Because of this, all our emails are going to spam when we try to email from domain2.com because of a domain mismatch.
You should not make that assumption. The idea that you can’t have a different From: (header) domain and MAIL FROM: (envelope sender) domain has always been FUD.
See, standard shared Marketo instances always have that so-called “mismatch”, because you use your corporate domain in the From: while Marketo uses their own domain in the MAIL FROM:. This setup doesn’t cause widespread inboxing issues on its own; if it did, neither Marketo nor its competitors would have any customers.
Your case is somewhat more complex because it sounds like you set up a branded envelope sender. This means you’re using a customer-controlled domain in the MAIL FROM:, like bounces.example.com. You’re correct that you needed to work directly with support to set this up.
When you have a branded envelope sender (and only when — it’s not necessary with the default setup!) you need to ensure SPF for bounces.example.com includes Marketo’s SPF record. Sometimes people forget/mess up this step and also have a DMARC record that requires strict alignment, while also not signing email properly. There are a number of other ways you can mess up signatures and DMARC records, whether or not you use a branded envelope sender.
Ultimately, we need to know your actual domains, and we need actual snippets of the received email headers. I can also DM you a test email address to send samples to that allows for deeper troubleshooting.
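Added example, not part of the original reply and not Marketo's code: a simplified DMARC identifier-alignment check (RFC 7489) showing why a From:/MAIL FROM: domain difference does not fail by itself, and how the branded-envelope-sender misconfiguration described above does. The scenario names, the `esp-shared.example` domain and the two-label organizational-domain shortcut are assumptions; real receivers use the Public Suffix List.

```python
# Simplified DMARC evaluation: a message passes if SPF *or* DKIM both
# verifies and is aligned with the From: header domain.
# Assumption: organizational domain = last two labels (no Public Suffix List).

def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same org domain)."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_result(from_domain, mail_from_domain, spf_pass,
                 dkim_signatures, aspf="r", adkim="r"):
    """dkim_signatures: list of (d= domain, signature verified) tuples."""
    spf_ok = spf_pass and aligned(mail_from_domain, from_domain, aspf)
    dkim_ok = any(ok and aligned(d, from_domain, adkim)
                  for d, ok in dkim_signatures)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

# Constructed scenarios; every domain here is a placeholder.
SCENARIOS = {
    # Shared instance: ESP domain in MAIL FROM:, customer DKIM signature.
    "shared_esp_with_dkim": dict(
        from_domain="example.com", mail_from_domain="mail.esp-shared.example",
        spf_pass=True, dkim_signatures=[("example.com", True)]),
    # Branded envelope sender whose SPF record includes the ESP.
    "branded_spf_ok": dict(
        from_domain="example.com", mail_from_domain="bounces.example.com",
        spf_pass=True, dkim_signatures=[]),
    # Second From: domain, still fine because DKIM is aligned with it.
    "second_domain_dkim_signed": dict(
        from_domain="domain2.com", mail_from_domain="bounces.example.com",
        spf_pass=True, dkim_signatures=[("domain2.com", True)]),
    # SPF include forgotten, strict alignment, no aligned signature.
    "branded_spf_broken_strict_no_aligned_dkim": dict(
        from_domain="example.com", mail_from_domain="bounces.example.com",
        spf_pass=False, dkim_signatures=[("esp-shared.example", True)],
        aspf="s", adkim="s"),
}

def run_all():
    return {name: dmarc_result(**kw)["dmarc"] for name, kw in SCENARIOS.items()}

if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name}: {verdict}")
```

The inputs correspond to what the received headers report: the From: domain, the Return-Path domain, and the `spf=` and `dkim=` results with their `d=` values in `Authentication-Results`.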