SOLVED

SPF and DKIM required for reply to domain?

Alok_biswas
Level 2

Do we need to have SPF and DKIM to be set for the reply to domain (for ex: domain.com), if it's different from sender domain (for ex: from.domain.com)?

1 ACCEPTED SOLUTION

SanfordWhiteman
Level 10 - Community Moderator

Re: SPF and DKIM required for reply to domain?

Nope! In fact in a standard shared Marketo instance, there’s no reason to update any SPF records at all. (The header From: is not used by SPF, only the envelope MAIL FROM is used. And a standard instance doesn’t use your domain in the MAIL FROM, it uses the Marketo-controlled <nnnn>.mktomail.com.)

5 REPLIES 5
Alok_biswas
Level 2

Re: SPF and DKIM required for reply to domain?

Hi @SanfordWhiteman! We're using a dedicated IP and not a shared one.

I'm a bit confused about this, as I know that if we are using the company domain in the from address then we need to set SPF and DKIM for better deliverability: "a standard instance doesn’t use your domain in the MAIL FROM, it uses the Marketo-controlled <nnnn>.mktomail.com."

Can you please elaborate on the working logic here? It would be helpful. A Marketo instance with a shared IP doesn't need SPF and DKIM?

Currently we have set an SPF TXT record and a DKIM key for our email sending domain, i.e., the subdomain of our root domain. But we want to use the root domain (where we haven't set any SPF and DKIM) for our reply-to address. So just to reconfirm: we don't need to set any SPF and DKIM for the reply-to address? Or do we need to do any config at the Marketo end for the reply-to address?

SanfordWhiteman
Level 10 - Community Moderator

Re: SPF and DKIM required for reply to domain?


> we're using a dedicated IP and not a shared.

It’s less about the dedicated IP than about your branded envelope sender domain, if you have one.

The branded envelope sender will not be example.com, it’ll be a subdomain like bounces.example.com. That domain should have an SPF record that includes the Marketo IP range.

But no matter what, your zone apex example.com does not need to be concerned about Marketo + SPF. Again, SPF is only checked for the MAIL FROM/envelope sender/return-path/reverse-path domain.

> Marketo instance with shared IP doesn't need SPF and DKIM?

Correct. This is widely misunderstood. In fact, unnecessarily adding Marketo to your zone apex’s SPF record can even be destructive, making the whole record unusable (because it goes over SPF DNS lookup limits).

> So just to re-confirm we don't need to set any SPF and DKIM for the reply to address? or we need to do any config at Marketo end for reply to address?

You do not need to configure anything in DNS for the Reply-To: header.

Alok_biswas
Level 2

Re: SPF and DKIM required for reply to domain?

> Correct. This is widely misunderstood. In fact, unnecessarily adding Marketo to your zone apex’s SPF record can even be destructive, making the whole record unusable (because it goes over SPF DNS lookup limits).

@SanfordWhiteman: This article suggests having SPF and DKIM so that Marketo is authorized to send email on behalf of our domain, as we'll be using the same domain in the From header. Is there something I'm confusing?

SanfordWhiteman
Level 10 - Community Moderator

Re: SPF and DKIM required for reply to domain?

The From: header domain has nothing (a.k.a. zilch, nada, etc.) to do with SPF!

 

SPF deals only with the MAIL FROM (envelope sender) domain. If your MAIL FROM is user@example.com, then and only then will example.com’s SPF record be looked up in DNS.
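
The two points made in this thread (SPF looks only at the envelope MAIL FROM domain, and an unneeded include on the zone apex can push its record over the lookup limit), as an added example that is not part of the original posts. All domain names, TXT records and the message are constructed; the limit of 10 DNS-querying terms is from RFC 7208.

```python
from email import message_from_string

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: more DNS-querying terms => permerror
COUNTED = {"a", "mx", "ptr", "exists", "include", "redirect"}

# Constructed TXT records (hypothetical names), standing in for live DNS.
ZONE = {
    "example.com": "v=spf1 a mx include:_spf.mail.example include:_spf.crm.example -all",
    "_spf.mail.example": "v=spf1 a:out1.mail.example a:out2.mail.example "
                         "a:out3.mail.example mx:mail.example ~all",
    "_spf.crm.example": "v=spf1 a:out.crm.example mx:crm.example ~all",
    "bounces.example.com": "v=spf1 include:_spf.esp.example -all",
    "_spf.esp.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 -all",
}

# Constructed message: envelope sender differs from header From: and Reply-To:.
ENVELOPE_MAIL_FROM = "bounce-123@bounces.example.com"
HEADERS = message_from_string(
    "From: News <news@from.example.com>\nReply-To: sales@example.com\n\nbody\n")

def spf_checked_domain(mail_from, helo="mta.esp.example"):
    """SPF evaluates the MAIL FROM domain (HELO name if MAIL FROM is empty)."""
    return mail_from.rpartition("@")[2].lower() if "@" in mail_from else helo

def count_lookups(domain, zone, seen=()):
    """Count DNS-querying terms for a domain, following include/redirect."""
    if domain in seen:  # guard against include loops
        return 0
    total = 0
    for term in zone.get(domain, "").split()[1:]:  # skip the "v=spf1" tag
        name, _, target = term.lstrip("+-~?").replace("=", ":", 1).partition(":")
        name = name.split("/")[0].lower()  # "a/24" -> "a"
        total += name in COUNTED
        if name in ("include", "redirect"):
            total += count_lookups(target, zone, seen + (domain,))
    return total

def apex_with_esp(zone):
    """Same zone, with the ESP include needlessly added to the apex record."""
    apex = zone["example.com"].replace(" -all", " include:_spf.esp.example -all")
    return {**zone, "example.com": apex}

if __name__ == "__main__":
    print("SPF checks:", spf_checked_domain(ENVELOPE_MAIL_FROM))
    print("ignored by SPF:", HEADERS["From"], "/", HEADERS["Reply-To"])
    for label, z in (("apex as-is", ZONE), ("apex + ESP include", apex_with_esp(ZONE))):
        n = count_lookups("example.com", z)
        print(label, n, "permerror" if n > LOOKUP_LIMIT else "ok")
```

In this constructed zone the apex record sits exactly at the limit, so the one extra include turns every SPF check of example.com into a permerror, while bounces.example.com needs a single lookup.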