Deauthorize marketing vendor
How to remove Marketo (Adobe)from your domain's SPF and DKIM
Marketo (now Adobe Marketo Engage) publishes via an SPF include, per-instance DKIM selectors with names tied to your Marketo account ID, and one or more 'EAS' (Email Authentication Service) tracking subdomain CNAMEs.
When you'd want to do this
- Replaced Marketo with a different marketing-automation platform (HubSpot, Salesforce Marketing Cloud, ActiveCampaign).
- Downsized the marketing tech stack after a budget review.
- Marketo instance was migrated to a different domain (e.g. parent company acquired the subsidiary).
- Marketo was used by a discontinued business line.
What Marketo (Adobe) adds to your DNS
You need to remove every record below for the de-authorization to be complete. Removing only the SPF include: but leaving DKIM keys published is still a partial authorization - the vendor can sign mail as your domain even without SPF alignment if the recipient has a permissive DMARC policy.
| Type | Host | Look for |
|---|---|---|
| TXT | apex (example.com) | include:mktomail.com The Marketo SPF include. Some older accounts also published include:_spf.marketo.com - check for both. |
| CNAME | M1-<instance>._domainkey.example.com | mxa-<instance>.mktomail.com Marketo DKIM CNAME. The instance identifier is your Marketo subscription number. Look for any CNAME with mktomail.com in the target. |
| CNAME | M2-<instance>._domainkey.example.com | mxb-<instance>.mktomail.com Second Marketo DKIM CNAME for key rotation. |
| CNAME | email.example.com or mkto-<digits>.example.com | mkto-<digits>.com or mktoresp.com Tracking subdomain (CTA links, opens, web tracking). Remove if you also want the tracked links from old campaigns to break. |
Step-by-step
- Stop sending through Marketo (Adobe) first. Check every app, webhook, and automation that hits the vendor's API or SMTP. Pause those before touching DNS - if you flip the DNS first you'll just spend a week chasing bounces from a vendor that's still wired up on your application side.
- Remove the DKIM record(s) at the hosts listed above. Removing DKIM first means any mail still queued from Marketo (Adobe) fails alignment, which is the safer failure mode - the receiver quarantines or rejects rather than silently delivering signed-as-you mail from a vendor you no longer control.
- Remove the SPF include. Open your SPF TXT record at the apex. Look for the exact
include:entry shown above. Remove the entire token (including theinclude:prefix). Leave the rest of the record untouched. Verify the byte-count of the record is now under 450. - Remove the CNAMEs, if any. CNAMEs for tracking domains and return-paths are dead weight once the vendor is gone; some DNS UIs surface them as "orphan records" later if you forget.
- Wait for propagation. 1-4 hours for most providers. The old SPF entry stays cached at receivers for the TTL you published (often 5 min - 1 hour).
Verify it's gone
Run a vendor-consolidation report on your domain. Marketo (Adobe)should be gone from the vendor list. If it's still showing under SPF or DKIM, the DNS edit either didn't save or hasn't propagated yet - re-check in 30 minutes.
You can also do a manual spot-check with dig TXT example.com (replace with your domain). The output should no longer show the Marketo (Adobe) include.
What you'll lose
Marketo nurture programs, smart-campaign sends, and event invitations stop being able to authenticate as your domain. Recipients on strict-DMARC mailbox providers (Gmail, Yahoo, Microsoft 365) will reject or junk them.
Marketo's lead-scoring + web-tracking work continues (those are client-side scripts, not DNS), but the email delivery side of any campaign breaks.
Common gotchas
Marketo's "DKIM 2.0" rollout. In late 2023 Marketo started provisioning 2048-bit DKIM keys via different CNAME targets. Both the old and new records can co-exist during migration. Confirm you're removing both - search DNS for any CNAME under *._domainkey with mktomail in the value.
EAS (Email Authentication Service) opt-in. Marketo's default setup uses a shared sending pool; EAS is the upgrade that authenticates from your own domain. If your Marketo instance never opted into EAS, the DKIM CNAMEs above won't be in your DNS - just remove the SPF include.
Just want to rotate keys instead?
If you're keeping Marketo (Adobe) but want to rotate credentials (a stronger move than just changing the API key - it forces all old DKIM signatures invalid), do it from the vendor side first: Marketo (Adobe) console →
While you're here: audit the rest
The median domain we've analyzed has 6 vendors authorized in DNS and 3 of them can send mail as you. If you just removed one, see who else is on the list.
Run a vendor-consolidation report →