How are you handling 3rd party services sending email "as" the corporate domain, to internal and external recipients, from a cosmetic perspective (from address / reply-to address) and from an email transport integrity perspective (e.g., DMARC Reject configuration), in order to maintain trust with the recipients while minimizing risk to the organization in the event the 3rd party is compromised?
Are you using alternative domains (edwardslifesciences.com), or are they using subdomains (qualtrics.edwards.com) for a domain like Edwards.com?
We are looking to minimize risk to our organization in the event the 3rd party is compromised.
Once you’re aware of a compromise, you need to be able to repudiate any email sent by the 3rd party.
The strongest way to do this is to require strict alignment in your DKIM record. Then in the event of a compromise, remove the relevant DKIM public key, and, if applicable, remove the 3rd party from your SPF record.
Note that for shared Marketo instances — used by the vast majority of customers — SPF does not apply. The envelope sender will not be related to your domain, so your SPF record will never be consulted. Only with the branded envelope sender would your SPF record be looked up.
In my experience across a huge range of clients, all but a couple use their official corporate domain(s) instead of registering a new, Marketo-only domain. They may use a subdomain of that corporate domain for a variety of reasons, but non-repudiation isn’t one of them (you can’t disconnect your private domain suffix from its subdomains, it’s obviously still you). Nor will using a subdomain affect blocklists (which list the private domain, not each offending subdomain).
If you did opt to use a Marketo-only domain, that needs to be accompanied by only linking to a separate domain alias in your emails. Otherwise, your main domain gets blocked at the URIBL-type level anyway. For most people, this is a bridge too far, as the goal of email marketing is to drive traffic to the real domain.
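To make the mechanics in the reply above concrete, here is an added example (my own, not code from either poster or from Marketo): a small model of how a receiver's DMARC evaluation treats vendor mail sent "as" your domain, with strict DKIM alignment, and what changes once you pull the vendor's DKIM selector and SPF include after a compromise. All domain names, selectors and IP ranges are constructed for the example, and the organizational-domain lookup is approximated by the last two labels rather than the Public Suffix List (an assumption that is wrong for suffixes like .co.uk).

```python
"""Added example (not from the original thread): a minimal DMARC evaluator
showing why an aligned DKIM signature is what carries a pass for a shared
vendor instance, and how revoking the vendor's key/include turns the same
mail into a DMARC fail under p=reject. All names and addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# --- "DNS" state the domain owner controls (constructed for this example) ---
DMARC = {"example.com": {"p": "reject", "adkim": "s", "aspf": "r"}}
# Published DKIM public keys, keyed by (selector, d= domain). Revoking a key
# means deleting it here (in reality: removing the selector._domainkey TXT record).
DKIM_KEYS = {("mkto1", "example.com")}
# SPF: which includes each envelope-sender domain carries, and the netblocks
# each include expands to. Only a branded bounce domain has an SPF record of yours.
SPF_INCLUDES = {"bounce.example.com": {"_spf.vendor.example"}}
INCLUDE_NETS = {"_spf.vendor.example": [ipaddress.ip_network("203.0.113.0/24")]}


@dataclass
class Message:
    header_from: str                   # domain of RFC5322.From, what the recipient sees
    envelope_from: str                 # domain of RFC5321.MailFrom (bounce address)
    source_ip: str
    dkim_selector: Optional[str] = None
    dkim_d: Optional[str] = None       # d= of the DKIM signature on the message


def org_domain(domain: str) -> str:
    """Approximation of the organizational domain: last two labels (not the real PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """RFC 7489 identifier alignment: 's' needs an exact match, 'r' the same organizational domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def dkim_verifies(msg: Message) -> bool:
    # A signature only verifies while the (selector, d=) key is still published.
    return (msg.dkim_selector, msg.dkim_d) in DKIM_KEYS


def spf_passes(msg: Message) -> bool:
    ip = ipaddress.ip_address(msg.source_ip)
    for inc in SPF_INCLUDES.get(msg.envelope_from, ()):
        if any(ip in net for net in INCLUDE_NETS.get(inc, [])):
            return True
    return False


def dmarc(msg: Message):
    """Return (result, disposition) using the DMARC record of the From domain
    (exact domain first, then its organizational domain, as receivers do)."""
    rec = DMARC.get(msg.header_from.lower()) or DMARC.get(org_domain(msg.header_from))
    if rec is None:
        return "none", "none"
    dkim_ok = dkim_verifies(msg) and aligned(msg.header_from, msg.dkim_d, rec["adkim"])
    spf_ok = spf_passes(msg) and aligned(msg.header_from, msg.envelope_from, rec["aspf"])
    if dkim_ok or spf_ok:
        return "pass", "none"
    return "fail", rec["p"]


def revoke_vendor(selector: str, domain: str, include: Optional[str] = None) -> None:
    """Incident response: drop the vendor's DKIM key and, if it had one, its SPF include."""
    DKIM_KEYS.discard((selector, domain))
    if include:
        for incs in SPF_INCLUDES.values():
            incs.discard(include)


def demo():
    # Shared vendor instance: the envelope sender is the vendor's own domain, so
    # SPF can never align and only the aligned DKIM signature yields a DMARC pass.
    shared = Message("example.com", "bounce.vendor.example", "203.0.113.10", "mkto1", "example.com")
    # Branded envelope sender: SPF on bounce.example.com can align too (relaxed aspf).
    branded = Message("example.com", "bounce.example.com", "203.0.113.10", "mkto1", "example.com")
    # Strict adkim: a signature with d=example.com does not cover mail From a subdomain.
    subdomain = Message("news.example.com", "bounce.vendor.example", "203.0.113.10", "mkto1", "example.com")

    results = {
        "shared_before": dmarc(shared),        # ('pass', 'none') via aligned DKIM
        "branded_before": dmarc(branded),      # ('pass', 'none')
        "subdomain_strict": dmarc(subdomain),  # ('fail', 'reject')
    }
    revoke_vendor("mkto1", "example.com", include="_spf.vendor.example")
    results["shared_after"] = dmarc(shared)    # ('fail', 'reject')
    results["branded_after"] = dmarc(branded)  # ('fail', 'reject')
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18} -> {outcome}")
```

The shared-instance message passes before revocation purely on the aligned DKIM signature; once the selector's key is gone, nothing else can vouch for it and p=reject applies. The branded case shows why the SPF include also has to go: with the key revoked but the include still present, relaxed SPF alignment would keep that mail passing.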