14 Replies Latest reply on Aug 30, 2017 8:18 AM by Sanford Whiteman

    Whitelisting instructions to provide to customers?

    Jasmine Jackson-Irwin

      Hi all! In an effort to combat some deliverability issues, we are trying to create a brief instructional document for our customers on how to whitelist Marketo to ensure they receive our Customer Success/Marketing communications. I have been looking around the various Marketo doc pages for instructions on this and cannot seem to find anything for this use case, only instructions for whitelisting internally (ex. for test emails from Marketo to our company domain.)

       

      Anyone have any ideas or examples they could share?

       

      Thanks!

        • Re: Whitelisting instructions to provide to customers?
          Grant Booth

          Hi Jasmine,

           

          Do you have a dedicated IP for your Marketo emails? If so, you can provide it to customers so they can ask their IT team to whitelist it. Without a dedicated IP though, you would probably have to ask them to whitelist all Marketo IPs, which their IT team is unlikely to agree to since it would guarantee delivery for emails from *any* company using Marketo.
          If there's a particular address your emails always come from (i.e. success@yourcompany.com) then you can also ask them to add that email address as a contact to improve delivery chances.

           

          Grant

          3 of 3 people found this helpful
          • Re: Whitelisting instructions to provide to customers?
            Steven Vanderberg

            If you don't have a dedicated IP, or want an additional way to give your customers to whitelist, Support can also provide you with your unique Return Path Header for your instance that can be used for whitelisting purposes.

            2 of 2 people found this helpful
              • Re: Whitelisting instructions to provide to customers?
                Jasmine Jackson-Irwin

                Hey Steven, I reached out to Support following your comment and asked about the Return Path Header. They said that some of the content is dynamic and changes with each email. Wouldn't this pose an issue with providing an individual address (e.g. your_munchkin_id.(\d+.)*\d+@em-sj-77.mktomail.com) to a customer to whitelist?

                  • Re: Whitelisting instructions to provide to customers?
                    Steven Vanderberg

                    Hi Jasmine!

                     

                    The Return Path Header is always going to be the same coming from your instance. It's not actually an individual email address, it's a special field in your email header that identifies where the email comes from. Whoever runs the receiving server is able to configure a whitelist for it while continuing to block other Marketo instances, even sending from the same IP addresses.

                      • Re: Whitelisting instructions to provide to customers?
                        Sanford Whiteman

                        Steven, the Return-Path (SMTP envelope MAIL FROM, a.k.a. Reverse-Path in current RFCs) is an email address, and it's always unique for every email and lead so Marketo can process bounces:

                         

                         

                        The domain of the Return-Path may be constant across the lifetime of an instance (though I haven't seen that guaranteed in writing) but even that isn't unique to the instance, it's shared among instances.  So if someone is concerned about overly broad whitelisting, that isn't the way to go. Only DKIM with the M1 selector can authenticate the mail as coming from one tenant within Marketo.

                        1 of 1 people found this helpful
                          • Re: Whitelisting instructions to provide to customers?
                            Jasmine Jackson-Irwin

                            Got it. So even sending that domain won't be sufficient in whitelisting our communications? (Or at least, a customer would be less likely?)

                              • Re: Whitelisting instructions to provide to customers?
                                Sanford Whiteman

                                So even sending that domain won't be sufficient in whitelisting our communications? (Or at least, a customer would be less likely?)

                                It wouldn't whitelist only your communications. So while you could feign ignorance and say that it only applies to your instance, it would eventually be clear that it doesn't.

                                 

                                The only factor that applies to your instance exclusively is the DKIM signature on the message. If you can get someone to whitelist based on DKIM PASS for selector "M1" those emails are guaranteed to be from you, and only from you.

                                 

                                Another thing to consider is if somebody is blacklisting Marketo IPs outright, they likely won't get to the point of being able to whitelist based on other, more granular, info. That is, they might have been OK with your email if they got to see the MAIL FROM SMTP command, but in technical terms MAIL FROM comes after the initial connection and HELO/EHLO SMTP command.

                                 

                                I know this may seem overly technical, but the SMTP protocol is actually really simple, following this sequence (from the sender side) if things are good:

                                 

                                • recipient's server says, "Hello, who are you?"
                                • sender says, "I am outbound-123.mktomail.com"
                                • recipient says, "That sounds good, keep talking"
                                • sender says, "I have an email from 123-456.01.02.04@em-sj-77.mktomail.com"
                                • recipient says, "Yeah, who's it going to?"

                                 

                                If things are bad, the recipient can say "Goodbye" at any point, including at the very beginning (since it knows the sender's IP address) or after seeing "outbound-123.mktomail.com" and identifying Marketo that way.  Thus it might not get to the point of going, "Ohhhh, you're from Marketo, but you're on our special list."

                                 

                                Similarly, even though whitelisting based on DKIM would be awesome and secure, they won't see the DKIM signature until the message has been transmitted (which is a few steps later in the sequence above).

                                3 of 3 people found this helpful
                                  • Re: Whitelisting instructions to provide to customers?
                                    Jasmine Jackson-Irwin

                                    Super thorough response - thank you! So if I'm understanding it correctly, the best bet is to take the DKIM signature on the message (which is static ...?) but even that isn't guaranteed.

                                     

                                    So basically, Marketo has made it impossible for us to get our single instance approved by a recipient - well at least now I know.

                                      • Re: Whitelisting instructions to provide to customers?
                                        Sanford Whiteman

                                        In fairness, Marketo operates from a distinct set of IP addresses (as does everyone except malicious botnets!). Those IP ranges are published for the purposes of whitelisting, so the flipside is they can be used for blacklisting as well, if companies are intent on not receiving communications of a not-entirely-existing-business nature. (And even if you have an IP dedicated to your instance that is for some reason not deliberately published, that Marketo operates the server can still be identified.)

                                         

                                        The thing is, it isn't enough for recipients to want your communications, there has to be someone at the IT level who is interested in making this happen. Many of us have dealt with full-on business partners, with billions in shared revenue, being unable to receive Marketo emails!

                                         

                                        If a company has built a flexible enough IT infrastructure, they can whitelist based on DKIM signature regardless of source IP, and have total trust that they're only affecting your emails. Or if they have an inflexible infrastructure but aren't really thorough, they'd whitelist the unique sender domain like @em-sj-77.mktomail.com and not be concerned about the collateral damage from other instances using that same domain (and the fact that domains can be forged by people not even using Marketo). Similarly, if their setup is inflexible but they're willing to whitelist a dedicated IP even though it's in an otherwise "dangerous" range (and, it should be noted, can be reassigned to another instance if you stop using Marketo), that will clearly work.

                                         

                                        But if their technical setup is inflexible and the IT staff is also inflexible (and/or knowledgeable about the way SMTP works) you're going to be stopped. To allow only Marketo emails that are traceable to one specific domain, you must use DKIM. Only DKIM guarantees that the operator of a domain authorized the email to be sent (by making a change to their DNS zone). Anything else can be forged. (Note that SPF, though irrelevant for most Marketo users anyway, does not prevent message-level forgery/misuse: it can only imply that a server has been approved for general use by a domain owner, not that all individual emails that come out of that server were approved.)

                                         

                                        What we've done for special cases (not for the faint of technical ability) is set up an on-premises relay server for specific recipient domains. Since Marketo sends to those recipients via an intermediate stop on a non-Marketo server, the source IP is no longer at Marketo, which usually gets over the principal hurdle.  Of course then you must be sure you are not sending spam to your partner domain, because if you do, they may block your corporate IP range so previously okay person-to-person emails won't go through anymore.

                                        1 of 1 people found this helpful
                                  • Re: Whitelisting instructions to provide to customers?
                                    Steven Vanderberg

                                    Hi Sanford,

                                    That is why the regex is provided after the munchkin ID, to account for how that can change.  But the Munchkin ID is always going to be unique and constant for any one specific instance.  Using our return path regex is not going to be overly broad unless you're omitting the Munchkin ID from it.

                                      • Re: Whitelisting instructions to provide to customers?
                                        Sanford Whiteman

                                        Yep, you can create a regex that would match R-Ps (each of which is an email address -- that was the original thing I was clearing up) that are legitimately emitted by a single Marketo instance. But (a) the recipient would have to support regexen and (b) the regex would have to have a position in the recipient's ruleset that allows it to override private and public blacklists and (c) the recipient would have to trust in the R-P as an overriding filtering mechanism (something I personally never do).


                                        Given that any R-P can be used for outbound connections from a box -- I know Marketo doesn't give tenants control over this, but there's no barrier in a generalized multitenant system, which is all the recipient has to go on -- R-P is forgeable by someone other than the person making the whitelisting request. So if someone is draconian enough to say "I block emails from this MA platform because it sends spam" asking them to whitelist based on something that can be forged by any tenant isn't going to fly.

                                         

                                        As a former (and still occasional) enterprise mail admin I don't think anybody should be asking for Marketo-specific whitelisting except for DKIM M1. (Obviously, I don't think Marketo should be blacklisted! Just that dealing with blacklisting should be done at a sophisticated level.)
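
The two allow rules debated in this thread, side by side, as an added example that is not part of the original posts and is not Marketo's code: a recipient-side check in Python comparing a Return-Path regex with a rule keyed on DKIM pass, signing domain and selector, read from the receiving server's own Authentication-Results header. The hostnames, signing domain, ID in the regex and header values are constructed placeholders.

```python
import re

# All values below are constructed placeholders, not taken from a real instance.
OUR_AUTHSERV_ID = "mx.recipient.example"   # only trust results stamped by our own MTA
TRUSTED_D = "sender.example"               # signing domain the allow rule is for
TRUSTED_SELECTOR = "m1"                    # selector named in the thread
RP_RULE = re.compile(r"^123-ABC-456\.(\d+\.)*\d+@em-sj-77\.mktomail\.com$")

def parse_auth_results(value):
    """Return (authserv_id, [(method, result, props)]) from an
    Authentication-Results header value (RFC 8601, simplified)."""
    value = re.sub(r"\([^()]*\)", " ", value)           # drop comments
    parts = [p.strip() for p in value.split(";")]
    authserv_id = parts[0].split()[0].lower() if parts[0] else ""
    results = []
    for part in parts[1:]:
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].lower().split("=", 1)
        props = dict(t.lower().split("=", 1) for t in tokens[1:] if "=" in t)
        results.append((method, result, props))
    return authserv_id, results

def allow_by_dkim(auth_results_headers):
    """Allow only if our own MTA recorded dkim=pass for the trusted d= and s=."""
    for value in auth_results_headers:
        authserv_id, results = parse_auth_results(value)
        if authserv_id != OUR_AUTHSERV_ID:
            continue                                     # header may be sender-supplied
        for method, result, props in results:
            if (method == "dkim" and result == "pass"
                    and props.get("header.d") == TRUSTED_D
                    and props.get("header.s") == TRUSTED_SELECTOR):
                return True
    return False

def allow_by_return_path(mail_from):
    """The weaker rule: match the envelope sender against the instance regex."""
    return bool(RP_RULE.match(mail_from.strip("<>")))

# Constructed messages: (envelope MAIL FROM, Authentication-Results headers)
GENUINE = ("123-ABC-456.0.1.2.3@em-sj-77.mktomail.com",
           ["mx.recipient.example; dkim=pass header.d=sender.example header.s=m1 header.b=AbCd"])
FORGED_RP = ("123-ABC-456.0.9.9.9@em-sj-77.mktomail.com",
             ["mx.recipient.example; dkim=none",
              "mx.unknown.example; dkim=pass header.d=sender.example header.s=m1"])
```

The second constructed message passes the Return-Path rule but not the DKIM rule, because the only `dkim=pass` line it carries was not stamped by the recipient's own server.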

                              • Re: Whitelisting instructions to provide to customers?
                                Tom Kerlin

                                Hi Jasmine,

                                 

                                This has come up for us before as well - it would be great if Marketo provided some sort of documentation for clients to send to unmailable recipients.

                                 

                                Here's an eBook Marketo sent me that explains email deliverability in more detail: https://info.dh.com/rs/450-PSA-364/images/eBook-Marketo-Email-Deliverability.pdf

                                1 of 1 people found this helpful