
Configure Protocols For Marketo Engage - Adobe Marketo Engage

Protocols

Uploaded by

mahesh.ufsemail

12/25/24, 6:35 PM Configure Protocols for Marketo Engage | Adobe Marketo Engage


Configure Protocols for Marketo Engage


Last update: November 26, 2024


TOPICS: Getting Started

If you or your organization use restrictive firewall or proxy server settings, you or your network
administrator may need to allowlist certain domains and IP address ranges to ensure Adobe
Marketo Engage works as expected.

For help implementing the protocols below, please share this article with your IT department. If they
restrict web access using an allowlist, make sure they add the following domains (including the
asterisk) to allow all Marketo Engage resources and websockets:

*.marketo.com

*.marketodesigner.com

*.mktoweb.com

*.experience.adobe.com

*.adobe.net

Step 1: Create DNS Records for Landing Pages and Email Tracking Link CNAMEs

Your marketing team should have sent you two requests for new CNAME records. The first is for
landing page URLs, so that the landing pages appear in URLs that reflect your domain and not
Marketo Engage (the actual host). The second is for the tracking links that are included in the emails
they send from Marketo Engage.

1 Add CNAME for Landing Pages


https://experienceleague.adobe.com/en/docs/marketo/using/getting-started/initial-setup/configure-protocols-for-marketo

Add the landing page CNAME they sent you to your DNS record, so that [YourLandingPageCNAME]
points to the unique Account String that is assigned to your Marketo Engage Landing Pages. Log in
to your domain registrar’s site and enter the landing page CNAME and Account String. Typically, this
involves three fields:

Alias: Enter [YourLandingPageCNAME] (provided by marketing)

Type: CNAME

Point to: Enter [MunchkinID].mktoweb.com (provided by marketing)

2 Add CNAME for Email Tracking Links

Add the email CNAME marketing sent you, so that [YourEmailCNAME] points to [MktoTrackingLink],
the default tracking link that Marketo Engage assigned, in the format:
[YourEmailCNAME].[YourDomain].com IN CNAME [MktoTrackingLink]

For example:

pages.abc.com IN CNAME mkto-a0244.com

NOTE

[MktoTrackingLink] must be the Default Branding Domain.

3 Notify Your Marketing Team

Notify your marketing team when you’ve completed this process.

4 Contact Adobe Support to start the process of provisioning an SSL Certificate.

This process can take up to 3 business days to complete.

Step 2: Allowlist Marketo Engage IPs


When your Marketing group uses Marketo Engage to send test emails (a best practice before
sending out email blasts), the test emails are sometimes blocked by anti-spam systems that rely on
sender IP addresses to verify that the email is valid. To ensure that those test emails arrive, add
Marketo Engage to your allowlist.

Add these IP addresses to your corporate allowlist:



103.237.104.0/22

130.248.172.0/24

130.248.173.0/24

130.248.244.88/29

185.28.196.0/22

192.28.144.0/20

192.28.160.0/19

199.15.212.0/22

Some anti-spam systems use the email Return-Path field instead of the IP address for allowlisting. In
those cases, the best approach is to allowlist ‘*.mktomail.com’, as Marketo Engage uses several
mailbox subdomains. Other anti-spam systems allowlist based on the From address. In these
situations, be sure to include all the sending (‘From’) domains that your Marketing group uses to
communicate with people/leads.

NOTE

Postini employs a unique technology and requires allowlisting IP ranges. See Allowlisting
with Postini.
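
The following sketch shows the two allowlist checks described in this step: the connecting IP against the CIDR blocks listed above, and the Return-Path domain against '*.mktomail.com'. It is an added example, not Adobe's code; the function names and the sample messages are constructed for illustration.

```python
import ipaddress

# CIDR blocks copied from the allowlist in Step 2 of this page.
MARKETO_BLOCKS = [ipaddress.ip_network(c) for c in (
    "103.237.104.0/22", "130.248.172.0/24", "130.248.173.0/24",
    "130.248.244.88/29", "185.28.196.0/22", "192.28.144.0/20",
    "192.28.160.0/19", "199.15.212.0/22",
)]
RETURN_PATH_SUFFIX = "mktomail.com"  # from the '*.mktomail.com' rule above


def ip_allowed(ip: str) -> bool:
    """True if the connecting IP is inside one of the listed blocks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MARKETO_BLOCKS)


def return_path_allowed(return_path: str) -> bool:
    """Match '*.mktomail.com' on a label boundary, not as a raw suffix.

    A plain endswith("mktomail.com") would also accept look-alike
    domains such as 'evilmktomail.com'.
    """
    domain = return_path.strip("<>").rpartition("@")[2].lower().rstrip(".")
    return domain.endswith("." + RETURN_PATH_SUFFIX)


def classify(ip: str, return_path: str) -> str:
    # The IP check comes first: the connecting address is observed by the
    # receiving server, while Return-Path is supplied by the sender.
    if ip_allowed(ip):
        return "allow:ip"
    if return_path_allowed(return_path):
        return "allow:return-path"
    return "filter"


# Constructed sample messages: (connecting IP, Return-Path).
SAMPLES = [
    ("192.28.147.10", "<bounce@em-sj-77.mktomail.com>"),
    ("198.51.100.7", "<bounce@em-sj-77.mktomail.com>"),
    ("198.51.100.7", "<bounce@evilmktomail.com>"),
    ("130.248.244.96", "<x@mktomail.com.example.net>"),
]

if __name__ == "__main__":
    for ip, rp in SAMPLES:
        print(f"{ip:16} {rp:36} {classify(ip, rp)}")
```
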

Step 3: Set up SPF and DKIM


Your marketing team should have also sent you DKIM (DomainKeys Identified Mail) information to
be added to your DNS resource record (also listed below). Follow the steps to successfully configure
DKIM and SPF (Sender Policy Framework), then notify your marketing team that this has been
updated.

1. To set up SPF, add the following line to our DNS entries:

[CompanyDomain] IN TXT v=spf1 mx ip4:[CorpIP] include:mktomail.com ~all

If we already have an existing SPF record in our DNS entry, simply add the following to it:
include:mktomail.com


Replace CompanyDomain with the main domain of your website (ex: “company.com”) and
CorpIP with the IP address of your corporate email server (ex. “255.255.255.255”). If you are
going to be sending email from multiple domains through Marketo Engage, you should have
your IT staff add this line for each domain (on one line).

2. For DKIM, create DNS Resource Records for each domain we’d like to set up. Below are the Host
Records and TXT Values for each domain we’ll be signing for:

[DKIMDomain1]: Host Record is [HostRecord1] and the TXT Value is [TXTValue1].

[DKIMDomain2]: Host Record is [HostRecord2] and the TXT Value is [TXTValue2].

Copy the HostRecord and TXTValue for each DKIMDomain you’ve set up after following the
instructions here. Don’t forget to verify each domain in Admin > Email > DKIM after your IT staff
has completed this step.
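
When a domain already has an SPF record (the case covered in step 1 above), the include has to go into that one record and before its final `all` term, because terms after `all` are never evaluated. The helper below is an added example, not part of the Adobe documentation; the function names and sample records are constructed.

```python
def add_marketo_include(record: str, include: str = "mktomail.com") -> str:
    """Return `record` with include:<include> placed before the final
    'all' mechanism (or 'redirect' modifier). Idempotent."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    wanted = "include:" + include
    if any(t.lower().lstrip("+") == wanted for t in terms):
        return " ".join(terms)  # already present, change nothing
    # Mechanisms after 'all' are never evaluated, so insert before it.
    for i, t in enumerate(terms[1:], start=1):
        bare = t.lower().lstrip("+-~?")
        if bare == "all" or bare.startswith("redirect="):
            terms.insert(i, wanted)
            break
    else:
        terms.append(wanted)
    return " ".join(terms)


def lookup_terms(record: str) -> int:
    """Count top-level terms that cost a DNS lookup.

    RFC 7208 caps the total at 10, and lookups made inside included
    records count too, so this number is only a lower bound.
    """
    count = 0
    for t in record.split()[1:]:
        bare = t.lower().lstrip("+-~?")
        name = bare.split(":")[0].split("/")[0].split("=")[0]
        if name in ("include", "a", "mx", "ptr", "exists", "redirect"):
            count += 1
    return count


if __name__ == "__main__":
    # Constructed existing record for a hypothetical domain.
    existing = "v=spf1 mx ip4:192.0.2.10 include:_spf.example.net -all"
    merged = add_marketo_include(existing)
    print(merged)
    print("top-level DNS-lookup terms:", lookup_terms(merged))
```
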

Step 4: Set up DMARC


DMARC (Domain-based Message Authentication, Reporting & Conformance) is an authentication
protocol used to help organizations protect their domain from unauthorized use. DMARC extends
the existing authentication protocols, such as SPF and DKIM, to inform recipient servers on what
actions they should take if a failure in authentication occurs on their domain. Although DMARC is
currently optional, it is strongly recommended as it will better protect your organization’s brand and
reputation. Major providers such as Google and Yahoo will require the use of DMARC for bulk
senders beginning February 2024.

For DMARC to function, you must have at least one of the following DNS TXT records:

A Valid SPF

A Valid DKIM Record for your FROM: Domain (recommended for Marketo Engage)

In addition, you must have a DMARC-specific DNS TXT record for your FROM: Domain. Optionally,
an email address of your choosing can be defined to indicate where DMARC reports should go
within your organization, so you can monitor reports.

As a best practice, it’s recommended to slowly roll out DMARC implementation by escalating your
DMARC policy from p=none, to p=quarantine, to p=reject as you gain understanding of DMARC’s
potential impact, and set your DMARC policy to relaxed alignment on SPF and DKIM.


DMARC Example Workflow


1. If you’re configured to receive DMARC reports, you should do the following…

I. Analyze the feedback and reports you receive and use (p=none), which tells the receiver to
perform no actions against messages that fail authentication, but still send email reports to the
sender.

II. Review and fix issues with SPF/DKIM if legitimate messages are failing authentication.

III. Determine if SPF or DKIM are aligned and passing authentication for all legitimate email.

IV. Review reports to ensure the results are what you expect based on your SPF/DKIM policies.

2. Proceed to adjust the policy to (p=quarantine), which tells the receiving email server to
quarantine email that fails authentication (this typically means placing those messages in the
spam folder).

I. Review reports to ensure that the results are what you expect.

3. If you’re satisfied with the behavior of messages at the p=quarantine level, you can adjust policy
to (p=reject). The p=reject policy tells the receiver to completely deny (bounce) any email for
the domain that fails authentication. With this policy enabled, only email that’s verified as 100%
authenticated by your domain will even have a chance at inbox placement.

CAUTION

Use this policy with caution and determine if it’s appropriate for your organization.

DMARC Reporting
DMARC offers the ability to receive reports regarding emails that fail SPF/DKIM. There are two
different reports generated by ISP servicers as part of the authentication process that senders can
receive through the RUA/RUF tags in their DMARC policy.

Aggregate Reports (RUA): Does not contain any PII (Personally Identifiable Information) that
would be GDPR (General Data Protection Regulation) sensitive.

Forensic Reports (RUF): Contains email addresses which are GDPR sensitive. Before utilizing, it’s
best to check internally how to deal with information that needs to be GDPR compliant.


The main use of these reports is to give an overview of emails that attempt spoofing. These
are highly technical reports that are best digested through a third-party tool.

Example DMARC Records

Bare Minimum Record: v=DMARC1; p=none

Record directing to an email address to receive reports: v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]

DMARC Tags and What They Do


DMARC records have multiple components called DMARC tags. Each tag has a value that specifies a
certain aspect of DMARC.

| Tag Name | Required/Optional | Function | Example | Default value |
|---|---|---|---|---|
| v | Required | This DMARC tag specifies the version. There is only one version as of now, so this will have a fixed value of v=DMARC1 | V=DMARC1 DMARC1 | DMARC1 |
| p | Required | Shows the DMARC policy selected and directs the receiver to report, quarantine, or reject mail that fails authentication checks. | p=none, quarantine, or reject | - |
| fo | Optional | Allows the domain owner to specify reporting options. | 0: Generate report if everything fails; 1: Generate report if anything fails; d: Generate report if DKIM fails; s: Generate report if SPF fails | 1 (recommended for DMARC reports) |
| pct | Optional | Tells the percentage of messages subjected to filtering. | pct=20 | 100 |
| rua | Optional (recommended) | Identifies where aggregate reports will be delivered. | rua=mailto:aggr[email protected]m | - |
| ruf | Optional (recommended) | Identifies where forensic reports will be delivered. | ruf=mailto:auth[email protected]om | - |
| sp | Optional | Specifies DMARC policy for subdomains of the parent domain. | sp=reject | - |
| adkim | Optional | Can either be Strict (s) or Relaxed (r). Relaxed alignment means the domain used in the DKIM signature can be a subdomain of the "From" address. Strict alignment means the domain used in the DKIM signature must be an exact match of the domain used in the From address. | adkim=r | r |
| aspf | Optional | Can either be Strict (s) or Relaxed (r). Relaxed alignment means that the Return-Path domain can be a subdomain of the From address. Strict alignment means the Return-Path domain must be an exact match with the From address. | aspf=r | r |

For full details around DMARC and all its options, please visit https://dmarc.org/.
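
The sketch below parses a DMARC record using the tags and the pct/adkim/aspf defaults from the table, then evaluates alignment the way the adkim and aspf rows describe it. It is an added example, not Adobe's code: the function names and domains are constructed, and the subdomain test is a simplification of the organizational-domain comparison that RFC 7489 defines for relaxed alignment.

```python
DEFAULTS = {"pct": "100", "adkim": "r", "aspf": "r"}  # defaults from the table
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT value into a tag dict, applying the table defaults."""
    pairs = [p.strip() for p in record.split(";") if p.strip()]
    tags = {}
    for pair in pairs:
        name, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {pair!r}")
        tags[name.strip().lower()] = value.strip()
    first_name, _, first_val = (pairs[0] if pairs else "").partition("=")
    if first_name.strip().lower() != "v" or first_val.strip() != "DMARC1":
        raise ValueError("v=DMARC1 must be the first tag")
    if tags.get("p", "").lower() not in POLICIES:
        raise ValueError("p must be none, quarantine or reject")
    merged = {**DEFAULTS, **tags}
    if not (merged["pct"].isdigit() and 0 <= int(merged["pct"]) <= 100):
        raise ValueError("pct must be an integer from 0 to 100")
    for mode in ("adkim", "aspf"):
        if merged[mode] not in ("r", "s"):
            raise ValueError(f"{mode} must be r or s")
    return merged


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict needs an exact match; relaxed also accepts a subdomain
    of the From domain (simplified, see the lead-in)."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if a == f:
        return True
    return mode == "r" and a.endswith("." + f)


def dmarc_pass(policy: dict, from_domain: str,
               dkim_pass: bool, dkim_d: str,
               spf_pass: bool, return_path_domain: str) -> bool:
    """DMARC passes when at least one mechanism both passes and aligns."""
    dkim_ok = dkim_pass and aligned(from_domain, dkim_d, policy["adkim"])
    spf_ok = spf_pass and aligned(from_domain, return_path_domain,
                                  policy["aspf"])
    return dkim_ok or spf_ok


if __name__ == "__main__":
    pol = parse_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@abc.example")
    # SPF passes for a Return-Path under mktomail.com, but that domain
    # does not align with the From domain, so DKIM has to carry DMARC.
    print(dmarc_pass(pol, "abc.example", True, "abc.example",
                     True, "em-1.mktomail.com"))
    print(dmarc_pass(pol, "abc.example", False, "",
                     True, "em-1.mktomail.com"))
```
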

DMARC and Marketo Engage


There are two types of alignment for DMARC—DKIM alignment and SPF alignment.

NOTE

For Marketo Engage, it’s recommended to do DMARC alignment on DKIM rather than on SPF.

DKIM-aligned DMARC—To set up DKIM aligned DMARC you must:

Set up DKIM for the FROM: Domain of your message. Use the instructions in this article.

Configure DMARC for the FROM:/DKIM Domain that was configured earlier


DMARC-aligned SPF—To set up DMARC aligned SPF via branded return-path, you must:

Set up Branded Return-Path Domain

Configure the appropriate SPF record

Change the MX record to point back to the default MX for the datacenter your mail will
be sent out of

Configure DMARC for the Branded Return-Path Domain

If you’re sending mail from Marketo Engage through a dedicated IP and have not already
implemented branded return-path, or aren’t sure if you have, please open a ticket with Adobe
Support.

If you’re sending mail from Marketo Engage through a shared pool of IPs, you can see if you
qualify for Trusted IPs by applying here. Branded return-path is offered for free to those sending
from Marketo Engage Trusted IPs. If approved for this program, reach out to Adobe Support to
set up branded return-path.

Trusted IPs: A shared pool of IPs reserved for lower volume users sending <75K/month who
do not qualify for a dedicated IP. These users must also meet best practice requirements.

If you’re sending mail from Marketo Engage through shared IPs and you do not qualify for
Trusted IPs and send more than 100,000 messages per month, you’ll need to contact the Adobe
Account Team (your account manager) to purchase a dedicated IP.

Strict SPF alignment is neither supported nor recommended within Marketo Engage.

Step 5: Set up MX Records for Your Domain


An MX record allows you to receive mail to the domain that you’re sending email from to process
replies and auto-responders. If you’re sending from your corporate domain, you likely already have
this configured. If not, you can usually set it up to map to your corporate domain’s MX record.

Outbound IP Addresses


An outbound connection is one made by Marketo Engage to a server on the internet on your behalf.
Some partners/vendors you work with, or your own IT organization, may use allowlists to restrict
access to servers. If so, you must provide them with Marketo Engage outbound IP address blocks to
add to their allowlists.

Webhooks

Marketo Engage Webhooks are an outbound integration mechanism. When a Call Webhook flow
action is executed as part of a smart campaign, an HTTP request is made to an external web service.
If the web service publisher uses an allowlist on the firewall of the network where the external web
service is located, then the publisher must add the IP address blocks listed below to their allowlist.

CRM Sync

Marketo Engage Salesforce CRM Sync and Microsoft Dynamics Sync are integration mechanisms
that make outbound HTTP requests to APIs published by your CRM vendor. You must ensure that
your IT organization does not block any of the IP address blocks below from accessing your CRM
vendor APIs.

Marketo Engage Outbound IP Address Blocks

The following tables cover all Marketo Engage servers that make outbound calls. Use the lists below
if you’re configuring any IP allowlist, server, firewall, access control list, security group, or third-party
service to receive outgoing connections from Marketo Engage.
