responses on most of them - I now have more questions than I have answers!
We're looking into creating an additional email tracking CNAME for said client within our instance (separate Workspace), would we be adding the CNAME record within our own DNS or the client's DNS?
Not quite sure if we are needing to follow the Setup Steps (using the client's details) outlined within the Marketo documentation if we wanted to run campaigns for a client within our instance.
Really appreciate your thoughts or anyone else who has been through a similar experience. Again, let me know if more clarity is needed.
Hi Keilia,
Yep, you'll see my responses a lot on these topics since I have a background as a mail + DNS admin (still do a bit of it).
If you're going to be running http://click.client.com on your Marketo instance, then the client's DNS team needs to add the CNAME in their DNS zone pointing to <your_instance_name>.mktoweb.com.
Similarly, if you'll be sending mail from user@client.com, then the client needs to add the DKIM entry in the DNS zone for M1._domainkey.client.com. You'll be providing them with the value from the required Marketo UI.
Again, I'd skip SPF. It's at best overkill and at worst... much worse. Only if you have a line item on your Marketo subscription for "branded sender" should you get into SPF.
Thanks Sanford Whiteman!
Would it make a difference if we set up a CNAME under domain.co.nz (this is what the email links go through to, we also want to set up a branding domain under this - e.g. email.domain.co.nz) and the DKIM set up under the subdomain (support@nz.domain.com)?
Are you asking if the branding (click tracking) domain can be email.example.co.nz while your From/Reply to is @nz.example.com?
If so, sure.
Awesome. We'll look at enabling this. Thanks so much for your quick responses!