Pardot Security Update: Content Using

By Lucy Mazalon

Effective April 22 2022, Pardot (AKA. Marketing Cloud Account Engagement) will be rolling out a security enhancement to protect customer data. Certain types of forms have the potential to stop functioning– emphasis added for a reason.

The roll-out will impact Pardot (Marketing Cloud Account Engagement) customers who are using the default domain for their marketing assets. The alternative (now imperative) method is to set up a custom tracker domain (if I’ve lost you here, don’t worry, I’ll iron this concept out!).

The likelihood is that it will affect a minor segment of Pardot accounts– but everyone should run through the recommended steps to check their own unique account. You may find that some rogue forms could be jeopardized.

Who’s Affected?

Only a segment of Pardot (Marketing Cloud Account Engagement) accounts will be affected. Although you could appear to be affected at first glance, some investigation will put your mind at ease (more details later in this guide).

There will be a third group, however, who need to make updates. Before you panic, you should pay attention to what happens if you don’t make changes (more details later in this guide).

These questions are to help you figure out the likelihood that you’re affected; depending on your answers, you will need to take different actions (indicated below).

1. Do you have a custom tracker domain set up?Yes - go to qu. 2 → No - read about how to check your tracker domains and the setup steps. Then go to qu. 2 →
2. Is your custom tracker domain set as primary?Yes - go to qu. 3 → No - read about how to set a tracker domain as primary. Then go to qu. 3 →
3. Do you embed Pardot forms in iframes?
Yes -
increases your chances of being affected.
No - Continue reading this guide. You still may be affected.

Let’s be real, these questions are not foolproof– you could have the custom domain set up but still find marketing assets in your account that are using the default domain.

Common Reasons You’d be Affected

  • You embed Pardot forms or other content in iframes (standalone forms are also be affected) – the difference is explained later in this guide).
    JavaScript is included that’s served over the default domain.
  • You are a long-time Pardot customer and/or haven’t had someone audit the “Domain Management” section of your account.
  • Your account contains older assets that haven’t been checked/updated to not use the default domain.
  • You have many different people creating marketing assets in your account, which means human error could be at play.
  • (An extreme use case) Your Pardot account supports multiple business lines, following an acquisition/s. For example, one organization could end up overseeing X number of legacy websites, yet only have one custom domain set up (for the company doing the acquiring), so the acquired companies would veer towards using


When viewed over the default domain…Are they impacted?
Forms viewed via iframe
Forms viewed as standalone
Forms viewed in a Pardot landing pageX

New Pardot Built-in Scanner

To help get to the bottom of this, Pardot has provided a built-in tool that will “scan” your assets and surface information about them in a list.

Look in your account, a button has appeared on the “Domain Management” settings page called Content Served Using Default Domain.

  • Navigate to: Pardot Settings → Domain Management → Content Served Using Default Domain (you’ll see the button at the top-right of the screen).


It’s designed to identify a) which domain the content is using to be “served” to your audience, and b) which (potentially) problematic assets are using the default domain.

Clicking this will generate a list of marketing assets (forms, landing pages, files, images) and:

  • Accessed at: When the asset was last accessed (ie. a prospect engaging with it). This will help you to prioritize your updates on the assets actually being used (the report started tracking this data for forms from March 14th, 2022, and March 29th, 2022 for all other content. You won’t see dates previous to then.)
  • Referrer URL: the link where this content is publicly available (“served up”).
  • Sec-Fetch-Dest: how the content is accessed, in an “iframe” as “style” (a CSS file), “image,” or “document.”
  • Uses iframe.

Note: this list displays each unique referring URL– one asset could be served in multiple locations, which would mean the asset name appears more than once. This is important as it will help you understand the actions you need to take later.

“Serving” Content: Tracker Domains, Referrer URLs, and iframes

Custom tracker domains enable any landing pages, forms, and files hosted in Pardot (that you create there) to have links that appear as your own brand– without compromising on the prospect activity tracking that Pardot-hosted assets provide.

The referrer URL is where this content is publicly available (“served up”), and is arguably the most important column in the report. Like in a restaurant, food can be “served” in different ways.

In a restaurant…In Pardot…
Content "served" using the default domain: go.pardot.comIn a restaurant, the waiter will serve the food to the recipient. He's wearing a shirt with the restaurant's logo on it.Pardot will serve your content with in the domain (the recipient will know that it is served by Pardot).
Content "served" using a custom tracker domain: go.yourcompany.comWorking for a catering company, the waiter will serve the food without the recipient knowing the company they work for.Pardot will serve your content with the recipient seeing that your company created it (without the recipient knowing that it is served by Pardot).

