Lindsey, I don't know if you saw this recent discussion but there are effective workarounds that apply equally to email (I suppose you mean if you are sending from outside Marketo).
Was this ever resolved by the Marketo team? We're about to run a direct mail campaign and want to try this exact same scenario. It seems if they are not cookied there is no point running the campaign.
One way around this I have found (which is slightly manual and not Marketo related) is to mass generate short URLs using a bit.ly API. You can export the results from bit.ly to see how many times a link has been "clicked". Pivoting the results in Excel will show you which URLs were actioned upon but these results cannot be added into Marketo.
This is one idea for Marketo perhaps? To obtain the data on which anonymous leads accessed the link, it can track which link was clicked and track that individual? I'm sure it's more complex than that but it seems like a foundation to start from perhaps. It would just be crucial to ensure the wrong links don't get clicked by the incorrect individual.
Marketo has not fixed this - I'm not even sure they consider this a bug. We too scrapped all PURL-based DM campaigns in Marketo. If we can't offer a personalized experience when the user arrives to a Marketo landing page, there's no sense in using PURLs to begin with.
There's no security issue. It's simply an incomplete -- or, from a generous angle, minimalist -- implementation compared to marketers' expectations. (If you test, Dan's summary is not quite accurate, though there are equivalent major frustrations involved.)
Fixes and workarounds exist, but unlike other areas, you need to use a developer to get the basic expected functionality (as opposed to advanced functionality).
I'm looking into this and doing an assessment of the various scenarios. There is actually a security risk...I'll explain. We know, a lead has to be known in order for the PURL to be generated (therefore the PURL has that person's information associated to it.) Referring to #3 above, in an ideal case, if a user has not been cooked and is anonymous, when they enter their own PURL they should see their information on that page pulled from the known lead record in Marketo. This will include any pre-filled out form fields (possible PII)
Say you have a malicious user who is not cookied and is anonymous. If they get ahold of your PURL, or guess the format and hack into other's, that person will see the PII of the lead associated to the PURL. Hence the risk. So it does depend on what you will have on the LP.
Now, it might not be a big risk if you don't have a lot of personal info (or nothing you'd consider PII) but wanted to call that out. Please let me know if you have other comments about this. I will follow-up once I have more information from my side. At this time I'm trying to understand the effort involved into making PURL a usable feature.
There's no more security risk here than on any LP with prefilled fields. If you don't want people peeking at others' PII, don't include that information on a page that only requires an email for "authentication." If I want somebody's PII and I know their email, I'm not going to try to guess their Marketo unique code, since I can already impersonate them.
Has anyone have an update on this? We are facing the same issue. Asked Marketo today and they confirmed pre-population does not work on PURLs.
I read on here that we could use tokens within the forms as default values.Has anyone tried it? Here is the thread: https://nation.marketo.com/message/95599#comment-95599