Email Domain Reporting when there are multiple SPF DKIM is verified

Are you looking to just see which domains are DKIM and SPF validated?  Do you have access to the Admin tab in Marketo?  You can go there, select Email then SPF/DKIM.  You should see a list of all domains that have had keys generated.  Clicking on the one of them and hitting Check DNS will let you know if that domain is verified or not.

To get our terms in alignment: in Marketo, “branding domain” means a click tracking domain. This is the domain used in rewritten email links. It registers a Clicked Link in Email activity before redirecting to the original destination URL. The branding domain has nothing to do with SPF in any way. It will never be validated using SPF.

The “email domains” are domains known to be used in the From: header. You must verify these domains with DKIM (i.e. set up the corresponding DKIM TXT record) in order for messages to be signed by Marketo. Signed messages are key to passing a strict DMARC policy. But while they do relate directly with DKIM, these email domains also have nothing to do with SPF. They too will never be validated using SPF.

The only Marketo domains that relate to SPF are SMTP envelope sender domains. These are the domains used in the MAIL FROM: (which is not the same as the From: header). Your envelope sender will be something.mktomail.com (by default) or, if and only if you’ve purchased and set up the branded envelope sender add-in, a subdomain of your corporate domain like bounces.example.com. This is the only domain that’s actually validated using SPF: it’s the domain whose SPF record must include:mktomail.com.  If you’re using the default something.mktomail.com as envelope sender, Marketo manages the DNS for that domain, so there’s nothing for you to configure.