Hi Sanford,
Sorry, sure thing, the domain is @fil.com / @marketo.fil.com
Thanks,
John.
OK, checking your auth results and also hand-checking your DKIM and SPF, everything is as in-order as possible.
Your Marketo-emitted email passes SPF, DKIM, and your DMARC relaxed alignment requirement. (If your DMARC record required strict alignment, they would fail, but you have set up DMARC to match your real-world characteristics.)
In essence, what these clients are requiring is DMARC strict alignment. To be fair, this is a good way to discourage mail from MA platforms, since even with well-managed dedicated IPs and a branded envelope sender domain, that sender domain isn't expected to be the same as your corporate domain (or else OOB bounce messages can't be processed by Marketo). You could of course start setting your visible From: address to user@marketo.example.com, or perhaps only for these super-strict domains (use a segmentation or a Velocity script to switch the From: dynamically). Of course then you need to have the MX records for marketo.example.com point to somewhere other than Marketo so you can get responses.
It's not an easy problem to solve. Truth is some places really don't want email sent from platforms like Marketo, even when you have an ongoing business relationship. I've had to do some insane things (gatewaying some Marketo emails through our own server, and then to the destination, with all the rewriting that suggests) because financial companies refused to budge in blocking Marketo's IP range, although many millions of dollars were changing hands between the companies in question.
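
The relaxed versus strict alignment distinction from the reply above, as an added example that is not part of the original thread. The function names, the sample addresses, and the DKIM `d=` value are constructed for illustration, and the organizational-domain lookup is simplified to the last two labels, where a real evaluator would use the Public Suffix List.

```python
from email.utils import parseaddr

def org_domain(domain):
    # ASSUMPTION: organizational domain = last two labels. A real DMARC
    # evaluator consults the Public Suffix List (needed for e.g. example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' (strict) needs an exact match; 'r' (relaxed) the same org domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)

def dmarc_alignment(from_header, envelope_from, dkim_d,
                    spf_pass=True, dkim_pass=True, aspf="r", adkim="r"):
    """Evaluate identifier alignment for one message.

    aspf / adkim mirror the DMARC record tags of the same names.
    DMARC passes if SPF or DKIM both passes and is aligned with From:.
    """
    from_domain = parseaddr(from_header)[1].rpartition("@")[2]
    spf_domain = envelope_from.rpartition("@")[2]
    spf_ok = spf_pass and aligned(spf_domain, from_domain, aspf)
    dkim_ok = dkim_pass and aligned(dkim_d, from_domain, adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok}

# Constructed sample: corporate From:, branded envelope sender on a subdomain.
CORP_FROM = "User <user@example.com>"
SUB_FROM = "User <user@marketo.example.com>"
ENVELOPE = "bounce-123@marketo.example.com"   # constructed bounce address
DKIM_D = "marketo.example.com"                # constructed d= value

def scenarios():
    return {
        # What a relaxed DMARC record accepts.
        "relaxed": dmarc_alignment(CORP_FROM, ENVELOPE, DKIM_D),
        # What a receiver demanding strict alignment sees.
        "strict": dmarc_alignment(CORP_FROM, ENVELOPE, DKIM_D, aspf="s", adkim="s"),
        # Visible From: moved onto the envelope sender's subdomain.
        "strict_sub_from": dmarc_alignment(SUB_FROM, ENVELOPE, DKIM_D,
                                           aspf="s", adkim="s"),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```
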