This content has been marked as final. Show 7 replies
Just FYI, with the August release we will be moving to a model where Marketo admins can setup DKIM from the email admin page. In the past, customers had to contact support to setup DKIM.
Here's a summary of what needs to be done to implement both DKIM and SPF:
For DKIM, you (or someone on your behalf) will create a new key first. This key contains both public and private information used to correctly sign your messages. The public piece of this key needs to go in your domain's DNS record. You can edit that from GoDaddy, if that is the platform you are on. The private piece of the key must be known to the entity sending email on your behalf. In Marketo's case, we would create the key for you, and you would post the public details to your DNS record. Once published to DNS, we would start signing emails with that signature. We would never expose the private key details used to complete the signing. So to summarize, you would need to publish public key info on your DNS and then the entity doing the signing would need to the private key details.
For SPF, the only thing that is needed is for you to add an entry in your DNS record to define which SMTP servers are authorized to send mail from your domain. The actual entity doing the sending needs to do nothing here. You would just figure out what those acceptable IPs are and publish that information to DNS.
GoDaddy.com will be who you want to approach on this. You need to update your DNS record. Here is a help article on their site that should help you get moving: http://support.godaddy.com/help/article/680/managing-dns-for-your-domain-names
That's going to be great to have the control on DKIM!
Hello Justin and Joe, thank you for your speedy responses:
Regarding the key for DKIM, Marketo's publicly available instructions indicate to use the key specified there. Is that not the case?
- k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDFUlNZvtGDlIGDRtzyRQydM9yRInD5YMx86QpgZ3v7pT+Mx4tGbjUxY41TXbsp7UH9hTREaKKGQKNM/B3FzcFVv4zafZ09lUaXcbSdtD70iXyH0OXEGXLZI5gG0ZwjK5ptgQ18d+pUP9s8xMkJnZlubTk9MLvQnv3ZBzoL9FHFDQIDAQAB
That and I've already tried following the instructions on GoDaddy but their step-by-step doesn't match the experience I get when I try to do it.
:-) Technology is fun.
I'm going to attempt to resolve this tomorrow in an Office Hours session with Marketo. I have a case open on this as well.
Feel free to shoot me an email if you are still having difficulties, I am the right person at Marketo to help you with this. I can also quickly explain what you were reading via the link you shared:
- The old article explained how to previously enable DKIM using a shared Marketo DKIM key. We created a key and published the public key information in that article. If you added that public key information to your DNS, your emails would then be signed with Marketo's shared key, referencing your domain. This is better than not signing emails at all, which is why it was previously recommended.
- If customers already had existing DKIM keys that they wanted to use (or didn't want to use Marketo's shared key), they would have contacted Marketo support to set that up.
- As of the August release, all outgoing Marketo emails will be signed. By default, we'll automatically sign outgoing messages with a generic Marketo key, referencing Marketo's domain.
- Some organizations prefer (or may be required) to use a custom DKIM key referencing their domain, in order to sign their messages. To enable this, we will have a new DKIM admin page where your Marketo admin will create a new DKIM key, then post the public key information to DNS. Once that information is confirmed in DNS, we'll start signing your outgoing messages with that new key. In this case, the key would be private to your subscription and would be referencing your domain (since you would have added the public details to DNS).
- This is the best practice for supporting DKIM. Marketo will create the new key on your behalf, and then you would publish the public details to your DNS, indicating that the key is legitimate. For security reasons, Marketo will never expose the private key information (even to you), as you wold always have the ability to remove your Marketo-specific DKIM DNS entry if you at any time decide Marketo should not be approved to sign email on your behalf.
- It is possible to have multiple DKIM keys per domain, so you aren't restricted to sending signed emails solely from Marketo.
Thank you for your offer of support. I've reached out to you via LinkedIn. I will very much enjoy getting this step behind us and on to tackling all the other stuff.
Justin...if helpful I have some screen shots of my attempted SPF and DKIM implementations in Wix attached to the support case 00316507.