Why are Pardot and ExactTarget included in the same SPF record?

Key findings

• Single record rule: Despite using multiple Salesforce products, a domain should only have one SPF record. All authorized sending platforms, including Pardot and SFMC, must be consolidated into this single record.
• Acquisition history: Pardot and ExactTarget were separate entities acquired by Salesforce. They retained distinct (though sometimes overlapping) sending infrastructures, leading to both potentially needing SPF authorization.
• Typographical errors: Minor typos in domain names within an SPF record (e.g., exacttartget.com instead of exacttarget.com) can invalidate SPF authentication and should be corrected promptly.
• Complex setup: Managing SPF for multiple Email Service Providers (ESPs) and subdomains, particularly within large organizations, requires careful planning to avoid exceeding the 10-DNS-lookup limit.

Key considerations

• Verify current usage: Confirm with your marketing and IT teams which Salesforce platforms are actively used for sending email from your domain. This includes both current campaigns and any legacy systems.
• Consolidate includes: Ensure all legitimate sending sources for your domain are listed in a single SPF TXT record, using include mechanisms to reference external SPF records (like those for Salesforce). For guidance, see how to set up email authentication for multiple ESPs.
• Consult partners: Before making any changes to your SPF record, communicate with your marketing partners or Salesforce administrators to understand their current and historical email sending practices.
• Monitor and test: After any updates, use an SPF checker to ensure the record is valid and all necessary senders are authorized. Regularly monitor your DMARC reports for authentication failures that could indicate issues.

Key opinions

• Historical confusion: Marketers frequently deal with SPF records set up before their tenure, making it difficult to ascertain why specific entries like both Pardot and ExactTarget exist.
• Typo recognition: A common first step for marketers is to identify and correct any obvious typos in domain names within the SPF record, as this can be a simple fix for complex-looking issues.
• Risk aversion: Marketers are generally hesitant to make changes to DNS records without explicit confirmation from IT or their email service provider, fearing email delivery disruption.
• Seeking clarity: There's a strong desire to understand if one platform's sending infrastructure has superseded another's, especially post-acquisition.

Key considerations

• Internal communication: Establish clear communication channels between marketing, IT, and external partners (like agencies managing Salesforce) to ensure everyone is aware of the email sending landscape.
• Avoid hasty changes: Never remove SPF entries without confirming they are no longer in use, as this can lead to severe deliverability issues. Consult what happens when your domain is on a blocklist if misconfiguration leads to problems.
• Leverage documentation: Refer to official Salesforce documentation and guides (e.g., Salesforce Ben) for best practices on configuring SPF for Pardot and Marketing Cloud.
• Understand authentication: Familiarize yourself with the basics of SPF, DKIM, and DMARC to better understand the technical requirements for email authentication and how it impacts email deliverability.

Key opinions

• Separate acquisitions: Experts confirm that ExactTarget and Pardot were distinct companies acquired by Salesforce, maintaining separate, though integrated, functionalities and sending pathways.
• Distinct IPs: These platforms don't always share the same sending IPs, justifying their separate inclusions in SPF records if both are actively used.
• Pardot's reliance: Pardot often sends emails using Marketing Cloud (ExactTarget) IPs, meaning an SFMC SPF include may implicitly cover some Pardot sending.
• Spoofing risk: Improper SPF configuration or removal can leave a domain vulnerable to spoofing. This is particularly relevant when comparing to broader platforms like O365, which can sometimes have less stringent default SPF policies if not carefully managed.

Key considerations

• Avoid removal without verification: Never remove SPF records (or parts of them) without confirming with your marketing and Salesforce teams that the associated sending service is no longer in use. Incorrect changes can lead to emails failing authentication.
• Address typos immediately: Ensure all domains within your SPF record are spelled correctly and are legitimate. Typographical errors, such as exacttartget.com, can cause SPF validation failures.
• Monitor SPF lookups: Be mindful of the 10-DNS-lookup limit for SPF records. Too many include mechanisms can lead to SPF TempError results.
• Implement DMARC: Beyond SPF, implementing DMARC provides a comprehensive authentication strategy, allowing you to monitor email authentication results and better understand email flow and potential issues.

Key findings

• One SPF record: Standard documentation confirms that only one SPF record is permitted per domain. Multiple records will cause authentication failures.
• Consolidated authentication: For platforms like Pardot and Marketing Cloud, their SPF requirements should be combined into your single SPF record, typically by adding their include mechanisms.
• Importance of authentication: SPF, along with DKIM and DMARC, forms the backbone of email authentication, crucial for preventing spoofing and ensuring inbox placement.
• DNS lookup limits: Documentation often highlights the SPF 10-lookup limit, a critical factor when adding multiple include mechanisms.

Key considerations

• Refer to official guides: Always consult the latest authentication setup guides from Salesforce (e.g., Trailhead, Salesforce Ben) for Pardot and Marketing Cloud to ensure correct SPF syntax and included domains.
• Regular validation: After any updates to your SPF record, use an SPF validation tool to check for errors, including syntax issues and exceeding the DNS lookup limit.
• Subdomain strategy: For complex setups, consider using subdomains for different email sending purposes, as each subdomain can have its own SPF record.
• Consolidate if possible: If a platform's sending is now covered by another (e.g., Pardot using Marketing Cloud IPs), it might be possible to streamline your SPF record, but this must be confirmed by Salesforce documentation or support.