Do you know if it's possible for Marketo to implement a content security policy, etc on email subdomains?
Don't believe so. Some of the security headers are, in practice, irrelevant for such a single-purpose webserver. Remember, the click tracking domain only ever serves the same piece of JS with a different URL value. That's all it ever does.
HSTS (Strict-Transport-Security) would be nice to have, although the chance of someone navigating to the tracking domain over plain http: should be tiny. Your emails should be the only advertised way to get there, and they'll always use https:. Of course, one can manually stay on http: by typing "click.example.com" in the location bar (that's the case that HSTS is meant to protect). But deliberately typing your tracking domain, rather than your corporate domain, is not a typical end-user activity. Also, if you have HSTS on your parent domain (https://example.com) with includeSubDomains, you're protected after their first visit.
Note the value of Referrer-Policy would have to at least allow the origin to be sent, in order to support current behavior (i.e. you can read the referrer on the target page to know someone got to your site by clicking an email, otherwise it would appear direct).
X-Frame-Options could block the tracking domain from being embedded in an IFRAME without causing any problems that I can think of, but it also wouldn't secure you against anything I can think of, again because the tracking domain is so purpose-built to do only one thing: (log and) redirect.
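The three points in the reply above (HSTS on the tracking host, a Referrer-Policy that still lets the landing page see the origin, and X-Frame-Options to refuse framing) can be checked mechanically. The following is an added example, not Marketo's code and not from the original post; it takes a response-header dictionary such as `requests` or `urllib` would give you and reports findings against exactly that policy. The three header sets at the bottom are constructed samples, and the one-year HSTS threshold is an assumption chosen for the example.

```python
"""Audit a click-tracking host's response headers against the policy
described in the reply above. Header samples are constructed."""

import re

# Referrer-Policy values that still send at least the origin on an
# https -> https navigation to a different host (the redirect target).
ORIGIN_PRESERVING = {
    "origin", "origin-when-cross-origin", "strict-origin",
    "strict-origin-when-cross-origin", "no-referrer-when-downgrade", "unsafe-url",
}
# Values that would make the click look like direct traffic on the landing page.
REFERRER_BLOCKING = {"no-referrer", "same-origin"}
ONE_YEAR = 31536000  # assumed minimum max-age for the example


def parse_hsts(value):
    """Return (max_age_seconds, include_subdomains) from an HSTS header, or None."""
    if value is None:
        return None
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    max_age, include_sub = None, False
    for d in directives:
        m = re.fullmatch(r"max-age=(\d+)", d)
        if m:
            max_age = int(m.group(1))
        elif d == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


def audit_tracking_headers(headers):
    """Return a dict of findings; header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = {}

    hsts = parse_hsts(h.get("strict-transport-security"))
    if hsts is None:
        findings["hsts"] = "missing: a typed http: visit is not upgraded"
    elif hsts[0] < ONE_YEAR:
        findings["hsts"] = f"max-age {hsts[0]} is under one year"
    else:
        findings["hsts"] = "ok" + ("" if hsts[1] else " (no includeSubDomains)")

    rp = h.get("referrer-policy")
    if rp is None:
        findings["referrer_policy"] = "unset: browser default still sends the origin"
    else:
        # The header may list several policies; the last recognised token wins.
        tokens = [t.strip().lower() for t in rp.split(",") if t.strip()]
        known = ORIGIN_PRESERVING | REFERRER_BLOCKING
        chosen = next((t for t in reversed(tokens) if t in known), None)
        if chosen in REFERRER_BLOCKING:
            findings["referrer_policy"] = f"{chosen}: landing page sees the click as direct traffic"
        elif chosen in ORIGIN_PRESERVING:
            findings["referrer_policy"] = "ok"
        else:
            findings["referrer_policy"] = "unrecognised value; browser falls back to its default"

    xfo = h.get("x-frame-options", "").strip().upper()
    findings["x_frame_options"] = "ok" if xfo in {"DENY", "SAMEORIGIN"} else "missing: host can be framed"
    return findings


# Constructed samples: a bare tracking host, a hardened one, and one whose
# Referrer-Policy is too strict for attribution to keep working.
BARE = {"Content-Type": "text/html"}
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-Frame-Options": "DENY",
}
OVERTIGHT = {
    "Strict-Transport-Security": "max-age=31536000",
    "Referrer-Policy": "no-referrer",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for name, hdrs in (("bare", BARE), ("hardened", HARDENED), ("overtight", OVERTIGHT)):
        print(name, audit_tracking_headers(hdrs))
```

Point it at real headers by passing `dict(response.headers)`; the `OVERTIGHT` sample shows the trade-off the reply mentions, where `no-referrer` is the "safest" value but breaks the email-click attribution the landing page relies on.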