Can I have multiple SPF records for my domain?

No, a domain should only have one SPF record. If multiple SPF records are found, receiving mail servers will often treat them as invalid, which can cause SPF authentication to fail and lead to emails being marked as spam. All authorized sending services should be included within a single SPF TXT record.

What is the SPF 10-lookup limit?

The SPF 10-lookup limit restricts the number of DNS lookups an SPF record can perform during validation. Each include , a , mx , and ptr mechanism that requires a DNS query counts towards this limit. Exceeding it results in a PermError , effectively failing SPF.

Should I remove an SPF entry if I no longer use the service?

Yes, if a sending service like Pardot or ExactTarget is no longer actively used to send emails from your domain, you should remove its corresponding include statement from your SPF record. This helps to reduce the number of DNS lookups and keeps your SPF record concise and accurate, improving security and maintainability.

How do Pardot and Salesforce Marketing Cloud relate in terms of email sending?

Pardot (now Salesforce Account Engagement) and Salesforce Marketing Cloud (formerly ExactTarget) are both Salesforce products, but they historically used different sending infrastructures. In modern setups, especially with Sender Authentication Packages, Pardot email sending might be routed through Marketing Cloud's IP addresses, meaning that the Marketing Cloud SPF include can cover both.

Why are Pardot and ExactTarget included in the same SPF record? - Technical - Email deliverability - Knowledge base

It is not uncommon for organizations using Salesforce's various marketing platforms to find both Pardot and ExactTarget (now known as Salesforce Marketing Cloud, or SFMC) referenced in their domain's Sender Policy Framework (SPF) record. This situation often leads to confusion, especially if current marketing efforts primarily use one platform. Understanding the historical context and technical nuances behind this configuration is crucial for maintaining optimal email deliverability and avoiding common pitfalls.

The presence of both entities in a single SPF record usually stems from Salesforce's acquisition strategy and the distinct functionalities these platforms offer. Even though they are now part of the same parent company, their underlying email sending infrastructures can be quite different. This guide will clarify why you might see both, and what steps you can take to ensure your SPF record is correctly configured and doesn't hinder your email authentication.

Suped DMARC monitoring

Free forever, no credit card required

Learn more

Trusted by teams securing millions of inboxes

Understanding the relationship between Pardot and ExactTarget

Salesforce acquired ExactTarget in 2013 and Pardot in 2013 as well. While both are powerful marketing automation platforms, they were developed independently and served different primary purposes prior to their acquisition. ExactTarget, rebranded as Salesforce Marketing Cloud, generally focuses on large-scale B2C email campaigns, SMS, and journey orchestration. Pardot, now Salesforce Account Engagement, is more geared towards B2B marketing automation, lead nurturing, and sales alignment.

Due to their separate origins and distinct uses, their initial email sending infrastructures were also separate. When a company uses both platforms (perhaps Pardot for B2B lead nurturing and Marketing Cloud for broader customer communications), it was historically necessary to include both SPF mechanisms in the domain's SPF record to authorize both sending services. Over time, while integrations have improved, the underlying sending mechanisms often retained their distinct identities in terms of SPF requirements.

Pardot (Salesforce Account Engagement)

Focus: B2B marketing automation, lead nurturing, and sales integration.
Sending mechanism: Historically used its own SPF records, though modern configurations often route through Marketing Cloud IPs.

ExactTarget (Salesforce Marketing Cloud)

Focus: Large-scale B2C email marketing, journey builder, and cross-channel campaigns.
Sending mechanism: Uses its own set of SPF records, often including a standard Salesforce include like include:spf.protection.outlook.com or include:cust-spf.exacttarget.com.

How SPF records work and the 10-lookup limit

An SPF record is a DNS TXT record that specifies which mail servers are authorized to send email on behalf of your domain. It is a critical component of email authentication, helping to prevent email spoofing and improve deliverability. Receiving mail servers check this record to verify that incoming mail from your domain originates from an authorized server. If the sending server's IP address isn't listed or included, the email might be marked as spam or rejected.

A fundamental rule of SPF is that a domain should have only one SPF record. Multiple SPF records for the same domain will invalidate all of them, leading to SPF authentication failures. Furthermore, SPF records are subject to a DNS lookup limit. An SPF check can involve a maximum of 10 DNS lookups to evaluate all mechanisms and modifiers, excluding a, mx, ptr, and exists mechanisms. Each include statement counts as one lookup. Exceeding this limit results in a PermError or TempError, causing authentication failures and affecting your email deliverability. This is why it is so important to optimize your SPF record.

Example SPF record with multiple includesDNS

v=spf1 include:_spf.example.com include:spf.exacttarget.com include:pardot.com -all

Beware the 10-lookup limit

Each include statement in your SPF record counts towards the 10 DNS lookup limit. Overlooking this can lead to SPF failures, impacting your sender reputation and increasing the likelihood of emails landing in the spam folder. Regularly check your SPF record for compliance with this limit.

