Warning! Do not Pass Go.Pardot.Com

Plus a bonus note on a little-used but handy way to use Pardot (MCAE*) Forms

There's already been a fair amount written about the upcoming security upgrades to Pardot that impact how content is served if you embed forms on your website using go.pardot.com instead of a custom tracker domain (if you don't have one set up, do this ASAP).

In short, starting 8/12/22, certain functions may no longer work if your forms are embedded in this way, one of the big ones being reCAPTCHA. Any embedded JavaScript won't work either.

Bottom line: if you have any iframes on your website that are embedded using go.pardot.com, you need to replace them with your custom tracker domain. In fact, you can simply swap your tracker domain in for go.pardot.com in the URL string in the code and it will work just fine.

Elements generally not affected (although you should be using your tracker domain for everything regardless) include custom redirects, form handlers, landing pages and content.

Before you say "But Bill, that's way old stuff, this doesn't affect me, we transitioned to custom tracker domains years ago," let me suggest that you take 5 minutes to check something to make sure.

On your domain management page in Pardot settings there is a new button called "Content Served Using Default Domain". Push that button.

Hopefully the result looks like this:

Which means that Salesforce didn't find anything to be concerned with. According to product management, they did the best they could to find everything that would indicate something is being used with the default domain. This report tells you what seems to be in use, but it can't tell you where it's being used. That, unfortunately, is going to be detective work for you.

If you do find something on this page, make sure you check it out. Maybe it's some long-forgotten page with an embedded form that hasn't been updated but that some part of your business is still using. One other possibility, and the subject of the bonus content, is forms used like a landing page.
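One way to do that detective work on pages you can export or crawl, as an added example that is not from the original post or from Salesforce: a Python scan that finds iframe, link and form URLs whose host is exactly go.pardot.com and shows the same URL with the tracker domain swapped in. The tracker domain `go.example.com`, the sample HTML and the form paths are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

DEFAULT_DOMAIN = "go.pardot.com"
URL_ATTRS = {"src", "href", "action"}  # attributes that can carry an embed URL

class DefaultDomainFinder(HTMLParser):
    """Record every tag whose URL attribute is served from the default domain."""

    def __init__(self, tracker_domain):
        super().__init__()
        self.tracker_domain = tracker_domain
        self.findings = []  # (line, tag, attribute, current URL, replacement URL)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            try:
                parts = urlsplit(value.strip())
                host = parts.hostname or ""
            except ValueError:  # malformed URL: nothing to rewrite
                continue
            # Compare the parsed host, not a substring, so a mention of the
            # domain inside another site's query string is not flagged.
            if host != DEFAULT_DOMAIN:
                continue
            fixed = urlunsplit(parts._replace(netloc=self.tracker_domain))
            self.findings.append((self.getpos()[0], tag, name, value, fixed))

def scan(html, tracker_domain):
    """Return the findings for one HTML document."""
    finder = DefaultDomainFinder(tracker_domain)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; account id, dates and form ids are made up, and
# go.example.com stands in for your own tracker domain.
SAMPLE = """<html><body>
<iframe src="https://go.pardot.com/l/000000/2022-01-01/abc123" width="100%"></iframe>
<iframe src="https://go.example.com/l/000000/2022-01-01/def456"></iframe>
<a href="https://example.com/?ref=go.pardot.com">partner link</a>
<form action="//GO.PARDOT.COM/l/000000/2022-01-01/ghi789" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, old, new in scan(SAMPLE, "go.example.com"):
        print(f"line {line}: <{tag} {attr}> {old} -> {new}")
```

Only the host is replaced; the scheme, path and query string of each flagged URL are kept as they were.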

Did you know you can just use a Pardot form as if it's a landing page?

Since all Pardot forms have an absolute address (with both the go.pardot.com and the tracker domain variations), they can be used as a mini landing page. Forms have above and below form content, right? You can style them and give them completion actions and post-submit behavior. So if all you really need is for someone to fill out a form, you don't have to embed it anywhere and you don't have to build a landing page; you can just send people directly to the form's URL, which you can find right on the form page after you create it. So one possible source of go.pardot.com use is people accessing the form directly using its URL.

This is great for instances where you want to control who gets the form, who knows where it is, or not have it indexed. Here are some use-cases for the form-as-a-landing-page technique:

  • Use it for internal purposes in kiosk mode as a one-off add-to-Pardot data entry form, for example for third-party leads.

  • Use it as a signup form for an in-person event.

  • Use it for internal purposes in kiosk mode as a way for a staff member who's not a Salesforce user to accomplish a specific action on an email address in Pardot (via completion actions), such as signing up people for a newsletter or setting as do not email or do not call.

  • Use it as the destination from an email as a survey or "update missing details" form.

  • Use it as a proxy for an email preference center that allows people to "sign up" for emails and lists without giving them the ability to unsubscribe.



Apr 20, 2022

Thanks for this Bill! I wasn't aware of that audit feature. I just checked it out in one of the Pardot accounts I work in. Weird thing is, none of the content (all image and pdf files) it listed is using the Default domain ( It's using the vanity tracker domain (which also happens to start with "go" — e.g. ""). But these are very old assets it is listing. My guess is they were originally using the default domain, but then converted to the vanity tracker after the CNAME was implemented. Hopefully that won't be an issue.

Bill Fetter
Apr 20, 2022

Images/content should be fine. It's cross-site scripting that's being restricted. Possibly the ones it's flagging still are listing as their default tracker domain? That's the only thing I can think of.

*As of April 2022, Pardot has been renamed Marketing Cloud Account Engagement, as part of Salesforce's effort to organize all the marketing products under the same platform umbrella. "MCAE" is simply the same Pardot we know and love under a new name. The product is temporarily being referred to as "Marketing Cloud Account Engagement powered by Pardot."   

