
Marketo SPF, DKIM & DMARC Setup Guide

Set up email authentication for Marketo. SPF include: mktomail.com. Uses 1 DNS lookup. Step-by-step DKIM and DMARC configuration.

Last updated Feb 27, 2026

SPF Configuration

include:mktomail.com
DNS Lookup Budget: 1 / 10

Each include, a, mx, and redirect costs a DNS lookup. SPF allows a maximum of 10.

This provider uses 1 of your 10 DNS lookups.

DKIM Configuration

Selector(s): (custom, chosen during setup)
Key Type: 1024-bit or 2048-bit RSA
Setup: Marketo Admin > Email > SPF/DKIM > Add Domain > Choose selector name + key size > Publish TXT record

Setup steps may change — refer to Marketo's current documentation for the latest instructions.

DMARC Alignment

Alignment Mode: relaxed
Notes: DMARC alignment on DKIM is recommended over SPF for Marketo. Marketo's shared infrastructure means SPF alone is insufficient.

Common Issues

  • SPF PermError — too many lookups with Marketo + Salesforce + primary email

  • DMARC alignment failure — using Marketo's default shared DKIM instead of custom domain DKIM

  • DKIM not signing — custom DKIM key not activated after publishing DNS record


Overview

Marketo — officially Adobe Marketo Engage — is an enterprise marketing automation platform used for lead nurturing, campaign orchestration, and high-volume outbound email. Sometimes referenced as Adobe Marketo in shorter contexts, the platform is the same regardless of how the name appears. Its SPF record uses include:mktomail.com, costing 1 DNS lookup. Marketo is almost always deployed alongside Salesforce (CRM) and a primary email platform like Microsoft 365, meaning at least three SPF includes are in play before adding any other senders.

DKIM Configuration

DKIM in Marketo uses a custom selector name chosen by the administrator during setup — it is not auto-generated. Both 1024-bit and 2048-bit RSA key sizes are supported. Setup requires generating the key pair in Marketo Admin, publishing the corresponding TXT record in DNS, and then activating the key inside Marketo. The activation step is frequently missed — publishing the DNS record alone does not enable DKIM signing.

DMARC Alignment Strategy

By default, Marketo signs messages with its own shared DKIM domain. Without configuring a custom DKIM signature for your domain, DMARC alignment fails on every message. DMARC compliance for Marketo should rely on DKIM alignment, not SPF. Because Marketo uses shared sending infrastructure across its customer base, the envelope sender domain is controlled by Marketo, making SPF alignment unreliable for DMARC purposes. This is a critical distinction — even if your SPF record includes mktomail.com and SPF checks pass, the SPF domain will not align with your From header domain under DMARC evaluation.

Additional Setup Notes

Enterprise SPF Lookup Budget

Enterprise stacks running Marketo + Salesforce + Microsoft 365 consume at least 3 DNS lookups before adding transactional senders, support desks, or email security gateways. Add a transactional provider like SendGrid or Postmark, a helpdesk like Zendesk, and an email security gateway like Mimecast, and you're at 6 lookups minimum — often more once nested includes are resolved. These stacks frequently approach or exceed the 10-lookup SPF limit. Managed SPF can flatten nested includes into direct IP references, freeing up lookup budget.

The Three-Step DKIM Process

Marketo's three-step DKIM process (generate → publish → activate) is the most common source of authentication failures. The steps must be completed in order:

  1. Generate — In Marketo Admin, navigate to Email > SPF/DKIM and generate a key pair. Choose your selector name and key size (2048-bit recommended).
  2. Publish — Copy the TXT record value and publish it at yourselector._domainkey.yourdomain.com in your DNS.
  3. Activate — After DNS propagation, return to Marketo Admin and activate the key. This is the step most administrators miss.

If migrating from a legacy Marketo instance, confirm the DKIM key was re-generated for the current domain — old keys tied to previous sending domains will not produce valid signatures.

Troubleshooting

DKIM Not Signing Despite Published DNS Record

The most common Marketo authentication failure: the DKIM TXT record is published and resolves correctly, but messages are still signed with Marketo's shared domain. This happens when the key is not activated in Marketo Admin. Navigate to Admin > Email > SPF/DKIM, find your domain, and check whether the key status shows "Active" or "Pending." If it shows "Pending," click to activate. If it shows no key at all, the key was never generated for this domain.

DMARC Reports Show 0% SPF Alignment

This is expected behavior with Marketo. Because Marketo controls the envelope sender (MAIL FROM) domain, SPF alignment against your From header domain will fail in DMARC evaluation. Your DMARC compliance must come from DKIM alignment. If your DMARC reports also show 0% DKIM alignment, you have not configured custom DKIM signing — follow the three-step process above.
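
The alignment outcomes described here and under DMARC Alignment Strategy, as an added example (not Marketo's code and not part of the original guide): it reads the Authentication-Results header of a test message and applies the DMARC alignment rule for three setups. The header values are constructed, shared-esp.example is a placeholder for the provider-controlled domains, and org_domain is a two-label simplification of the Public Suffix List lookup.

```python
import re

def org_domain(name):
    """Simplified organizational domain: the last two labels. Real evaluators
    use the Public Suffix List, which suffixes such as co.uk require."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same org domain)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def parse_auth_results(header):
    """Return (spf, dkim_list) from an Authentication-Results header value."""
    spf, dkim = None, []
    for part in header.split(";")[1:]:  # part 0 is the receiver's authserv-id
        m = re.match(r"\s*(spf|dkim)=(\w+)", part)
        if not m:
            continue
        props = dict(re.findall(r"(smtp\.mailfrom|header\.d)=([^\s;]+)", part))
        if m.group(1) == "spf":
            spf = (m.group(2), props.get("smtp.mailfrom", "").rsplit("@", 1)[-1])
        else:
            dkim.append((m.group(2), props.get("header.d", "")))
    return spf, dkim

def dmarc_eval(from_domain, header, adkim="r", aspf="r"):
    """DMARC passes when at least one passing mechanism is also aligned."""
    spf, dkim = parse_auth_results(header)
    spf_ok = bool(spf) and spf[0] == "pass" and aligned(spf[1], from_domain, aspf)
    dkim_ok = any(r == "pass" and aligned(d, from_domain, adkim) for r, d in dkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# Constructed headers; shared-esp.example stands in for the provider's own domains.
SHARED = ("mx.receiver.example; spf=pass smtp.mailfrom=bounce.shared-esp.example; "
          "dkim=pass header.d=shared-esp.example header.s=m1")
CUSTOM = ("mx.receiver.example; spf=pass smtp.mailfrom=bounce.shared-esp.example; "
          "dkim=pass header.d=yourdomain.com header.s=yourselector")
BRANDED = ("mx.receiver.example; spf=pass smtp.mailfrom=mkto.yourdomain.com; "
           "dkim=pass header.d=yourdomain.com header.s=yourselector")

if __name__ == "__main__":
    for label, hdr in (("shared", SHARED), ("custom", CUSTOM), ("branded", BRANDED)):
        print(label, dmarc_eval("yourdomain.com", hdr))
```

With a From address on marketing.yourdomain.com and strict DKIM alignment (adkim=s), the CUSTOM header no longer aligns, which is why a sending subdomain needs a key whose signing domain matches it.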

SPF PermError in Enterprise Stacks

Enterprise environments with Marketo + Salesforce + Microsoft 365 + additional senders commonly exceed the 10-lookup SPF limit. Symptoms include SPF PermError in DMARC aggregate reports, delivery failures to strict receivers, and inconsistent SPF results across different receiving mail servers. Run an SPF check against your domain to see the total lookup count. If you're at or above 10, Managed SPF can flatten the nested lookups. Alternatively, audit your SPF record for includes from services you no longer use.
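
An added example (not from the original guide or any provider) of the lookup count behind the PermError described here and under Enterprise SPF Lookup Budget: it walks a record and its nested includes and totals every term that costs a DNS query, counting ptr and exists as well, as RFC 7208 does. The zone is constructed so the code runs offline; the *.example hosts, their nesting, and the record shown for mktomail.com are assumptions, not real published data.

```python
# Constructed TXT data for illustration: every record below is made up
# (placeholder hosts, documentation IP ranges), not any provider's real SPF.
ZONE = {
    "yourdomain.com": "v=spf1 include:mktomail.com include:crm.example "
                      "include:mail.example include:tx.example "
                      "include:desk.example include:gw.example -all",
    "mktomail.com": "v=spf1 ip4:192.0.2.0/25 -all",
    "crm.example": "v=spf1 include:a.crm.example include:b.crm.example -all",
    "a.crm.example": "v=spf1 ip4:198.51.100.0/25 -all",
    "b.crm.example": "v=spf1 ip4:198.51.100.128/25 -all",
    "mail.example": "v=spf1 ip4:203.0.113.0/25 -all",
    "tx.example": "v=spf1 include:pool.tx.example -all",
    "pool.tx.example": "v=spf1 ip4:192.0.2.128/25 -all",
    "desk.example": "v=spf1 mx -all",
    "gw.example": "v=spf1 a mx include:in.gw.example -all",
    "in.gw.example": "v=spf1 ip4:203.0.113.128/25 -all",
}
LIMIT = 10  # RFC 7208 section 4.6.4: more than 10 lookups is a permerror

def term_cost(term, zone, chain):
    """DNS lookups caused by one SPF term, including whatever it nests."""
    bare = term.lstrip("+-~?").lower()
    for prefix in ("include:", "redirect="):
        if bare.startswith(prefix):
            return 1 + count_lookups(bare[len(prefix):], zone, chain)
    name = bare.split(":", 1)[0].split("/", 1)[0]
    return 1 if name in ("a", "mx", "ptr", "exists") else 0

def count_lookups(domain, zone, chain=()):
    """Total lookups needed to walk the whole SPF record at `domain`."""
    if domain in chain:
        raise ValueError("include loop at " + domain)
    if domain not in zone:
        raise ValueError("no SPF record at " + domain)
    terms = zone[domain].split()[1:]
    return sum(term_cost(t, zone, chain + (domain,)) for t in terms)

def breakdown(domain, zone):
    """Cost of each top-level term, to show where the budget goes."""
    costs = {t: term_cost(t, zone, (domain,)) for t in zone[domain].split()[1:]}
    return {t: c for t, c in costs.items() if c}

def verdict(domain, zone):
    return "permerror" if count_lookups(domain, zone) > LIMIT else "ok"

if __name__ == "__main__":
    print(breakdown("yourdomain.com", ZONE))
    print(count_lookups("yourdomain.com", ZONE), verdict("yourdomain.com", ZONE))
```

The per-term breakdown is the useful part when auditing: six top-level includes look like 6 lookups, but the nested terms in this constructed zone bring the total past the limit.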

Custom DKIM Selector Name Conflicts

Because Marketo lets you choose your own DKIM selector name, there's a risk of collision if you pick a name already in use by another provider or a previous Marketo configuration. Before generating a key, query yourselector._domainkey.yourdomain.com to confirm nothing exists at that hostname. If a record already exists, choose a different selector name to avoid overwriting another provider's DKIM key.

Edge Cases and Gotchas

Marketo Shared IPs and SPF

Marketo's shared sending infrastructure means that the IPs behind include:mktomail.com are used by many Marketo customers simultaneously. Adding include:mktomail.com to your SPF record authorizes all of Marketo's shared sending IPs to send on behalf of your domain. This is standard for cloud email providers but worth understanding — it means your SPF record implicitly trusts the sending behavior of every other Marketo customer on the shared pool. This is another reason DKIM alignment is the recommended DMARC strategy for Marketo.

Branded Envelope Sender (Return-Path)

Marketo supports branded return-path configuration for select accounts (typically enterprise tier). If available, configuring a branded return-path enables SPF alignment in addition to DKIM alignment, giving you dual DMARC compliance. Check with your Marketo account representative to see if this feature is available for your account. When enabled, you'll add a CNAME record pointing a subdomain (like mkto.yourdomain.com) to Marketo's bounce handling infrastructure.

Subdomain Isolation

Large organizations often send Marketo campaigns from a subdomain (e.g., marketing.yourdomain.com) to isolate marketing email reputation from transactional and corporate email. If using a subdomain, all DNS records — SPF, DKIM, and DMARC — must be configured on the subdomain. The parent domain's records do not automatically apply. The subdomain must also be verified independently in Marketo Admin.

Multiple Marketo Instances

Organizations with multiple Marketo instances (e.g., separate instances for different business units or regions) can use the same sending domain across instances, but each instance must have its own DKIM key. Use different selector names for each instance to avoid conflicts. SPF only needs the single include:mktomail.com regardless of how many instances you run.

Migration Notes

Migrating to Marketo

Add include:mktomail.com to your SPF record and complete the three-step DKIM process before routing any campaign traffic through Marketo. Verify that test messages show DKIM alignment in DMARC evaluation. If you're running a phased migration (e.g., moving one campaign type at a time), keep the old provider's DNS records in place until all traffic has moved.

Migrating Away from Marketo

Remove include:mktomail.com from your SPF record and delete the DKIM TXT record at yourselector._domainkey.yourdomain.com. If you configured a branded return-path CNAME, remove that as well. Monitor DMARC aggregate reports for at least one full reporting cycle to confirm no email is still routing through Marketo's infrastructure. Be aware that Marketo may queue messages for retry — check Marketo's email activity logs to confirm all sends have completed before deleting DNS records.

Migrating Between Marketo Instances

If moving from one Adobe Marketo Engage instance to another (e.g., during an acquisition or organizational restructuring), generate a new DKIM key in the new instance with a different selector name. Publish the new TXT record alongside the old one. Activate the new key in the new instance, then deactivate the old key in the old instance. Only after confirming all traffic flows through the new instance should you remove the old DKIM record from DNS.
