You should probably be checking "isTrusted" in postMessage listeners

window.postMessage and corresponding window.onmessage listeners enable secure communication between cross-origin windows, including IFRAMEs. The postMessage API is ubiquitous, used by popular JS widgets like media players (YouTube, Spotify)

Once you rewrite SMTP headers, you either need to re-DKIM-sign the message or stop checking DKIM

A client found a single recipient domain where every Marketo email went to Spam due to failing DKIM validation. (A bad DKIM signature should really result in the message being

If someone recommends “Request Token Encoding: None” in a webhook, always push back

A client recently asked about connecting Marketo to Clay and we were dismayed at Clay’s official docs: See how they recommend Request Token Encoding: None? That’s totally wrong,

Check if the current pageview is associated with a Marketo lead (without using the ol’ hidden KV HTML trick)

Knowing if the current pageview is associated with a known lead vs. anonymous is key to a lot of cool personalization. For example, you can build the equivalent of “If

Help! My Velocity {{my.token}} previews correctly, but I can’t approve the email

At the moment of approval, fields on the $𝚕𝚎𝚊𝚍 object are empty strings (meaning "", not 𝑛𝑢𝑙𝑙). Your code needs to deal with that gracefully.

Careful with native NodeJS fetch() in serverless setups (with any API, not just the Marketo API)

Reminder (if you needed one) that newer doesn’t mean more predictable.

How an “unintrusive” 3rd-party tracking script caused duplicate Marketo form posts

Gotta love devs who don’t know Marketo but say “Just drop it in, trust us.”

Have you no sense of DNS latency, sir, at long last?

Troubleshooting slow-loading email images reveals a classic culprit.