    If you're not receiving specific Marketo emails, this may be why (failed SPF)

    Dan Stevens.

      For the past couple of weeks, all notifications/emails from the community, support and other Marketo sources weren't being delivered into my inbox.  This was very odd as I receive many each day.  After checking with our deliverability team, they informed me of the following - and therefore, these emails were sent to quarantine.  Per our deliverability team:


      "Marketo was blocked by the following Transport Rule: Due to recent hacking attempt on Avanade using very sophisticated email technique, we had to block all domains which don’t provide SPF properly and comes up as “Temp Error”. We put rules in place and that blocked these emails because client has SPF record issue. For now, we have whitelisted Marketo but someone should work with Marketo and ask them to maintain their SPF record properly."


      So if anyone from Marketo is reading this, please pass this info on to your deliverability team.  I will also open a Support case with this information.

          Sanford Whiteman

          But the real problem is that your IT has decided to transform a TempError into a Fail, which is not respecting the meaning of SPF result codes.


          If they don't trust a TempError, they should reject or deliver the message, not quarantine it. This recommendation is explicit in RFC 7208 Sections 8.6 and G.4, since quarantining a message informs neither the sender nor the receiver that there's a problem.


          It also isn't clear that there's a real problem outside of Avanade, since it's a DNS timeout (timeout is always a receiver-side setting, and if set unrealistically low, perhaps to deal with other attacks, it will have collateral damage). And from the looks of it, the problem would apply to anyone with protection.outlook.com in their SPF record, not just Marketo.


          Of course, IT can roll out whatever policies they want, but they shouldn't be surprised at the consequences -- like saying, "I'm going to block any web pages that take more than 2 seconds to load because they might be trying to hang up TCP connections."
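
As an added illustration that is not part of the thread: a Python sketch that reads the Received-SPF header from stored messages, maps each SPF result to an accept or an in-session SMTP reply in line with RFC 7208 section 8, and counts TempError results per sender domain so a receiver can see how much mail a TempError-based rule touches. The action labels, sample messages and hostnames are constructed for this example.

```python
import re
from collections import Counter
from email import message_from_string

# One receiver policy consistent with RFC 7208 section 8: every outcome is an
# accept or an in-session SMTP reply, never a silent quarantine.
ACTIONS = {
    "pass": "accept", "none": "accept", "neutral": "accept",
    "softfail": "accept-and-flag",
    "fail": "reject 550 5.7.1",
    "temperror": "defer 451 4.4.3",   # transient DNS error: sender retries
    "permerror": "reject 550 5.5.2",
}
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|[^;\s]+)')

def parse_received_spf(value):
    """Split a Received-SPF value into (result, {key: value})."""
    m = re.match(r"\s*([A-Za-z]+)", value)
    result = m.group(1).lower() if m else "none"
    rest = re.sub(r"\([^)]*\)", "", value)      # drop the free-text comment
    return result, {k.lower(): v.strip('"') for k, v in KV_RE.findall(rest)}

def audit(raw_messages):
    """Return per-message (result, action, sender domain) and temperror counts."""
    rows, temperrors = [], Counter()
    for raw in raw_messages:
        header = message_from_string(raw).get("Received-SPF", "")
        result, fields = parse_received_spf(header)
        domain = fields.get("envelope-from", "").rpartition("@")[2].lower()
        rows.append((result, ACTIONS.get(result, "accept"), domain))
        if result == "temperror":
            temperrors[domain] += 1
    return rows, temperrors

# Constructed sample messages (hostnames and addresses are placeholders).
SAMPLES = [
    "Received-SPF: TempError (mx.receiver.example: DNS timeout during lookup)\n"
    " receiver=mx.receiver.example; client-ip=192.0.2.10;\n"
    ' envelope-from="bounce@mail.sender.example"\nSubject: one\n\nbody\n',
    "Received-SPF: pass (mx.receiver.example: permitted sender)\n"
    " client-ip=192.0.2.11; envelope-from=news@other.example\nSubject: two\n\nbody\n",
    "Received-SPF: fail (mx.receiver.example: not permitted)\n"
    " client-ip=203.0.113.5; envelope-from=x@spoofed.example\nSubject: three\n\nbody\n",
]

if __name__ == "__main__":
    rows, temperrors = audit(SAMPLES)
    for row in rows:
        print(*row, sep="\t")
    print("temperror by sender domain:", dict(temperrors))
```
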

