A third of Marketo users have a broken SPF record. How's yours? (Part I)

After leaving some critical comments on this Marketo technote (in which I noted some unfortunate truths about Marketo's own SPF record) I decided to survey 48 Marketo instances I found via my Firefox cookies.

1/3 of those domains — exactly 16 — have broken SPF. That sucks quite a bit.

You could argue that those domains weren't randomly chosen, as they're all domains whose admins posted questions in the Marketo Community. (Chrome is my default browser, but I use FF to access the Nation, so every time I follow an offsite link I get a Munchkin cookie.) But it represents a broad sampling of industries and instance sizes, and there's no reason to believe that folks who don't participate in discussions are doing any better. (And these guys weren't asking questions about SPF!)

Breaking down the errors

Of the 16 broken domains:

  • 12 suffer from the exact issue I pointed out in my comments on the post above: they exceed the max of 10 DNS queries. Again, those comments are here and I strongly recommend you read them now!
  • 1 has a self-referencing include.
  • 1 has a broken include.
  • 1 has the "too many SPF records" problem I got into in this post.
  • 1 has an interesting "void lookup limit" error.

Bottom line: none of these domains has working SPF. They think they do, because they have an SPF record and it passed Marketo's lightweight validation when they added it. But it either was changed later or was broken from the get-go. Either way, like an old bottle of Coppertone, they're getting no SPF protection at all. Instead, servers that check inbound emails against their SPF record always return an SPF error (note it's not a failure but an error, so in most cases the mail will be treated as if they had never set up SPF at all). It's impossible for recipients to tell whether mail is forged, so senders lose all of SPF's positive effects on deliverability.
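To make the five failure classes above concrete, here is an added example checker (my code, not from the original post and not Marketo's validator). It walks an SPF record and its include:/redirect= chain the way a receiving server would and flags the same things the survey found: more than 10 DNS lookups, a self-referencing include, an include whose target has no SPF record, more than one SPF record on a domain, and more than 2 void lookups. All DNS data comes from the constructed ZONE dict, so it runs offline; every domain name in it is made up.

```python
"""Offline SPF sanity checker (constructed example, not a production validator)."""

LOOKUP_LIMIT = 10  # RFC 7208 s4.6.4: max DNS-querying mechanisms/modifiers per check
VOID_LIMIT = 2     # RFC 7208 s4.6.4: max lookups that return no usable records

# Constructed zone data: name -> list of TXT strings.  Names absent from the
# dict stand in for NXDOMAIN / no records.  None of these domains is real.
ZONE = {
    "good.example": ["v=spf1 include:_spf.vendor.example ip4:203.0.113.0/24 -all"],
    "_spf.vendor.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    # one vendor include plus a hub that fans out to seven more, then mx and a
    "toomany.example": ["v=spf1 include:_spf.vendor.example include:hub.example mx a -all"],
    "hub.example": ["v=spf1 " + " ".join(f"include:h{i}.example" for i in range(1, 8)) + " ~all"],
    **{f"h{i}.example": [f"v=spf1 ip4:192.0.2.{i} -all"] for i in range(1, 8)},
    "loop.example": ["v=spf1 include:loop.example -all"],            # self-referencing include
    "broken.example": ["v=spf1 include:nosuchvendor.example -all"],  # include target has no SPF
    "double.example": ["v=spf1 ip4:203.0.113.1 -all",                # two SPF records
                       "v=spf1 ip4:203.0.113.2 -all"],
    "void.example": ["v=spf1 include:gone1.example include:gone2.example include:gone3.example -all"],
}

DNS_MECHANISMS = {"a", "mx", "ptr", "exists"}  # mechanisms that each cost a DNS lookup


class SpfAudit:
    def __init__(self, zone):
        self.zone = zone
        self.lookups = 0
        self.void_lookups = 0
        self.errors = []

    def _spf_records(self, name):
        # Only TXT strings that are exactly "v=spf1" or start with "v=spf1 " are SPF.
        return [t for t in self.zone.get(name, []) if t == "v=spf1" or t.startswith("v=spf1 ")]

    def _count_lookup(self, name=None):
        self.lookups += 1
        if self.lookups == LOOKUP_LIMIT + 1:
            self.errors.append(f"more than {LOOKUP_LIMIT} DNS lookups")
        # Void detection here only covers names we can see in ZONE (TXT data);
        # a full checker would also count empty A/MX answers.
        if name is not None and not self.zone.get(name):
            self.void_lookups += 1
            if self.void_lookups == VOID_LIMIT + 1:
                self.errors.append(f"more than {VOID_LIMIT} void lookups")

    def check(self, domain, chain=()):
        if domain in chain:
            self.errors.append("include loop: " + " -> ".join(chain + (domain,)))
            return
        records = self._spf_records(domain)
        if len(records) > 1:
            self.errors.append(f"{domain}: {len(records)} SPF records, must be exactly one")
            return
        if not records:
            self.errors.append(f"{domain}: no SPF record" + (" (broken include)" if chain else ""))
            return
        for term in records[0].split()[1:]:
            if term.startswith("redirect="):
                target = term[len("redirect="):]
            else:
                term = term.lstrip("+-~?")  # drop the qualifier
                mech = term.split(":", 1)[0].split("/", 1)[0].lower()
                if mech == "include":
                    target = term.split(":", 1)[1]
                elif mech in DNS_MECHANISMS:
                    self._count_lookup()    # a/mx/ptr/exists: one lookup, no recursion here
                    continue
                else:
                    continue                # ip4/ip6/all cost nothing
            self._count_lookup(target)
            self.check(target, chain + (domain,))


def audit(domain, zone=ZONE):
    """Return a dict with status ("ok" or "permerror"), lookup counts and error list."""
    a = SpfAudit(zone)
    a.check(domain)
    return {"status": "permerror" if a.errors else "ok",
            "lookups": a.lookups, "void_lookups": a.void_lookups, "errors": a.errors}


if __name__ == "__main__":
    for d in ("good.example", "toomany.example", "loop.example",
              "broken.example", "double.example", "void.example"):
        r = audit(d)
        print(f"{d:16} {r['status']:9} lookups={r['lookups']:2}  {'; '.join(r['errors'])}")
```

Run it and only good.example comes back "ok"; the others return "permerror", which is exactly the outcome described above: a receiving server cannot evaluate the record, so the mail is neither passed nor failed. Point the ZONE dict at your own record's contents to see how many of the 10 lookups you are actually spending.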

It's not really about Marketo

Remember, for Marketo emails SPF probably doesn't matter. But your SPF record is also intended to protect your company's person-to-person emails from impersonation. If your Exchange server isn't getting credited for SPF:

  • your sales emails, accounting emails, etc. are more likely to be routed to spam folders or quarantines (true, the presumptive spamminess of your emails wouldn't always have been offset by an SPF PASS result, but you'll never get a chance to know)
  • anyone can forge email from your domain, and recipients have lost their best way of detecting such impersonation

Coming up

In Part II I explore "max DNS queries," the issue that affects the largest number of users in the survey.