We were recently notified by our security team that they are not allowing any email sent by third-party providers (like Marketo) to authenticate as our primary domain (avanade.com) - to mitigate against any spoofing, phishing attempts, Marketo getting hacked, etc. Instead, we need to create a subdomain - like "marketing.avanade.com" when configuring SPF/DKIM/DMARC. This is also in alignment with our parent company, Accenture (and Microsoft). I just wanted to get some thoughts from the experts in the community around this topic (e.g., Sanford Whiteman) before I give the go-ahead to proceed with this. I guess what's most concerning is when we use tokens - like "sales owner email" to populate the FROM and REPLY-TO fields of an email. We will constantly need to ask IT to map any new email addresses to one that has this new sub-domain.
Interested to hear what others have to say about this - especially those that use this approach today. Anything we need to be aware of, gotchas, etc.?
Dan, as you've identified, the major pain point is procedural.
There are no technical hurdles to sending from a subdomain, as long as you don't try to use an existing subdomain (that is, don't send from your branding or landing domains, choose a new one). SPF and DKIM work perfectly well in this scenario, as does DMARC alignment. (I've argued recently that granting Marketo-generated emails an SPF Pass, if you are deeply concerned about spoofing across a multitenant platform, isn't a good move. Better to go with SPF Unknown and concentrate on DKIM.)
But the main thing is that aliases that are unfamiliar on the receiving side, like dan.stevens@marketing.avanade.com, have to become familiar in Marketo. If you tokenize everything, that at least takes the decision out of the hands of the Marketo user, but like you said you have to make sure the alias exists (unless the entire domain is aliased). And in turn, recipients will have the opportunity to add these unfamiliar addresses to their address books and send them mail (even if you set Reply-To: user@avanade.com, you will get some incoming to user@marketing.avanade.com). So the subdomain ends up in wider circulation than just in Marketo. Comes with the territory....
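The DMARC alignment discussed in this thread, as an added example that is not part of the original posts: it evaluates identifier alignment (RFC 7489) for mail sent from the subdomain and from the parent domain. The organizational-domain shortcut (last two labels) and the envelope domain `bounce.esp.example` are assumptions made for the illustration.

```python
# Added example: DMARC identifier alignment (RFC 7489, section 3.1).

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real evaluators
    # use the Public Suffix List; the shortcut is enough for avanade.com.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same org domain)."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return org_domain(f) == org_domain(a)

def dmarc_pass(from_domain, spf, dkim, aspf="r", adkim="r"):
    """spf and dkim are (result, domain) tuples: the SPF result with the
    MAIL FROM domain, and the DKIM result with the signature's d= domain."""
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], aspf)
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], adkim)
    return spf_ok or dkim_ok

# Constructed inputs for the scenarios below.
SUB = "marketing.avanade.com"
BOUNCE = "bounce.esp.example"  # placeholder for the provider's envelope domain

def scenarios():
    dkim_sub = ("pass", SUB)  # DKIM key published under the subdomain
    return {
        # From: subdomain, SPF not a pass, DKIM aligned: DKIM alone carries DMARC
        "subdomain_from_dkim_only": dmarc_pass(SUB, ("neutral", BOUNCE), dkim_sub),
        # SPF pass on the provider's own envelope domain does not align
        "subdomain_from_spf_unaligned": dmarc_pass(SUB, ("pass", BOUNCE), ("none", "")),
        # From: parent domain, signed with the subdomain key
        "parent_from_relaxed": dmarc_pass("avanade.com", ("neutral", BOUNCE), dkim_sub),
        "parent_from_strict": dmarc_pass("avanade.com", ("neutral", BOUNCE), dkim_sub,
                                         aspf="s", adkim="s"),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:32} DMARC {'pass' if ok else 'fail'}")
```

Under relaxed alignment a signature with `d=marketing.avanade.com` still aligns with a `From:` address at avanade.com, so the separation the security team wants also depends on `adkim=s` and `aspf=s` in the parent domain's DMARC record.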