If you or your organization use restrictive firewall or proxy server settings, you or your network administrator may need to allowlist certain domains and IP address ranges to ensure Adobe Marketo Engage works as expected.
Your marketing group is using Marketo to create branded campaign landing pages and emails. To ensure that those landing pages and emails work, they need a little help from IT. Please set up the following protocols, with the information that your marketing group should have sent you in email.
This article should be shared with the IT department of the company wishing to implement these protocols.
If your IT team restricts web access using an allowlist, ask them to add the following domains (including the asterisk) to allow all Marketo resources and websockets:
Tracking Link CNAMEs
Your marketing team should have sent you two requests for new CNAME records. The first is for landing page URLs, so that the landing pages appear in URLs that reflect your domain and not Marketo (the actual host). The second is for the tracking links that are included in the emails they send from Marketo.
1 Add CNAME for Landing Pages
Add the landing page CNAME they sent you to your DNS record, so that
[YourLandingPageCNAME] points to the unique Account String that is assigned to your Marketo landing pages. Log in to your domain registrar’s site and enter the landing page CNAME and Account String. Typically, this involves three fields:
[YourLandingPageCNAME](provided by marketing)
[MarketoAccountString].mktoweb.com(provided by marketing)
2 Add CNAME for Email Tracking Links
Add the email CNAME marketing sent you, so that
[YourEmailCNAME] points to [MktoTrackingLink], the default tracking link that Marketo assigned, in the format:
[YourEmailCNAME].[YourDomain].com IN CNAME
pages.abc.com IN CNAME mkto-a0244.com
3 Notify Your Marketing Team
Notify your marketing team when you’ve completed this process.
4 Contact Marketo Support to start the process of provisioning an SSL Certificate.
This process can take up to 3 business days to complete.
When your Marketing group uses Marketo to send test emails (a best practice before sending out email blasts), the test emails are sometimes blocked by anti-spam systems that rely on sender IP addresses to verify that the email is valid. To ensure that those test emails arrive, add Marketo to your allowlist.
Add these IP addresses to your corporate allowlist:
Some anti-spam systems use the email Return-Path field instead of the IP address for allowisting. In those cases, the best approach is to allowlist ‘*.mktomail.com’, as Marketo uses several mailbox subdomains. Other anti-spam systems allowlist based on the From address. In these situations, be sure to include all the sending (‘From’) domains that your Marketing group uses to communicate with people/leads.
Postini employs a unique technology and requires allowlisting IP ranges. See Allowlisting with Postini.
Your marketing team should have also sent you DKIM information to be added to your DNS resource record (also listed below). Follow the steps to successfully configure DKIM and SPF, then notify your marketing team that this has been updated.
To set up SPF, add the following line to our DNS entries:
[CompanyDomain] IN TXT v=spf1 mx ip4:
include: mktomail.com ~all
If we already have an existing SPF record in our DNS entry, simply add the following to it:
Replace CompanyDomain with the main domain of your website (ex: “
(company.com/)”) and CorpIP with the IP address of your corporate email server (ex. “255.255.255.255”). If you are going to be sending email from multiple domains through Marketo, you should have your IT staff add this line for each domain (on one line).
For DKIM, create DNS Resource Records for each domain we’d like to setup. Below are the Host Records and TXT Values for each domain we’ll be signing for:
[DKIMDomain1]: Host Record is
[HostRecord1] and the TXT Value is
[DKIMDomain2]: Host Record is
[HostRecord2] and the TXT Value is
Copy the HostRecord and TXTValue for each DKIMDomain you’ve setup after following the instructions here. Don’t forget to verify each domain in Admin > Email > DKIM after your IT staff has completed this step.
An MX record allows you to receive mail to the domain that you’re sending email from to process replies and auto-responders. If you’re sending from your corporate domain, you likely already have this configured. If not, you can usually set it up to map to your corporate domain’s MX record.
An outbound connection is one made by Marketo Engage to a server on the internet on your behalf. Some partners/vendors you work with, or your own IT organization, may use allowlists to restrict access to servers. If so, you must provide them with Marketo Engage outbound IP address blocks to add to their allowlists.
Marketo Engage Webhooks are an outbound integration mechanism. When a Call Webhook flow action is executed as part of a smart campaign, an HTTP request is made to an external web service. If the web service publisher uses an allowlist on the firewall of the network where the external web service is located, then the publisher must add the IP address blocks listed below to their allowlist.
Marketo Engage Salesforce CRM Sync and Microsoft Dynamics Sync are integration mechanisms that make outbound HTTP requests to APIs published by your CRM vendor. You must ensure that your IT organization does not block any of the IP address blocks below from accessing your CRM vendor APIs.
Marketo Engage Outbound IP Address Blocks
The following table covers all Marketo Engage servers that make outbound calls. Use this list if you are configuring any IP allowlist, server, firewall, access control list, security group, or third-party service to receive outgoing connections from Marketo Engage.
|IP Block (CIDR Notation)|