
DNS configuration tips and tricks for Account Engagement

Publication date: Apr 13, 2026
Description

Disclaimer: This article is intended to provide general guidance only. Each DNS system is different, and the specifics of your particular provider will need to be handled by your IT team. Account Engagement Support is not able to offer specific instructions on DNS configuration.

There are 2 features in Account Engagement that will require additional configuration in the DNS system to work properly: Email Sending Domain and Tracker Domain. 

This is also intended to be a companion article to our documentation for these configurations:

 Email Sending Domain
 Tracker Domain

NOTE: Do not use the exact same domain for your email sending domain and your tracker domain. For example, if your tracker domain is go.company.com, your email sending domain cannot also be go.company.com. Using identical domains for both features will likely result in authentication errors and deliverability troubles.

Resolution

EMAIL SENDING DOMAIN:

The email addresses of your users will determine which domain is used when sending emails. In other words, if you send an Account Engagement email and choose susan@examplecompany.com as the sender, examplecompany.com is the domain that would be used. That is the domain that will need to be configured in Account Engagement and where the DNS entries will need to be placed. If your users have different domains, each one that will be used will need to be configured.

The Email Sending Domain involves 3 separate DNS entries:
 

1. SPF (Sender Policy Framework):

SPF is checked against the originating sender of the email, which is Account Engagement. As such, Account Engagement emails will automatically pass SPF, and the domain management page in Account Engagement will reflect the same. No specific SPF configuration is necessary on your end for Account Engagement emails. Work with your IT team to configure the necessary SPF for your business needs. 

For additional assurance, we recommend running a test to confirm full SPF and DKIM passes. There are a number of third-party tools that can assist with troubleshooting email delivery issues. While email testing tools (such as mail-tester.com, mailgenius.com, etc.) can assist with troubleshooting email deliverability, these tools are unaffiliated with Salesforce. Customers can choose to use such email testing tools or not at their sole discretion. We encourage you to review any email testing platform’s privacy policy to fully understand how your information will be treated and make an informed decision accordingly.


2. Validation Key:

This will be a TXT entry in the DNS. This value is unique to your domain and will be used to prove ownership. The entry will need to exist on your email sending domain (or a parent domain) and contain the value found in Account Engagement's Domain Management page. To obtain the value, you can browse to Account Engagement Settings (Admin in Classic) > Domain Management and click the Expected DNS Entries link next to your email sending domain.

 

3. DomainKey:

As with the other 2, this will also be a TXT entry. The value will be a key set for your Account Engagement account's DKIM signature. To obtain the value, you can browse to Account Engagement Settings (Admin in Classic) > Domain Management and click the Expected DNS Entries link next to your email sending domain.

This entry will need to reside in a subdomain:
200608._domainkey.yourdomain.com

Note:
Some DNS systems (such as GoDaddy) will automatically append your domain to the host name specified. For example, if the host is _domainkey.yourdomain.com it may propagate as _domainkey.yourdomain.com.yourdomain.com - the doubling of the domain would be problematic. In these situations, you'd want the host to be simply _domainkey.

NOTE: By default, the key will be 1024-bit. If you have a dedicated Sending IP and a requirement for 2048-bit DKIM key, please log a support case to submit this request. A dedicated IP is *highly* recommended for a 2048-bit key. If a dedicated IP is not something your account could maintain, but you are required to obtain a 2048-bit key, then reach out to support to discuss the risks.

For additional details, see this video: How to Configure Your Account Engagement Email Sending Domain | Account Engagement.

 

TRACKER DOMAIN:

The Tracker Domain (aka CNAME) is essentially a mask that you place over your Account Engagement assets so they are branded with your company name instead of Account Engagement. Tracker Domains must be unique across all Business Units. More general information can be found here: Tracker Domains

A fully validated Tracker Domain will consist of 2 parts:

1. The CNAME record in your DNS. Unlike the Email Sending Domain configuration, this will not be a TXT entry, but rather a CNAME entry. In this entry, you'll want the host (or domain) to be whatever subdomain you choose as your Tracker Domain. Popular options include go.yourdomain.com, www2.yourdomain.com, or marketing.yourdomain.com. This will need to point to go.pardot.com for Account Engagement Production Orgs and go.demo.pardot.com for Account Engagement Sandboxes.

Once configured, you can test that it is working properly by browsing to the tracker domain URL (e.g., marketing.yourdomain.com) - this should redirect to your website, as set in the Account Engagement account settings.

Note: DNS systems can have different configurations for internal traffic vs external. If you are unable to reach your Account Engagement assets on your company's internal network, but they load fine otherwise, ensure the CNAME entry exists in the internal routing as well - an A record alone will not suffice. 

2. The validation entry. This can be achieved through one of 2 ways:

  • A TXT entry in the DNS for the root domain. If, for example, you are using marketing.yourdomain.com as the tracker domain, the validation entry will need to be in yourdomain.com. Like the DomainKey, this will be a unique value which can be obtained via the Domain Management page in Account Engagement. The key will be located under the "Not validated" message for the tracker domain. 

-or-

  • You can download the validation file from Account Engagement, which is a simple text file containing the key. On the Domain Management page, click the "Tools" button and choose "Download validation file." You'll then want to upload that file to the root directory of the parent domain. The file should be accessible at www.yourdomain.com/pardot_XXXXXX.txt (where the Xs will be your Account Engagement account ID).


Once both entries are in place:

  1. Click the Validate link on the Domain Management page to complete the process.
  2. After the domain is validated, you can click on the gear icon and choose Set as Primary.

This will automatically re-write the URLs of all your Account Engagement assets to use this domain. Note that only one domain can be primary at a time. 
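
The checks from the Email Sending Domain and Tracker Domain sections above, collected into one audit over a list of DNS records. This is an added example, not Salesforce code: the function and parameter names and the sample key values are hypothetical, and the root domain is passed in rather than derived.

```python
PROD_TARGET = "go.pardot.com"          # CNAME target for production orgs (from the article)
SANDBOX_TARGET = "go.demo.pardot.com"  # CNAME target for sandboxes (from the article)
DKIM_LABEL = "200608._domainkey"       # DomainKey host label (from the article)
# Constructed sample records with placeholder values; the first host shows the doubling problem.
SAMPLE = [
    ("200608._domainkey.yourdomain.com.yourdomain.com.", "TXT", '"CONSTRUCTED-DKIM-VALUE"'),
    ("yourdomain.com.", "TXT", '"CONSTRUCTED-SENDING-KEY"'),
    ("yourdomain.com.", "TXT", '"CONSTRUCTED-TRACKER-KEY"'),
    ("marketing.yourdomain.com.", "CNAME", "go.pardot.com."),
]

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")

def self_and_parents(domain):
    """Return the domain plus each parent that still has at least two labels."""
    labels = norm(domain).split(".")
    return {".".join(labels[i:]) for i in range(len(labels) - 1)}

def audit(records, sending, tracker, root, sending_key, tracker_key, sandbox=False):
    """Hypothetical helper: records are (owner, type, value); returns finding strings."""
    recs = [(norm(n), t.upper(), v.strip().strip('"')) for n, t, v in records]
    sending, tracker, root = norm(sending), norm(tracker), norm(root)
    findings = []
    if sending == tracker:
        findings.append("sending domain and tracker domain are identical")
    # The provider appended the zone name to a host that was already fully qualified.
    for name, _, _ in recs:
        if any(name.endswith(f".{d}.{d}") for d in {sending, root}):
            findings.append(f"doubled domain in host name: {name}")
    dkim_host = f"{DKIM_LABEL}.{sending}"
    if not any(n == dkim_host and t == "TXT" for n, t, _ in recs):
        findings.append(f"no TXT record at {dkim_host}")
    # The validation key may sit on the sending domain itself or on a parent domain.
    allowed = self_and_parents(sending)
    if not any(t == "TXT" and n in allowed and v == sending_key for n, t, v in recs):
        findings.append("sending validation key not found on domain or parent")
    target = SANDBOX_TARGET if sandbox else PROD_TARGET
    if target not in [norm(v) for n, t, v in recs if n == tracker and t == "CNAME"]:
        findings.append(f"{tracker} has no CNAME to {target}")
    # Only the TXT option is checked here; the validation-file option is not.
    if not any(n == root and t == "TXT" and v == tracker_key for n, t, v in recs):
        findings.append(f"tracker validation TXT not found at {root}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, "yourdomain.com", "marketing.yourdomain.com", "yourdomain.com",
                "CONSTRUCTED-SENDING-KEY", "CONSTRUCTED-TRACKER-KEY"))
```

On the sample, the doubled host produces two findings: the doubling itself, and the missing TXT record at the host where the DomainKey is expected.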

 

Knowledge Article Number

000381907

 