Email Authentication for Pardot, Salesforce, and Marketing Cloud


Email authentication enables your organization to send emails safely. It helps recipient email servers determine whether an email that claims to come from a real account and sender is authentic and not spoofed in any way.

If you are going to send emails from Pardot, Marketing Cloud, or Salesforce on behalf of your organization’s domain, then you need to have SPF, DKIM, and DMARC configurations completed. In this article, we will review each authentication method, and provide a step-by-step guide to implementing SPF and DKIM policies across the three platforms: Pardot, Salesforce, and Marketing Cloud.

Email Authentication Definitions

  • Protocols: Email authentication protocols were developed as a way to strengthen the security of SMTP (Simple Mail Transfer Protocol) and combat the rise of spam, as SMTP itself doesn’t include authentication mechanisms. The following protocols have their own configuration and need to be implemented carefully and verified prior to sending emails from each platform.
  • SPF (Sender Policy Framework): An email authentication technique used to prevent spammers from sending messages on behalf of your domain. As a sender, you will be required to add SPF records in your DNS to allow Pardot or Salesforce to send emails from your organization’s domain.
  • DKIM (DomainKeys Identified Mail): A protocol that allows an organization to take responsibility for transmitting a message by signing it in a way that mailbox providers can verify. Similar to the SPF configuration, DKIM requires you to publish a public key in your DNS; the recipient email server uses this key to verify that the email was signed with the corresponding private key.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance): An email authentication protocol designed to allow email domain owners to protect their domain from unauthorized use (often referred to as email spoofing). This protocol advises the recipient email servers on how to handle emails that are coming from your organization’s domain. (This topic is not covered in this article, as it applies to all mail servers sending emails on your behalf. Learn more about DMARC configuration).

How Does Email Authentication Work?

While SPF verifies that the email is sent from an authorized sender (the sender can be Pardot, Marketing Cloud, or Salesforce), DKIM authenticates the email by validating its signature, created with a private key, against the public key published in DNS.

This can be compared to gaining access to a nightclub. The club’s policy is that you must provide a photo ID on entry to prevent other people from trying to enter using your name (on the guest list).

READ MORE: Deliverability vs. Mailability – Nightclub Guide for Salesforce and Pardot Marketers

Why Implement Authentication Protocols?

There are multiple reasons to implement these protocols:

  1. Successfully implemented SPF, DKIM, and DMARC can protect your business’s brand image, customers, and potential prospects.
  2. These email authentication methods prevent spoofing attempts, and mail servers can stop delivering emails that are not directly generated by your organization.
  3. They also impact your email deliverability. If you do not configure the email authentication protocols properly, the likelihood of missing client inboxes and your email ending up in the spam folder is high.

Preparing for SPF/DKIM Setup

Before starting the SPF and DKIM configuration process, you need to talk to your organization’s IT department: find a list of domains available to use in the new platform, and learn about the process of making changes in DNS.

Make sure to align on timelines and let them know about your implementation deadline. Depending on your IT policy, this can take anywhere from 2-4 weeks.

How to Set Up SPF and DKIM in Pardot (MCAE)

  1. Navigate to Pardot Settings and the Domain Management tab, then click Add New Domain.
  2. Enter the domain name and click Create domain.
  3. Once set up, click Expected DNS Entries and copy the SPF, DomainKey_Policy, and DomainKey Domain and Entry values. You’ll send these to IT in Step 6 below.
  4. Optional: While you are configuring SPF and DKIM settings, you can also create a tracker domain and send your request in a single ticket to your IT department. Scroll down to the Tracker Domains section on the Domain Management page and click Add Tracker Domain.
  5. On the same page, take note of the validation key. You’ll send this to IT in Step 6 below.
  6. Update the red text below with corresponding information from your instance and send it to your IT team.

Hello [name],

I’m working with the marketing team to implement Pardot, our new marketing automation platform. We will be using Pardot to send communication to our customers and prospects from @yourdomain.com. To guarantee great email deliverability and personalized URLs, we need to make the following changes:

We need to set up SPF, DKIM, and CNAME so Pardot is authorized to send emails on our behalf.

  • To set up SPF, please add the following to DNS entries:
    • Type: TXT
    • Entry: v=spf1 include:aspmx.pardot.com ~all
      • If there is already an existing SPF record in the DNS entry, simply add the following to it: include:aspmx.pardot.com
  • To set up DKIM, please create DNS entries for DomainKey_Policy and DomainKey
    • DomainKey_Policy
      • Domain: _domainkey.yourdomain.com
      • Type: TXT
      • Entry: t=y; o=~;
    • DomainKey
      • Domain: [insert host record here]._domainkey.yourdomain.com
      • Type: TXT
      • Entry: [insert host record here]
  • To set up the tracker domain, please create the CNAME and TXT records for go.yourdomain.com
    • CNAME
    • TXT
      • Domain: @
      • Entry: [insert validation key here]

Please let me know when these steps are completed so that we can complete the setup process within Pardot. Feel free to reach out with any questions.

Best,
Marketing Operations


  7. Once you hear back from the IT team that the DNS entries are added, follow these steps to validate and confirm the changes.
    • Navigate to Pardot Settings and the Domain Management tab, then click Check DNS Entries under the Email Sending Domains section. If the correct DNS entries are added, you should see the following screen.
    • To validate the Tracker domain, click validate under the Tracker Domain section. If CNAME is configured properly, you should see the following screen.
  8. If the validation fails for some reason, you can use platforms like mxtoolbox.com to compare the entry values you provided to your IT team versus what they added to DNS. Enter your domain name in the following pages, and you will see the existing entry values in DNS.
    • To review the SPF records, visit https://mxtoolbox.com/spf.aspx. If the SPF is successfully configured, you should see v=spf1 include:aspmx.pardot.com ~all instead of v=spf1 -all.
    • You can follow similar steps to check DKIM and DMARC records.
    • Alternatively, you can ask for a screenshot of published DNS records from your IT team and check the published records. The screenshot from the DNS interface may look like the following.

Note: Entries in the Value column will be unique to your Pardot (MCAE) instance.
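The SPF merge requested in the email to IT and the comparison in Step 8 can also be checked offline. The following is an added example, not part of the original article or any Salesforce tooling; the TXT values are constructed and `_spf.example.net` is a placeholder for whatever your existing record already includes. It catches the common failure where a second SPF record is published instead of merging the include into the existing one.

```python
import re

# All TXT values here are constructed; "_spf.example.net" is a placeholder.

def spf_terms(txt_records):
    """Return the terms of the domain's single SPF record, or raise ValueError."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        # RFC 7208: more than one v=spf1 record is a permanent error.
        raise ValueError(f"expected exactly one v=spf1 record, found {len(spf)}")
    return spf[0].split()[1:]

def is_all(term):
    """True for the 'all' mechanism with any qualifier (+all, -all, ~all, ?all)."""
    return term.lstrip("+-~?").lower() == "all"

def lookup_terms(terms):
    """Count top-level terms that cost a DNS lookup (RFC 7208 caps the total at 10)."""
    names = [re.split(r"[:/=]", t.lstrip("+-~?").lower())[0] for t in terms]
    return sum(n in ("include", "a", "mx", "ptr", "exists", "redirect") for n in names)

def check_spf(txt_records, required_include):
    """Return a list of problems; an empty list means the record looks right."""
    try:
        terms = spf_terms(txt_records)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if f"include:{required_include}".lower() not in [t.lower() for t in terms]:
        problems.append(f"missing include:{required_include}")
    if lookup_terms(terms) > 10:
        problems.append("more than 10 DNS-lookup terms at the top level")
    return problems

def add_include(record, include):
    """Merge include:<include> into an existing record, before its 'all' term."""
    terms = record.split()
    new_term = f"include:{include}"
    if new_term.lower() in [t.lower() for t in terms]:
        return record  # sender already authorized, nothing to change
    pos = next((i for i, t in enumerate(terms) if is_all(t)), len(terms))
    return " ".join(terms[:pos] + [new_term] + terms[pos:])

EXISTING = "v=spf1 mx include:_spf.example.net ~all"  # constructed
MERGED = add_include(EXISTING, "aspmx.pardot.com")
# Failure case: a second SPF record published next to the existing one.
DUPLICATED = [EXISTING, "v=spf1 include:aspmx.pardot.com ~all"]
```

To run it against live data, pass in the TXT strings returned by `dig +short TXT yourdomain.com` with the surrounding quotes removed.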

This is one piece of advice for getting your Pardot account in tip-top condition – check out the guide on The DRIP below for more items to add to your checklist.

READ MORE: 22 Points on Pardot Deliverability, Data, and Compliance

How to Set Up SPF and DKIM in Salesforce

There is a full guide available on Salesforce Ben that covers this process in depth, including the background context. We’ll give you an overview of the process here:

  1. Access Setup and search for “DKIM”, navigate to DKIM Keys under Email, and then click Generate New Key.
  2. Enter Selector, Alternate Selector, and Domain in the required fields. Select the preferred Domain Match policy.
  3. Once published, you should see the following message: “Salesforce has published the TXT records for this DKIM key to DNS. Before activating this key, add the CNAME and Alternate CNAME records in the DNS for your domain.” Copy the CNAME and Alternate CNAME record values. You’ll send these to IT in step 4 below.
  4. Update the red text below with corresponding information from your org and send it to your IT team.

Hello [name],

I’m working with the Salesforce team to enable Salesforce to send emails from @yourdomain.com. To guarantee great email deliverability, we need to make the following changes.

We need to set up SPF and DKIM so Salesforce is authorized to send emails on our behalf.

  • To set up SPF, please add the following to DNS entries:
    • Type: TXT
    • Entry: v=spf1 mx include:_spf.salesforce.com ~all
      • If there is already an existing SPF record in the DNS entry, simply add the following to it: include:_spf.salesforce.com
  • To set up DKIM, please create two CNAME entries
    • CNAME Record
      • Domain: [insert host record here]._domainkey.yourdomain.com
      • Type: CNAME
      • Entry: [insert host value here]
    • Alternate CNAME Record
      • Domain: [insert alternate host record here]._domainkey.yourdomain.com
      • Type: CNAME
      • Entry: [insert host value here]

Please let me know when these steps are completed so that we can complete the setup process within Salesforce. Feel free to reach out with any questions.

Best,
Marketing Operations


  • Once you hear back from the IT team that the CNAME entries are added, navigate back to the DKIM Keys page. It may take 72 hours until DNS changes are propagated. If Salesforce finds relevant CNAME entries in DNS, then the Activate button will be clickable. Click Activate and you can now start sending out emails from Salesforce.
  • If the Activate button is still grayed out after the IT team confirms the configuration and 72 hours have passed, you can use the DKIM Record Lookup tool to validate these records. You can also review the published DNS record via a DNS interface. This view will be accessible only by your IT team and you can ask to get a screenshot of it.

Note: Entries in the Value column will be unique to your Marketing Cloud instance.

How to Set Up SPF and DKIM in Marketing Cloud

The email authentication process is different in Marketing Cloud, compared to Pardot and Salesforce.

Your organization needs to purchase a Sender Authentication Package (SAP) from Salesforce to send authenticated emails from Salesforce. SAP requires you to decide on a domain or subdomain to be assigned for use by the SAP team. Both SPF and DKIM authentication will be configured by Salesforce as a part of the SAP package. You need to reach out to your Account Executive to learn about SAP options for your Marketing Cloud instance.

You can read about the full end-to-end process on The DRIP below, including the troubleshooting you may need to carry out.

READ MORE: The Art of Marketing Cloud Email Deliverability: Set up, Troubleshooting and Prevention

Final Thoughts

Email authentication is an essential part of communicating safely with recipients. If you are still struggling to validate your SPF or DKIM records in Salesforce, Pardot, or Marketing Cloud, please send us a quick message, and we’d be happy to help you troubleshoot.
