In order to ensure that our subdomains are set up correctly for upcoming changes Gmail is making for inboxing, we have been reviewing all our emails / set up. We noticed in a few cases that the mailed-by (Return-path) and signed-by match and other cases where they don't match. We were told by Marketo support these should NOT match.
All of these subdomains are set up in our admin area the same way. How does Marketo delineate which one should NOT be used as a sender if it was set up for signed-by? Since we do have some emails where these two items match - what issue is it causing? I understand these aren’t suppose to match. However, based on what we found – in some cases they do.
Your question is perhaps misdirected. A partial match between the SMTP MAIL FROM domain (envelope sender domain,
a.k.a. return-path or reverse-path) and the DKIM signing domain is to be expected with a standard shared Marketo instance.
But the MAIL FROM domain will be nnnn.mktomail.com in this case, so the fact that (one of) the signatures on the email will be from mktomail.com has no impact on your ability to pass DMARC. DMARC only takes into account the SMTP From: header domain, not the envelope sender domain.
If your emails are From: user@example.com you will also have a signature from example.com (if configured in Admin and DNS); if your emails are From: user@sub.example.com, you will have a signature from sub.example.com (if configured); and so on.
If you have a branded envelope sender, that changes the stakes.
It’s best if you give specific domains for each area (envelope MAIL FROM, header From:, DKIM sig) so we don’t get bogged down in generalities.