7 Replies Latest reply on Aug 11, 2014 2:30 PM by 62146

    Seeking guidance with SPF and DKIM

      Greetings Marketo Community,

      I'm seeking some guidance regarding where I need to set up SPF and DKIM as none of my vendors seem to agree on what needs to be done where.

      Here are the vendors I'm currently using:
      a) our domain issuworks.com is registered with GoDaddy (redirects to our website host wix.com)
      b) our issuworks.com website host is wix.com (where we have mx records for smarsh.com)
      c) our email provider is smarsh.com
      And nobody appears to know what to do…
      ·        Support at our domain host godaddy.com says SPF and DKIM need to be set up with our email provider (Smarsh)
      ·        Support at Smarsh says SPF and DKIM need to be set up with our domain (GoDaddy) and website (Wix) providers.
      ·        Support at Wix indicates "you are asking to change your DNS settings, which is something we cannot do"
      Can anyone tell me where SPF and DKIM needs to be impolemented; GoDaddy, Wix or Smarsh?

      Once I determine where it needs to be implemented, then I can better champion get support from that vendo to do it.

      We recently sent our first small email campaign, and I suspect delivery was impeded due to this not being set up.  I'm eager to get past it.

      Any pointers are greatly appreciated.

        • Re: Seeking guidance with SPF and DKIM
          Justin Cooperman
          Hello Bri,

          Just FYI, with the August release we will be moving to a model where Marketo admins can setup DKIM from the email admin page. In the past, customers had to contact support to setup DKIM. 

          Here's a summary of what needs to be done to implement both DKIM and SPF:

          For DKIM, you (or someone on your behalf) will create a new key first. This key contains both public and private information used to correctly sign your messages. The public piece of this key needs to go in your domain's DNS record. You can edit that from GoDaddy, if that is the platform you are on. The private piece of the key must be known to the entity sending email on your behalf. In Marketo's case, we would create the key for you, and you would post the public details to your DNS record. Once published to DNS, we would start signing emails with that signature. We would never expose the private key details used to complete the signing. So to summarize, you would need to publish public key info on your DNS and then the entity doing the signing would need to the private key details.

          For SPF, the only thing that is needed is for you to add an entry in your DNS record to define which SMTP servers are authorized to send mail from your domain. The actual entity doing the sending needs to do nothing here. You would just figure out what those acceptable IPs are and publish that information to DNS. 
          • Re: Seeking guidance with SPF and DKIM
            GoDaddy.com will be who you want to approach on this. You need to update your DNS record. Here is a help article on their site that should help you get moving: http://support.godaddy.com/help/article/680/managing-dns-for-your-domain-names
            • Re: Seeking guidance with SPF and DKIM
              Edward Masson
              @Justin C
              That's going to be great to have the control on DKIM!
              • Re: Seeking guidance with SPF and DKIM
                Hello Justin and Joe, thank you for your speedy responses:

                Regarding the key for DKIM, Marketo's publicly available instructions indicate to use the key specified there.  Is that not the case?
                •           https://community.marketo.com/MarketoArticle?id=kA050000000KyrDCAS
                •           k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDFUlNZvtGDlIGDRtzyRQydM9yRInD5YMx86QpgZ3v7pT+Mx4tGbjUxY41TXbsp7UH9hTREaKKGQKNM/B3FzcFVv4zafZ09lUaXcbSdtD70iXyH0OXEGXLZI5gG0ZwjK5ptgQ18d+pUP9s8xMkJnZlubTk9MLvQnv3ZBzoL9FHFDQIDAQAB 
                Regarding where to implement, both Wix and GoDaddy's websites have instructions for how to implement SPF and DKIM and UIs to do so self-service -- but both support organizations, on the phone, indicate they are not where I need to implement it, and both self-service UIs don't match exactly the instructions Marketo gives for how to do it.  Thus, though I'd love to just go and do it on both platforms myself, I don't know what to put into the UI-defined fields.

                That and I've already tried following the instructions on GoDaddy but their step-by-step doesn't match the experience I get when I try to do it.

                :-) Technology is fun.

                I'm going to attempt to resolve this tomorrow in an Office Hours session with Marketo.  I have a case open on this as well.

                • Re: Seeking guidance with SPF and DKIM
                  Justin Cooperman

                  Feel free to shoot me an email if you are still having difficulties, I am the right person at Marketo to help you with this. I can also quickly explain what you were reading via the link you shared:

                  Old Method:
                  •           The old article explained how to previously enable DKIM using a shared Marketo DKIM key. We created a key and published the public key information in that article. If you added that public key information to your DNS, your emails would then be signed with Marketo's shared key, referencing your domain. This is better than not signing emails at all, which is why it was previously recommended.
                  •           If customers already had existing DKIM keys that they wanted to use (or didn't want to use Marketo's shared key), they would have contacted Marketo support to set that up.
                  New Method:
                  •           As of the August release, all outgoing Marketo emails will be signed. By default, we'll automatically sign outgoing messages with a generic Marketo key, referencing Marketo's domain. 
                  •           Some organizations prefer (or may be required) to use a custom DKIM key referencing their domain, in order to sign their messages. To enable this, we will have a new DKIM admin page where your Marketo admin will create a new DKIM key, then post the public key information to DNS. Once that information is confirmed in DNS, we'll start signing your outgoing messages with that new key. In this case, the key would be private to your subscription and would be referencing your domain (since you would have added the public details to DNS). 
                  •           This is the best practice for supporting DKIM. Marketo will create the new key on your behalf, and then you would publish the public details to your DNS, indicating that the key is legitimate. For security reasons, Marketo will never expose the private key information (even to you), as you wold always have the ability to remove your Marketo-specific DKIM DNS entry if you at any time decide Marketo should not be approved to sign email on your behalf. 
                  •           It is possible to have multiple DKIM keys per domain, so you aren't restricted to sending signed emails solely from Marketo. 
                  • Re: Seeking guidance with SPF and DKIM
                    Hi Justin,

                    Thank you for your offer of support.  I've reached out to you via LinkedIn.  I will very much enjoy getting this step behind us and on to tackling all the other stuff.


                    • Re: Seeking guidance with SPF and DKIM
                      Justin...if helpful I have some screen shots of my attempted SPF and DKIM implementations in Wix attached to the support case 00316507.