Email Tracking URL Security Enhancement | Community
Mike_Reynolds2
New Participant
June 6, 2017

Email Tracking URL Security Enhancement


Overview

For added security, we have added functionality to validate that email tracking URL hash codes originate from the same domain in the subscription. A unique email tracking URL hash code is what is used to identify which Marketo instance the link is coming from, enabling the tracking functionality in your emails.

Example

Here’s an example of how an email tracking URL is constructed:

Enhancement being made:

This enhancement will add extra validation to the tracking URLs used in your emails.

When our tracking server receives the link, it will use the URL hash code to identify the Marketo instance. It then looks up the branding domains associated with the subscription.

If the domain presented in the URL matches a branding domain we have listed for you, the link will connect just as it should. If the domain in the URL does not match a domain in our database, it will be considered suspicious and will be stopped and a "404 error" will be displayed.
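The check described in the post above, sketched as an added example (not Marketo's code and not part of the original post). The hash code as the last path segment, the lookup tables, the 302 success status and all names are assumptions made for illustration; "the domain presented in the URL" is taken to mean the host of the tracking link itself.

```python
from urllib.parse import urlsplit

# Constructed lookup data; hash codes and domains are placeholders.
SUBSCRIPTION_BY_HASH = {"EXAMPLEHASH0001": "sub-a", "EXAMPLEHASH0002": "sub-b"}
BRANDING_DOMAINS = {
    "sub-a": {"go.example.com", "click.example.com"},
    "sub-b": {"links.example.org"},
}


def extract_hash_code(path):
    """Assumed layout: the hash code is the last non-empty path segment."""
    segments = [s for s in path.split("/") if s]
    return segments[-1] if segments else None


def validate_tracking_url(url):
    """Return (http_status, reason) for an incoming tracking link."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return 404, "malformed URL"
    # .hostname lower-cases and drops userinfo and port; also drop a
    # trailing dot so "go.example.com." equals "go.example.com".
    host = (parts.hostname or "").rstrip(".")
    code = extract_hash_code(parts.path)
    if not host or code is None:
        return 404, "malformed URL"
    subscription = SUBSCRIPTION_BY_HASH.get(code)
    if subscription is None:
        return 404, "unknown hash code"
    # Exact match against this subscription's domains only: suffix
    # look-alikes and other subscriptions' domains both fail.
    if host not in BRANDING_DOMAINS.get(subscription, set()):
        return 404, "domain not registered for this subscription"
    return 302, "ok"


if __name__ == "__main__":
    for sample in (
        "https://go.example.com/trk/EXAMPLEHASH0001",
        "https://links.example.org/trk/EXAMPLEHASH0001",
        "https://go.example.com.other.example/trk/EXAMPLEHASH0001",
    ):
        print(sample, validate_tracking_url(sample))
```

The check looks only at the tracking link's own host and hash code; the destination the link eventually redirects to is not part of this sketch.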



Dan_Stevens_
New Participant
June 7, 2017

Since it's just the tracking URL (and not the URL behind it), I suspect this would still allow us to link to third-party sites, correct?

I also came across this - not sure if it's related:

Vulnerability Report: Open Redirect in Jive Social Networking Platform :: From Eric H. Goldman

June 7, 2017

I've got to agree with Sanford here. This sounds like it's going to flag any third party site. Is that the case? If so, that's a huge problem. If that's not the case, you should really clarify.

SanfordWhiteman
New Participant
June 7, 2017

If the domain presented in the URL matches an email domain we have listed for you...

Mike, by "an email domain" you mean a domain in Admin » Email » SPF/DKIM?

If so, why should/would the domain of an email link have a relationship with those domains? Is it no longer possible to link to a third-party site without that site being registered in the Admin UI? And what level of validation is required for a domain to be considered "in our database"?

Is this related to my comment here and the subsequent fix w/r/t Marketo Nation?

This change requires much, much more explanation IMO.

@Dan Stevens​