Re: Sending secure emails using Outlook Add-in/Is it possible?

Anonymous · ‎03-13-2015

Our sales team would like to use the Marketo Add-in for Outlook to send sales documents to customers, including final proposals that must be signed, etc. Per our company rules these types of communications must be sent securely.

Is this possible using the add-in?

Josh_Hill13 · ‎03-13-2015

I doubt it. Wouldn't those docs be sent via a proposal system that could?

The thing is email is NOT secure...unless you use something on both ends to encrypt the contents. This is time consuming and unlikely to happen on your customers' sides.

I suggest sending them links to secure docs online. This is what most firms do.

SanfordWhiteman · ‎03-13-2015

AFAIK the connection between the Outlook Add-In and Marketo uses HTTPS. This means that part is as secure as the connection between Outlook and Exchange. However as @Josh well points out, the subsequent connection will not be secure as Marketo is using public SMTP to send to the recipient (just as you would be if you used your Exchange server for the next hop and did not have a point-to-point secured connection with the recipient).

"Securely" is perhaps vague a term, though. What might actually be meant (I don't know what regulations/rules are in play) is a transmission which can be signed to prove the attribution of the content. The contents of a signed email are not necessarily encrypted -- they can be read by someone who happens to intercept the email. However the authorship can always be attributed, using a digital signature that is also attached to the email. The intent is to prohibit any email from being sent from your domain that cannot be proven to have been authored by you. At the server-to-server level, this is what DKIM (which Marketo does support) allows. If a recipient only considers emails that pass DKIM, with a specific DKIM record like gregl._domainkey.example.com to actually be from your domain, then no one can send out a fake proposal on your behalf.

On the flipside you can point them to documents downloadable via SSL. The download will thus be secure in transit. But if you send out an email with an https:// link, how do you stop people from intercepting the plain-text email (if that's what you were trying to combat in the first place), copying the SSL link, and just doing the download themselves? And for that matter, how do you make the final recipient authenticate that an email came from you without taking steps (like DKIM and/or PGP) to ensure that the email itself was not tampered with?

In-depth security is a larger discussion than is suitable for this community, of course, but I worry about people thinking processes are secure when they actually have these big logical gaps.

Anonymous · ‎03-16-2015

Thanks to you both. I've done some further checking with our security team and it looks like we can still take care of the security using Proofpoint. We'll be doing some further testing though to make sure things work as we need them to.

SanfordWhiteman · ‎03-16-2015

@Greg L that's interesting that it passed your internal audit (because it probably wouldn't pass ours!). Would you mind contacting me (sandy@figureone.com) and maybe we could talk for a second about your rules/regs?

Anonymous · ‎03-17-2015

After some additional discussions with our security team and testing on some generic email addresses not currently in Marketo we don't have a functional work around. No new leads or 'mktunknown' leads showed up in Marketo or Salesforce after about 18 hours.

While we can send emails securely using Proofpoint, the tracking functionality with 'Send and Track' and 'Marketo Message' will not work. Probably because Proofpoint runs outside of the system or separates out the email for protection.