Should SPF records match the 'From:' address or the Return-Path domain when sending from Marketo?
Matthew Whittaker
Co-founder & CTO, Suped
Published 22 May 2025
Updated 12 Oct 2025
7 min read
When sending emails through an email service provider (ESP) like Marketo, a common point of confusion arises around which domain SPF records should apply to. Should it be the visible 'From:' address that recipients see, or the less obvious Return-Path (also known as the Mail From or Envelope From) domain?
The distinction between these two domains is crucial for proper email authentication and deliverability. Misconfiguring SPF can lead to your emails being flagged as spam or rejected outright by recipient mail servers, impacting your marketing campaigns and overall email program.
I'll clarify this common question, especially in the context of Marketo, to help ensure your emails land in the inbox reliably.
SPF (Sender Policy Framework) is an email authentication method designed to detect forging sender addresses, a common spam technique. It specifies which mail servers are authorized to send email from a particular domain. When an email server receives an incoming message, it performs an SPF check by looking up the sender's domain's SPF record in the DNS.
The critical point to understand is that SPF authentication checks the domain specified in the Return-Path (or Mail From, or Envelope From) address, not the 'From:' address (RFC 5322.From) that is visible to the recipient in their email client. The Return-Path address is part of the email's envelope, used during the SMTP transaction for bounce handling. Mail servers use this domain to verify SPF, as highlighted by Gmail and Yahoo in their requirements. Against which domain is SPF checked is a common question, and the answer lies with the Return-Path.
This means that for SPF to pass, the domain in your Return-Path address must have an SPF record that authorizes the sending IP address of your email service provider. Understanding the full form of SPF is essential for this.
Marketo's role in SPF and Return-Path
Marketo, like many other ESPs, handles the Return-Path domain. By default, Marketo uses its own domains (e.g., mktomail.com or a subdomain of mktdns.com) for the Return-Path address. This simplifies SPF setup because Marketo (or Adobe in this case) already publishes the necessary SPF records for their sending IPs on these domains. Marketo's documentation often guides you through adding their include mechanism to your SPF record.
However, for enhanced branding and DMARC alignment, many Marketo users opt for a Branded Return-Path. This means the Return-Path domain will be a subdomain of your primary domain (e.g., mk.yourdomain.com). In this scenario, you must publish an SPF record for this specific subdomain (your branded Return-Path domain) to authorize Marketo's sending IPs.
The instructions provided by Marketo typically refer to adding their SPF include mechanism to the domain used for your branded Return-Path. This ensures that when Marketo sends emails on your behalf, the SPF check passes for the Return-Path domain. This is in line with best practices for SPF record publication.
SPF Record: Marketo manages the SPF record for mktomail.com, authorizing their IPs. No action needed on your 'From:' domain for SPF.
SPF, DMARC, and alignment in Marketo
While SPF checks the Return-Path domain, DMARC (Domain-based Message Authentication, Reporting, and Conformance) requires alignment between the Return-Path domain and the 'From:' domain (or the DKIM signing domain). For SPF to align with DMARC, the Return-Path domain must match the organizational domain of the 'From:' address. A simple guide to DMARC, SPF, and DKIM can provide more context.
When using Marketo's default Return-Path (e.g., mktomail.com), SPF will pass, but SPF alignment for DMARC will fail because mktomail.com does not match your 'From:' domain. This is why a branded Return-Path is often recommended by Marketo and email deliverability experts; it enables SPF alignment with your 'From:' domain, improving DMARC compliance and overall deliverability.
It's important to note that while SPF alignment is beneficial for DMARC, it's not the only way to achieve DMARC compliance. DKIM alignment can also satisfy DMARC requirements, and often, ESPs like Marketo handle DKIM signing with your domain (or a subdomain of it), which can provide the necessary alignment even if SPF alignment is not achieved. Do SPF and DKIM records need to be aligned is a frequent query highlighting this complexity.
From: Address (RFC 5322.From)
Purpose: The email address visible to recipients in their inbox (e.g., info@yourdomain.com).
SPF Check: SPF does not directly authenticate this domain. Its primary role is for branding and recipient recognition.
DMARC Alignment: Used for DMARC alignment, requiring either the SPF-authenticated Return-Path domain or the DKIM-signed domain to match.
