Pardot Knowledge Base

Adding SPF and DomainKeys to Your DNS

Last Updated: Oct 05, 2016 | Print this Article
Whoa there, partner! This is an advanced topic. It's a good idea to get your IT department involved in setting up your email authentication.

Pardot allows you to send emails from your actual domain by authenticating through the two most commonly accepted standards: Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). The major ISPs and many corporate spam filters check for one or more of these types of authentication when determining whether or not to allow emails to a recipient’s inbox.

Note: If you change your sending domain make sure you update the domain in your user email addresses -- otherwise you won't be able to send emails from assigned users.

Navigate to Admin > User Management > Users  > Edit each user > change the email domain and/or email address > Save. Users will need to log in with the new email address.  

Email Authentication Checking by ISP

AOL Available Available Available
Gmail Available Available Available
Hotmail/MSN Available Available Available
Yahoo! Available Available Available

Pardot support will require any clients that report issues with email delivery to set up SPF and DomainKeys if they have not done so.


Implementing an SPF record on your domain is easy. Create a TXT record in your domain’s DNS provider. Note that the SPF statement must be a TXT record type -- the SPF record type is obsolete.

If you do not have an existing SPF record

Add the following SPF record to your domain’s DNS provider:
v=spf1 ~all

If you have an existing SPF statement in your DNS records

Add the following to your existing SPF statement and move ~all to the end:
Note: The SPF protocol allows a maximum of 10 DNS lookups total in an SPF statement, and our include statement uses 3.

Sample Screen Shot
Sample SPF Record


DomainKeys is an email authentication system designed to verify the DNS domain of an email sender and the message integrity. This protocol is largely backed by Yahoo. To implement DomainKeys, add two new TXT records to your DNS. The first record tells mailservers what the general DomainKeys settings are and the second record is your actual key. Each record should be on one line. The first will be the following: TXT "t=y; o=~;"
Note: should be replaced with your domain name. The second will look like one of the following examples: TXT
k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGoQCNwAQdJBy23MrShs1EuHqK/dtDC33QrTqgWd9CJmtM3CK2ZiTYugkhcxnkEtGbzg+IJqcDRNkZHyoRezTf6QbinBB2dbyANEuwKI5DVRBFowQOj9zvM3IvxAEboMlb0szUjAoML94HOkKuGuCkdZ1gbVEi3GcVwrIQphal1QIDAQAB;
Sample Screen Shot

Sample DKIM

Generating and Verifying Your SPF and DomainKey Records

If you are a Pardot Administrator, you can generate your DomainKeys within Pardot and verify your SPF and Domainkeys records once you have added them to your DNS.

Generating DomainKeys

  1. Navigate to Admin > Overview.
  2. Click +Add New Domain.
  3. Enter the domain name that you will be sending emails from (what appears after the @ in your email address). For example, if your email is, enter
  4. Click Create domain.
  5. To view the DomainKeys, click the Expected DNS Entries link.
6. If you will be sending emails through Pardot for more than one domain, you will want to repeat the steps above for each one.

Verifying your SPF and DomainKeys

  1. Navigate to Admin > Overview.
  2. Scroll down to Email Sending Domains.
  3. Click Check DNS Entries link.
Check DNS

If your SPF and DomainKeys records were added correctly, you will receive a success message and a green checkmark for each entry. If there is a problem with one or more of your records (or if they are not present), you will see an error message and you can then click on the red X for each record to view the expected and actual entries.

DomainKeys FAQ

What is the difference between DomainKeys and DKIM? What if my company uses DKIM?

DomainKeys and DKIM are similar -- DKIM evolved from DomainKeys. DKIM is a more advanced form of DomainKeys with additional security features. Pardot uses the majority of the features of DKIM because it is a secure enough authentication schema for email delivery in almost all situations and provides maximum backwards compatibility.

SPF record FAQs

Can I have more than one v=spf1 statement for my domain?

There can only be one v=spf1 record for a given domain, so it would need to be combined from, for example:
v=spf1 ~all
v=spf1 ~all
v=spf1 ~all

Can I have more than 10 DNS lookups in my SPF record? Why does Pardot limit this?

DNS lookups are limited to 10 as part of the framework of the Internet, to reduce load on DNS servers, so this is actually not a Pardot-specific requirement. Anything after the first 10 lookups will be ignored, so it's imperative that your SPF statement has 10 or fewer DNS lookups. Any IPs listed beyond 10 will not be read. If you are using one of the ip addresses that the recipient’s mail server was not able to see, then it will fail the SPF check, and the mail server will either drop the email, mark it as spam, put it in the junk folder, etc.

Will implementing SPF records affect my corporate delivery?

If this is implemented correctly, then it won’t affect your corporate email delivery.  The most common mistakes that will affect corporate email delivery are forgetting to incorporate corporate mail services in your SPF statement – this includes your corporate mail server, or domain used for corporate mail, and any other outgoing mail services your company uses.  Otherwise, messages sent from these servers could bounce or be otherwise quarantined on a client server.

Not what you're looking for? Check out these other articles:
Email Authentication Overview
Sending Emails from More than One Domain
Email Terms Glossary

Need more? Start a conversation with other Pardot users in our Success Community