Once you’re aware of a compromise, you need to be able to repudiate any email sent by the 3rd party.
The strongest way to do this is to require strict alignment in your DKIM record. Then in the event of a compromise, remove the relevant DKIM public key, and, if applicable, remove the 3rd party from your SPF record.
Note that for shared Marketo instances — used by the vast majority of customers — SPF does not apply. The envelope sender will not be related to your domain, so your SPF record will never be consulted. Only with the branded envelope sender would your SPF record be looked up.
In my experience across a huge range of clients, all but a couple use their official corporate domain(s) instead of registering a new, Marketo-only domain. They may use a subdomain of that corporate domain for a variety of reasons, but non-repudiation isn’t one of them (you can’t disconnect your private domain suffix from its subdomains, it’s obviously still you). Nor will using a subdomain affect blocklists (which list the private domain, not each offending subdomain).
If you did opt to use a Marketo-only domain, that needs to be accompanied by only linking to a separate domain alias in your emails. Otherwise, your main domain gets blocked at the URIBL-type level anyway. For most people, this is a bridge too far, as the goal of email marketing is to drive traffic to the real domain.
.png)