Hi all! In an effort to combat some deliverability issues, we are trying to create a brief instructional document for our customers on how to whitelist Marketo to ensure they receive our Customer Success/Marketing communications. I have been looking around the various Marketo doc pages for instructions on this and cannot seem to find anything for this use case, only instructions for whitelisting internally (ex. for test emails from Marketo to our company domain.)
Anyone have any ideas or examples they could share?
Thanks!
Hi Jasmine,
Do you have a dedicated IP for your Marketo emails? If so, you can provide it to customers so they can ask their IT team to whitelist it. Without a dedicated IP though, you would probably have to ask them to whitelist all Marketo IPs, which their IT team is unlikely to agree to since it would guarantee delivery for emails from *any* company using Marketo.
If there's a particular address your emails always come from (i.e. success@yourcompany.com) then you can also ask them to add that email address as a contact to improve delivery chances.
Grant
Thanks, Grant. Good feedback. I'm not certain about the dedicated IP - I'd have to check. Unfortunately we send our emails from a variety of folks (just depends on the communication), so seems like it would be hard to ask them to add multiple folks as a contact. Food for thought, though.
If you don't have a dedicated IP, or want an additional way to give your customers to whitelist, Support can also provide you with your unique Return Path Header for your instance that can be used for whitelisting purposes.
Hey Steven, I reached out to Support following your comment and asked about the Return Path Header. They said that some of the content is dynamic and changes with each email. Wouldn't this pose an issue with providing an individual address (e.g. your_munchkin_id.(\d+.)*\d+@em-sj-77.mktomail.com) to a customer to whitelist?
Hi Jasmine!
The Return Path Header is always going to be the same coming from your instance. It's not actually an individual email address, it's a special field in your email header that identifies where the email come from. Whoever runs the receiving server is able to configure a whitelist for it while continuing to block other Marketo instances, even sending from the same IP addresses.
Steven, the Return-Path (SMTP envelope MAIL FROM, a.k.a. Reverse-Path in current RFCs) is an email address, and it's always unique for every email and lead so Marketo can process bounces:
The domain of the Return-Path may be constant across the lifetime of an instance (though I haven't seen that guaranteed in writing) but even that isn't unique to the instance, it's shared among instances. So if someone is concerned about overly broad whitelisting, that isn't the way to go. Only DKIM with the M1 selector can authenticate the mail as coming from one tenant within Marketo.
Got it. So even sending that domain won't be sufficient in whitelisting our communications? (Or at least, a customer would be less likely?)
So even sending that domain won't be sufficient in whitelisting our communications? (Or at least, a customer would be less likely?)
It wouldn't whitelist only your communications. So while you could feign ignorance and say that it only applies to your instance, it would eventually be clear that it doesn't.
The only factor that applies to your instance exclusively is the DKIM signature on the message. If you can get someone to whitelist based on DKIM PASS for selector "M1" those emails are guaranteed to be from you, and only from you.
Another thing to consider is if somebody is blacklisting Marketo IPs outright, they likely won't get to the point of being able to whitelist based on other, more granular, info. That is, they might have been OK with your email if they got to see the MAIL FROM SMTP command, but in technical terms MAIL FROM comes after the initial connection and HELO/EHLO SMTP command.
I know this may seem overly technical, but the SMTP protocol is actually really simple, following this sequence (from the sender side) if things are good:
If things are bad, the recipient can say "Goodbye" at any point, including at the very beginning (since it knows the sender's IP address) or after seeing "outbound-123.mktomail.com" and identifying Marketo that way. Thus it might not get to the point of going, "Ohhhh, you're from Marketo, but you're on our special list."
Similarly, even though whitelisting based on DKIM would be awesome and secure, they won't see the DKIM signature until the message has been transmitted (which is a few steps later in the sequence above).
Super thorough response - thank you! So if I'm understanding it correctly, the best bet is to take the DKIM signature on the message (which is static ...?) but even that isn't guaranteed.
So basically, Marketo has made it impossible for us to get our single instance approved by a recipient - well at least now I know.