When your SPF *actually* needs 'include:mktomail.com', it should also end in '-all'

You should know (please tell me you already know!) that you don’t need Marketo in your SPF record unless you’re using a branded sender domain, and moreover you should not alter your SPF record unnecessarily because you can easily break the record entirely.

All that said, if you do use branded sender — it’s an add-on to a typical Marketo subscription, so you’ll know if you have it — then in that case, but only in that case, you should set up SPF accordingly.

But here’s the thing. Once you’re using branded sender, SPF is no longer a hopefully-harmless part of your Marketo setup. It’s integral to protecting your domain against malicious impersonation, and you should set it up as strictly as possible. There is no reason not to.

So I was very disappointed the other day to see an email from Marketo to a customer who had recently added a dedicated IP to their subscription (you’re entitled to a branded sender as part of paying for the dedicated IP).

The email says to create these DNS records, and I quote:

Configure DNS entries as follows for each subdomain:
IN A (your subdomain): 192.1.2.3
IN MX (your subdomain): your subdomain
IN TXT (your subdomain): "v=spf1 include:mktomail.com ~all"

The last line is dead wrong.

The whole idea of dedicating a subdomain of your corporate domain for Marketo emails, let’s say marketingstuff.example.com if your corporate domain is example.com, is that all legit mail with an envelope sender @ that domain will be sent via Marketo.

Any message that attempts to use that envelope sender domain but does not come from a Marketo IP address is thus an illegitimate email. Whether malicious or accidental, such attempts should be rejected by recipients.

But that’s not what the recommended SPF record does:

"v=spf1 include:mktomail.com ~all"

That record ends with the ~all (tilde-all) mechanism! So an email that doesn’t come from Marketo will not have a hard failure (SPF FAIL). It’ll have an SPF SOFTFAIL instead.

As a result, malicious attempts to impersonate your domain will not be rejected, merely lightly weighted as spammy (and can readily reach people’s inboxes).

SOFTFAIL was only intended to be used temporarily: when you aren’t 100% sure you’ve included all your sending IPs, you want the default result to be not as punitive as a FAIL until you can do more testing.

But that’s clearly not the case here. You’ve chosen a domain that is 100% known to only send mail from the IPs include:d in mktomail.com's SPF record. Therefore the SPF record should end with -all (minus-all), which means unlisted senders will get an SPF FAIL.

"v=spf1 include:mktomail.com -all"
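To make the SOFTFAIL versus FAIL difference concrete, here is an added example that is not part of the original post: a minimal SPF evaluator in Python run against a constructed in-memory zone. The address ranges it lists under mktomail.com are made up for illustration (Marketo publishes the real record, and a real evaluator would look it up over DNS), and the evaluator only understands the ip4, ip6, include and all mechanisms. It evaluates the same non-Marketo sender against both records above, and includes the check a DNS reviewer would want: a dedicated sending subdomain whose record does not end in -all gets flagged.

```python
import ipaddress

# Constructed in-memory "DNS" TXT records. The mktomail.com ranges here are
# invented for the example; only the two example.com records mirror the post.
CONSTRUCTED_TXT = {
    "mktomail.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 -all",
    "marketingstuff.example.com": "v=spf1 include:mktomail.com ~all",  # as recommended
    "hardened.example.com": "v=spf1 include:mktomail.com -all",        # as it should be
}

# Qualifier prefix -> SPF result when the mechanism matches (RFC 7208 s4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _split_qualifier(term):
    """Return (result-if-matched, mechanism) for one SPF term; default is '+'."""
    if term[0] in QUALIFIERS:
        return QUALIFIERS[term[0]], term[1:]
    return "pass", term


def check_host(ip, domain, txt=CONSTRUCTED_TXT, depth=0):
    """Evaluate sender IP against the SPF record of `domain` (toy subset of RFC 7208).

    Supports ip4, ip6, include and all. Anything else is reported as permerror
    rather than silently guessed.
    """
    if depth > 10:                      # RFC limit on DNS-querying mechanisms
        return "permerror"
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        result, mech = _split_qualifier(term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return result               # the default that ends every record
        if name in ("ip4", "ip6"):
            # `in` is False when address and network versions differ.
            if addr in ipaddress.ip_network(arg, strict=False):
                return result
        elif name == "include":
            inner = check_host(ip, arg, txt, depth + 1)
            if inner == "pass":
                return result
            if inner in ("none", "permerror"):
                return "permerror"      # included record missing/broken
            # fail, softfail or neutral from the include: keep evaluating
        else:
            return "permerror"          # mechanism not handled by this toy
    return "neutral"                    # no term matched and no 'all' present


def dedicated_subdomain_policy_ok(record):
    """A subdomain that only ever sends via one provider must end in -all."""
    terms = record.split()
    return len(terms) > 1 and terms[-1] == "-all"


if __name__ == "__main__":
    marketo_ip = "192.0.2.10"          # inside the constructed mktomail.com range
    rogue_ip = "203.0.113.5"           # not a Marketo address
    for domain in ("marketingstuff.example.com", "hardened.example.com"):
        record = CONSTRUCTED_TXT[domain]
        print(domain, "->", record)
        print("  legit Marketo IP :", check_host(marketo_ip, domain))
        print("  non-Marketo IP   :", check_host(rogue_ip, domain))
        print("  policy OK        :", dedicated_subdomain_policy_ok(record))
```

The tilde record yields softfail for the non-Marketo sender, which most receivers treat as a mild spam signal rather than grounds for rejection; the minus record yields fail for the same sender, which is the result the post argues a dedicated Marketo subdomain should produce.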

Sadly, SPF has been used for close to 20 years and people still don’t get the basics of its operation.