Reasons for combined SPF entries

One primary reason for seeing both Pardot and ExactTarget includes in your SPF record is the historical context of your organization's email sending. If your company used ExactTarget (SFMC) for certain types of campaigns and Pardot for others, both include mechanisms would have been necessary. This is a common scenario for larger enterprises with diverse marketing needs.

Another factor is that some Pardot instances, especially newer ones or those configured with a Sender Authentication Package (SAP) in Marketing Cloud, may route their emails through Marketing Cloud's IP addresses. In these cases, the Marketing Cloud SPF include (e.g., cust-spf.exacttarget.com) would effectively cover Pardot's sending, rendering a separate Pardot include redundant, although it might still be present from a legacy setup. It is important to know that a specific domain, like exacttartget.com, is often a typo for exacttarget.com, which could lead to unnecessary or incorrect entries.

Salesforce Product	Common SPF include	Notes
Salesforce Marketing Cloud	include:cust-spf.exacttarget.com	Used for most Marketing Cloud sending. May vary based on SAP configuration.
Pardot (Account Engagement)	include:pardot.com	Legacy Pardot sending. Modern setups might be covered by Marketing Cloud include.
Sales Cloud / Service Cloud	include:spf.salesforce.com	For emails sent directly from Sales Cloud or Service Cloud.

It is also possible that the multiple entries reflect a transition period where your organization was migrating from one platform to another, or consolidating email sending. During such a phase, both inclusions might have been added to ensure uninterrupted email flow. Once the transition is complete, reviewing and simplifying your SPF record becomes critical to prevent the 10-lookup limit from being exceeded and to maintain optimal email deliverability rates.

Managing your SPF for Salesforce sending

To correctly manage your SPF record when using Salesforce products, the first step is to communicate with your marketing team or partner. They can confirm which Salesforce platform(s) are actively sending emails on behalf of your domain. If one of the entries is for a service no longer in use, it should be removed. This proactive step helps to avoid DNS lookup limit issues and simplifies your authentication setup. When looking to set up SPF records for multiple services, careful planning is essential.

Always ensure your SPF record includes all legitimate sending services. If you are actively using both Pardot and Marketing Cloud for different email streams, and their email bounces are handled by different return-path domains, then having both includes in your SPF record is usually correct. However, if Pardot sending is being routed through Marketing Cloud, or if one service has been deprecated, the extra entry can be problematic for SPF validation.

Regularly reviewing your DNS records, including SPF, DKIM, and DMARC, is a best practice. This helps you maintain control over your email sending infrastructure and quickly identify any misconfigurations or unnecessary entries. Misconfigurations can lead to emails landing in spam folders or even being rejected outright. Ensuring that your SPF and DKIM records align with your DMARC policy is essential for robust email authentication. For more details on Salesforce's email authentication, refer to Salesforce's official documentation.

Best practice: consult your marketing team

Before making any changes to your SPF record, always consult with your marketing department or email service provider. They can confirm which platforms are actively being used for email sending and provide the most accurate SPF details for your current setup. This ensures you avoid disrupting email flow or inadvertently invalidating your authentication records.

Views from the trenches

Best practices

Maintain one SPF record per domain to avoid invalidation.

Confirm active sending services with your marketing team before SPF modifications.

Regularly monitor your SPF record to ensure compliance with the 10-lookup limit.

Common pitfalls

Having multiple SPF records for the same domain, which invalidates them all.

Exceeding the 10 DNS lookup limit in your SPF record, leading to authentication failures.

Not removing SPF entries for services no longer in use, creating unnecessary lookups.

Expert tips

Implement a DMARC policy to receive reports on your email authentication results, which will highlight any SPF failures.

For complex setups, consider using a subdomain for marketing emails to isolate SPF records and manage reputation.

Educate your IT and marketing teams on SPF basics to ensure collaborative and correct DNS management.

Marketer view

Marketer from Email Geeks says that finding both Pardot and ExactTarget in an SPF record is a common historical artifact from Salesforce acquisitions. They advise checking for typos in domain names like 'exacttartget.com' as that specific domain often indicates a mistake in the record.

2019-08-29 - Email Geeks

Marketer view

Marketer from Email Geeks says that ExactTarget and Pardot are distinct Salesforce products with different functionalities and sending IPs. It is crucial to verify with your marketing partners which systems are actively sending emails on your behalf before making any changes.

2019-08-29 - Email Geeks

Ensuring robust email authentication

The presence of both Pardot and ExactTarget (Salesforce Marketing Cloud) includes in your SPF record is often a result of historical usage, platform migrations, or the way Salesforce integrates its various sending services. While it may seem redundant, it's essential to investigate the reason before making any changes. Incorrectly modifying your SPF record can lead to severe email deliverability issues, including emails being sent to spam or outright rejection by recipient mail servers.

Maintaining a clean and optimized SPF record is vital for email authentication and domain reputation. Always consult with your marketing team and review your current email sending practices to ensure your SPF record accurately reflects all authorized senders and adheres to the 10-lookup limit. Proactive management of your DNS records, including SPF and DMARC, is a cornerstone of successful email marketing and security.