Return-Path Domain (RFC 5321.MailFrom)
Purpose: The technical sender address, used for bounce messages and SPF authentication. Often managed by the ESP (e.g., bounces.mk.yourdomain.com).
SPF Check: This is the domain against which the SPF record is checked. Its SPF record must authorize the sending IPs.
DMARC Alignment: For SPF alignment to pass DMARC, this domain needs to match your 'From:' domain (organizational level).
Configuring SPF for Marketo sending
For Marketo, the instructions to update your DNS are almost always for the Return-Path domain. If you are using a branded Return-Path, you will typically create a CNAME record that points your chosen subdomain (e.g., mk.yourdomain.com) to a Marketo-controlled domain. Marketo then manages the SPF record for this CNAME alias. Alternatively, for some configurations, you might explicitly add Marketo's SPF include mechanism to your Return-Path domain's SPF record.
Example SPF Record for Marketo's Default Return-PathDNS
v=spf1 include:mktomail.com ~all
If you are sending from multiple brands (and thus multiple 'From:' domains) but using the same dedicated IPs within Marketo, the SPF record setup generally applies to the Return-Path domain that Marketo assigns or you brand. If each brand has its own branded Return-Path subdomain (e.g., mk.brand1.com and mk.brand2.com), then each of those subdomains will need its own SPF record configured to authorize Marketo.
Always refer to Marketo's most current documentation on configuring email authentication protocols, as these configurations can sometimes evolve. Marketo provides detailed guidance on this setup. If you're unsure, consulting with an email deliverability expert or Marketo support is advisable. You can also review how to validate your SPF setup in Marketo.
Final considerations
The SPF record should be published for the Return-Path domain, whether it's Marketo's default domain or your branded Return-Path subdomain. While a valid SPF record for the 'From:' domain is not strictly required for SPF authentication to pass, having SPF pass for the Return-Path is essential.
For DMARC alignment, a branded Return-Path ensures that SPF passes and aligns, leading to better deliverability and trust with inbox providers. Even if your 'From:' address and Return-Path domains are different, as is common with ESPs, the SPF check still occurs on the Return-Path. Should the Return-Path domain be different is a question with a clear answer in these cases.
Views from the trenches
Best practices
Always configure SPF on your Return-Path domain for Marketo email sending.
Utilize Marketo's branded Return-Path feature for DMARC SPF alignment.
Regularly check your DMARC reports to monitor SPF and DKIM alignment.
Common pitfalls
Attempting to add Marketo's SPF include to your primary 'From:' domain's SPF record if it's not the Return-Path.
Ignoring DMARC alignment, which can lead to emails landing in spam or being rejected.
Not configuring a branded Return-Path when strict DMARC enforcement is desired.
Expert tips
If sending from multiple brands on a shared Marketo IP, ensure each brand's Return-Path subdomain has its own SPF record.
Remember that the visible 'From:' address domain does not require an SPF record for authentication, but it is necessary for DMARC alignment via SPF.
DKIM alignment is an equally valid path to DMARC compliance if SPF alignment proves challenging.
Expert view
Expert from Email Geeks says the SPF record should be for the domain used in the Return-Path, and it likely does not need to include your corporate IP unless that IP is sending mail using the Return-Path string.
2020-04-24 - Email Geeks
Expert view
Expert from Email Geeks says the Return-Path is the address used during the SMTP transaction and is the one SPF authenticates.
2020-04-24 - Email Geeks
Key takeaways for Marketo SPF
For Marketo users, the key takeaway is that SPF records should be configured for the Return-Path domain, not necessarily the 'From:' address that recipients see. Marketo provides the necessary mechanisms, either through its default Return-Path or by allowing you to brand it with a subdomain of your own.
Ensuring proper SPF setup for the Return-Path domain is foundational for email deliverability. Combined with DKIM and DMARC, it forms a robust email authentication framework that helps your messages reach their intended recipients and protects your domain reputation.
Should SPF records match the 'From:' address or the Return-Path domain when sending from Marketo? - Technical - Email deliverability - Knowledge base - Suped
Adobe in this case) already publishes the necessary SPF records for their sending IPs on these domains. Marketo's documentation often guides you through adding their include mechanism to your SPF record.
