DKIM/SPF set for email address on subdomain?
February 23, 2017
Solved

Hi team. We have a client who has their support email set up on a subdomain - support@nz.domain.com. Just wondering if DKIM/SPF needs to be set up on nz.domain.com or domain.com?

Do let me know if you need more clarity on this.

SanfordWhiteman
Accepted solution
Level 10
February 23, 2017

Set up DKIM at the subdomain level. This provides the highest level of accountability/non-repudiation. (While DMARC w/DKIM has the ability to "walk the tree" to the parent domain, it will never grant the same level of trust that way.)

SPF, too, should be at the subdomain, but SPF in general is meaningless unless you're paying extra to Marketo -- and adding the mktomail.com record and can hurt deliverability for non-Marketo mail if you don't manage your SPF entries correctly.

February 24, 2017

Thanks @Sanford Whiteman! This definitely helps. I've read through a few different feeds around managing multiple domains within a single instance and have been seeing your responses on most of them - I now have more questions than I have answers!

We're looking into creating an additional email tracking CNAME for said client within our instance (separate Workspace), would we be adding the CNAME record within our own DNS or the client's DNS?

Not quite sure if we are needing to follow the Setup Steps (using the client's details) outlined within the Marketo documentation if we wanted to run campaigns for a client within our instance.

Really appreciate your thoughts or anyone else who has been through a similar experience. Again, let me know if more clarity is needed.

SanfordWhiteman
Level 10
February 24, 2017

Hi Keilia,

Yep, you'll see my responses a lot on these topics since I have a background as a mail + DNS admin (still do a bit of it).

If you're going to be running http://click.client.com on your Marketo instance, then the client's DNS team needs to add the CNAME in their DNS zone pointing to <your_instance_name>.mktoweb.com.

Similarly, if you'll be sending mail from user@client.com, then the client needs to add the DKIM entry in the DNS zone for M1._domainkey.client.com. You'll be providing them with the value from the required Marketo UI.

Again, I'd skip SPF. It's at best overkill and at worst... much worse. Only if you have a line item on your Marketo subscription for "branded sender" should you get into SPF.
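An added example, not code from the thread or from Marketo: it models, per RFC 7489, how a receiver relates a From address on nz.domain.com to the DKIM signing domain (strict versus relaxed alignment) and to a DMARC record published only on the parent. The zone contents, the two-entry suffix list and all function names are constructed assumptions; M1 is the selector named in the thread.

```python
# Constructed stand-in for the Public Suffix List used by real DMARC checkers.
PUBLIC_SUFFIXES = {"com", "co.nz"}

# Constructed zone: DKIM key on the subdomain, DMARC record on the parent only.
ZONE = {
    "M1._domainkey.nz.domain.com": "v=DKIM1; k=rsa; p=<public-key-placeholder>",
    "_dmarc.domain.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s",
}

def org_domain(domain):
    """Organizational domain: longest matching public suffix plus one label."""
    labels = domain.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()

def dkim_record_name(selector, d_domain):
    """DNS name where the receiver fetches the key for a d= signing domain."""
    return f"{selector}._domainkey.{d_domain}"

def dkim_aligned(from_domain, d_domain, mode="r"):
    """'s' (strict): exact match. 'r' (relaxed): same organizational domain."""
    f, d = from_domain.lower(), d_domain.lower()
    return f == d if mode == "s" else org_domain(f) == org_domain(d)

def parse_tags(record):
    return dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)

def dmarc_policy(from_domain, zone=ZONE):
    """Return (policy, adkim). Query _dmarc.<From domain> first, then the org
    domain; on that fallback sp= (if present) replaces p= for the subdomain."""
    exact = zone.get(f"_dmarc.{from_domain}")
    tags = parse_tags(exact or zone.get(f"_dmarc.{org_domain(from_domain)}", ""))
    policy = tags.get("p") if exact else tags.get("sp", tags.get("p"))
    return policy, tags.get("adkim", "r")

def evaluate(from_domain, selector, d_domain, zone=ZONE):
    """Summarise what a receiver would conclude for one DKIM signature."""
    policy, adkim = dmarc_policy(from_domain, zone)
    return {"key_published": dkim_record_name(selector, d_domain) in zone,
            "aligned": dkim_aligned(from_domain, d_domain, adkim),
            "policy": policy}

if __name__ == "__main__":
    for d in ("nz.domain.com", "domain.com"):
        print(d, evaluate("nz.domain.com", "M1", d))
```

With the constructed `adkim=s` record, only a signature with `d=nz.domain.com` aligns; under relaxed alignment a `d=domain.com` signature would also align, but its key would have to be published at `M1._domainkey.domain.com`.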