I've always loaded them as trusted lists, because I knew the source. The field setting for the SFDC will determine which fields Marketo is allowed to change. If the email address is already in your database, it doesn't create a duplicate lead. However it will include all of the emails from your list in the program or list that you are importing into. If you blocked updates to your email address field, then that is likely forcing the duplicates. Block Field Updates During List Import from Untrusted Sources - Marketo Docs - Product Documentation
For me, I consider Marketo to be the "source of truth" for the email address, because the lead is entering it themselves (typically), whereas the email address in SFDC is often entered by the Reps. (My experience is that Reps do not have very good keyboarding skills.)
I agree with Blane McMichen. Another thing I've seen is formatting issues - if you have hidden characters in your CRM and when you export you remove formatting so those hidden characters are removed (or vice versa, none in CRM but pick them up through some formatting in Excel) then Marketo doesn't recognize that the email addresses are the same. I've found that to be a rare situation.