An iframe acts like a window– your Pardot form sits in the window, and website visitors can see and interact with it (acting independently from the rest of the site, to an extent). To think of it like a restaurant, we can involve a delivery driver:

In a restaurant…In Pardot…
Content "served" using an iframeIn a restaurant, the waiter will pass the food to a delivery driver (through a window). Once the food is gone, no changes can be applied from the restaurant, unless the waiter tracks down the delivery driver! Using an iframe to serve your content means that further configuration in Pardot (eg. updating the tracker domain) won't automatically apply to the content. Instead, we have to track down where it is delivered (the iframe) and make a change there.
Content "served" as a standalone form.You collect takeout food from the restaurant. Once the food is gone, no changes can be applied from the restaurant, but the food is “in your hands”.You can serve forms using the URL that Pardot generates when the form is created (i.e. prospects go directly to the form URL of the form to view it).

How to Investigate – Actions to Take

To make sense of the “Content Served Using Default Domain” report (and results potentially in the hundreds), follow these steps:

  1. Filter the report: Type = forms, and all other filters leave as “Show all”.

Why leave the other filters as “Show all”, including the “Uses iframe” filter? Forms are impacted if they are iframed and if they are viewed standalone (i.e. prospects go directly to the form URL of the form to view it). The emphasis has been on iframed forms until now because it’s a much more common use case (versus standalone form).

In short – you need to see a list of forms that are both iframed, and not.

You could end up with a list that looks like this:

Image courtesy of Triana Jarman.

The example above shows the same form (“Standard Form”) with two different referring URLs– the same form, served in two different locations.

2. (Recommended, but optional – step #3 is more important to prioritize) You can check out any forms that are using the (default) domain. On the form’s page, you will be able to check which tracker domain is being used:

If the form is using, you can update it to another (custom) tracker domain.

3. Remember how iframes work– it’s like you’ve given your content to a delivery driver, and they’ve sped off! Embedding forms in iframes puts some distance between the form and its record in Pardot. Therefore, updating the tracker domain on a specific asset won’t fix your problems– you need to go and update everywhere it’s used.

When embedding Pardot forms using iframe, you generate a snippet of code (using the “View HTML Code” action). The snippet starts with <iframe src= (which can be useful for searching your website’s code) and also contains the selected tracker domain.

Wherever this iframe is located on your website, you also need to go to that location to update the domain being used in the snippet.

Repeat steps 1-3 above using the filters: type = “other content”, and Uses iframe = “Yes”. Custom redirects and Images are not affected, so you can ignore those.

Make this part of your routine!

Remember that the built-in tool started tracking the “accessed at” date (ie. a prospect engaging with it) for forms from March 14th, 2022, and March 29th, 2022 for all other content.

If a prospect accesses content (that hadn’t been accessed since March 14th/29th) then the current date would be recorded. That means new entries could appear, which means you should check the report periodically as part of your admin tasks.

What happens if I don’t make changes?

For a full description, take a look at the “what happens if I don’t make this change section” on the Salesforce FAQ. Here are some examples:

  • The resubscribe alert on-form message will not display.
  • Recaptcha will prevent the form from being submitted.

Someone made a good point that there are various stages of “not working” depending on how much and what kinds of JavaScript you’re using. The form may be functional, but not fully functional.

In short, a simple contact form will likely still work even after the change is made.

Pardot User Training Tips

You’ve stuck with it– and don’t worry, we’re almost at the end. When it comes to guiding your team on best practice going forward, clear communication will be required. will remain the default domain (the domain still works for this purpose) and people might get notice that still appears. The message to your users will be “Yes, it’s there– but don’t use it.”

Documentation, templating forms (so users only have to copy them) are ways to snub out human error.

Get Support

The security enhancement will be effective April 22 2022, when forms of a certain type of JavaScript have the potential to stop functioning.

If you need support with this transition, my recommendation is for you to reach out to Triana Jarman and her team at Modern Marketing. They have already checked their clients’ orgs, and made any changes so that everyone gets the “all clear” signal. You can see her in action here.

The Author

Lucy Mazalon

Lucy is the Operations Director at Salesforce Ben. She is a 10x certified Marketing Champion and founder of The DRIP.


    Adam Vitek
    July 12, 2022 8:05 pm
    Do Pardot Form Handlers need to be updated as well? We use iframes.
    Lucy Mazalon
    September 15, 2022 4:54 pm
    Form handlers are hosted by an external service (not Pardot), so you should be good to go.
    Melinda Moyle
    July 19, 2023 2:47 am
    Is the content above still fairly current? We do not see a button called Content Served Using Default Domain only the button Edit tracking opt in preferences

Leave a Reply