We're in the process of cleaning up our SPF record (too many entries) and it let me down the rabbit hole that is SPF/DKIM. I felt like I understood it until I tried sending some test emails out of curiosity. Our SPF is currently on our main domain (and I think our branded domain as well). Out of curiosity, I sent my personal email an email from one of our competitors and it showed up and wasn't marked as spam! (though it did have a "via mktdns.com" after the sender email). Why am I able to do that without the message being marked as spam? Shouldn't gmail (my personal email) see that our Marketo instance isn't authorized to send from that domain and the email be marked as spam?
SPF is only checked for the envelope sender domain. On regular Marketo instances this is {something}.marketo.com. On your instance, if you're paying for branded envelope sender, it's your special envelope subdomain. Changing the From: header doesn't change the SMTP envelope.
So shouldn't the fact that we obviously don't have DKIM setup for our competitors domain prevent us from sending emails as them? I'm still confused why those emails didn't go to spam when Gmail looked at the from address and compared it to our envelope.
So shouldn't the fact that we obviously don't have DKIM setup for our competitors domain prevent us from sending emails as them?
Not at all. DKIM is a non-repudiation mechanism: a signed message with a valid signature is guaranteed to have been authorized (at some level) by the domain owner -- or, more precisely, the domain owner cannot claim it was forged by outside forces.
A signed message with a broken/invalid signature can be assumed to be malicious, and thus should be rejected.
An unsigned message is simply repudiatable, like any standard message. That doesn't get it blocked except by servers with ultra-strict DMARC enforcement (and if the domain has a DMARC policy to match).