Good question. Maybe it just means that as long as you have set up the DKIM code on your side, it is automatic and you don't have to wait for Support.
I am not sure how it will affect the remaining domains once Marketo starts automatically signing. I believe you will need to add the generic Marketo key to your remaining domains to prevent any issues. Last week, another user was having trouble setting up his DKIM in this thread: https://community.marketo.com/MarketoDiscussionDetail?id=90650000000PuTeAAK
Justin C from Marketo chimed in with a summary of the Old and New DKIM policies:
- The old article explained how to previously enable DKIM using a shared Marketo DKIM key. We created a key and published the public key information in that article. If you added that public key information to your DNS, your emails would then be signed with Marketo's shared key, referencing your domain. This is better than not signing emails at all, which is why it was previously recommended.
- If customers already had existing DKIM keys that they wanted to use (or didn't want to use Marketo's shared key), they would have contacted Marketo support to set that up.
- As of the August release, all outgoing Marketo emails will be signed. By default, we'll automatically sign outgoing messages with a generic Marketo key, referencing Marketo's domain.
- Some organizations prefer (or may be required) to use a custom DKIM key referencing their domain, in order to sign their messages. To enable this, we will have a new DKIM admin page where your Marketo admin will create a new DKIM key, then post the public key information to DNS. Once that information is confirmed in DNS, we'll start signing your outgoing messages with that new key. In this case, the key would be private to your subscription and would be referencing your domain (since you would have added the public details to DNS).
- This is the best practice for supporting DKIM. Marketo will create the new key on your behalf, and then you would publish the public details to your DNS, indicating that the key is legitimate. For security reasons, Marketo will never expose the private key information (even to you), as you would always have the ability to remove your Marketo-specific DKIM DNS entry if you at any time decide Marketo should not be approved to sign email on your behalf.
- It is possible to have multiple DKIM keys per domain, so you aren't restricted to sending signed emails solely from Marketo.
If you don't yet have DKIM set up for a domain, emails with a from address including that domain will now be signed using Marketo's keys. Nothing breaks; your emails are just signed with a generic Marketo signature.
If you've previously set up DKIM for a domain, it will continue to work and your admin will see those domains listed on the new DKIM admin page. This page would also be where you'd enable DKIM for additional domains.
If we do not have DKIM set up for a domain, the from address will now be signed by Marketo keys. Will they be able to clear the spam filters with the Marketo keys? And what would the header information look like, if you can give an example?
If you don't have DKIM set up for a domain, then your email (not from address) will be signed with a Marketo DKIM signature. A DKIM signature header will be added to the email, which will reference Marketo (if you set up DKIM for your domain, it would reference your domain). Both are positive for email deliverability and will actually improve the chances of getting through spam filtering.
So, why is it better to have an email from email@example.com signed with a Marketo signature rather than having no signature? Well, think of it this way. If a message is unsigned, the recipient email service does not know anything about the email other than the IP addresses that were associated with sending the message. With a signature, the recipient email service is now able to recognize the signature (even if it doesn't match the from address) and assign a reputation score based on this information. If, over time, they determine that most emails signed with this Marketo signature are "good" messages, then it is more likely these will be trusted over unsigned messages.
The signature will be invisible to your prospects as this signature is buried in the email's headers. If you are curious what a signature looks like, view the source of any email you've received from Gmail. All outgoing emails from many services (including Gmail) are DKIM signed by default.
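What the two signing modes discussed above look like in the headers, as an added example that is not part of the original thread: the signing domain is the `d=` tag of the `DKIM-Signature` header, and the public key is looked up in DNS at `<s>._domainkey.<d>`. The messages, the domains (`esp.example`, `customer.example`), the selectors and the hash values are constructed placeholders, not Marketo's real values.

```python
import email
from email.utils import parseaddr

def parse_dkim_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())  # drop header folding whitespace
    return tags

def dkim_summary(raw_message):
    """Return (From domain, one dict per DKIM-Signature header found)."""
    msg = email.message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_dkim_tags(value)
        d = tags.get("d", "").lower()   # signing domain
        s = tags.get("s", "")           # selector: picks one of several keys per domain
        # Simplified check: From domain equals d= or is a subdomain of it.
        matches = bool(d) and (from_domain == d or from_domain.endswith("." + d))
        results.append({"d": d, "dns_name": f"{s}._domainkey.{d}", "matches_from": matches})
    return from_domain, results

# Constructed sample: signed with a provider's generic key (d= is the provider's domain).
GENERIC = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=esp.example; s=m1;\n"
    "\th=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED\n"
    "From: News <email@customer.example>\n"
    "To: someone@recipient.example\n"
    "Subject: Hello\n\nBody\n"
)
# Constructed sample: same message signed with a custom key referencing the sender's domain.
CUSTOM = GENERIC.replace("d=esp.example; s=m1", "d=customer.example; s=m2")

if __name__ == "__main__":
    for label, raw in (("generic", GENERIC), ("custom", CUSTOM)):
        from_domain, sigs = dkim_summary(raw)
        for sig in sigs:
            print(label, "From:", from_domain, "d=" + sig["d"],
                  "key at", sig["dns_name"], "matches From:", sig["matches_from"])
```

Removing the TXT record at the printed DNS name is what revokes a signer's ability to produce valid signatures for that domain and selector.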