Update, March 10, 2016: For newer customers, Marketo generates a unique keypair and distributes a non-shared public key. However, this post is relevant for the majority of Marketo users. I checked 60 Marketo instances, and 44 of the 58 using DKIM (76%) were using the old shared key — no surprise, since no one told them to stop! Those customers should use Marketo to gen a new key or upload their own as recommended below.
One of the most questionable practices when setting up Marketo is enabling DKIM using the same keypair as every other Marketo user.
This is like everyone in a small town knowing how to forge anybody else's signature: it'll be fine until people get to feudin'. For a security-conscious enterprise, you have to assume everyone else in a multi-tenant system like Marketo is already actively malicious, and sharing a DKIM key with them is downright foolish.
Luckily, Marketo has no problem using your own private keypair, and there's no charge to upload it (unlike some other security measures which add big $ to your subscription). Let me see if I can scare you enough about the risks of a shared DKIM key.
Understand that DKIM does something no other technology can do: it establishes that someone who controls the example.com
domain approved the contents of a message From: user@example.com
. This is a boon for reputation management in both directions. It means you're willing to take responsibility for marketing email at the corporate level, so the email is legitimately from your company. It also means that if you send spam that's DKIM-signed, you can't act like someone did it without your knowledge.
So I highly, highly encourage you to use DKIM. But everyone who takes the easy route and uses Marketo's shared DKIM key can sign mail for anyone else using that key. Imagine if you have a competitor using Marketo (with Marketo being best-in-class software, this is likely already true). Now imagine someone goes rogue at the competitor and decides to send mail from @yourdomain.com to all their leads. They won't be implicated in the blowback, but you sure will. And because the email was DKIM-signed with "your" key, you will have a really hard time saying it wasn't you who sent the mail. (Marketo will have internal logs showing which pod + instance actually wrote the mail, sure, but once you're subpoenaing Marketo you're already in a world of hurt.)
OK, maybe this sounds like something from the movies. I roll my eyes at corporate-assassin trash, too. But from a risk perspective, we know competitors play dirty when they can. This would be a nasty, likely criminal move, but it's not implausible that it could be done by someone sufficiently sociopathic (maybe one who got the idea from this very blog post, ha-ha!).
Here's another problem, one that doesn't require a malicious Marketo subscriber: the private key from the shared keypair must be present on many servers around the globe, since it's used to sign all emails, all the time. If just one of those servers were hacked, the keypair could be used by hackers to wreak havoc on thousands of companies (and Marketo would be in an insane scramble to contain the damage). In contrast, if you use your own keypair, it will only reside on your pod, so the attack surface is comparatively tiny.
So: scared or nah?