Make your form embeds happier and more productive by loading from your LP domain (not //

Update 2019-11-07: You must pair this tip with the HTML and JS hints in this other post to fully avoid accidental blocking by Tracking Protection.

Buried in a bunch of my Nation responses is this ginormously important guideline: whenever possible, use your Marketo LP domain in your form embed code instead of the default

Once per week, I'd estimate, an admin solves their “forms sometimes not showing up” problem with this tiny tweak.

That is, if the embed code in the Marketo UI is:

<script src="//"></script>
<form id="mktoForm_999"></form>
<script>MktoForms2.loadForm("//", "123-ABC-456", 999);</script>

and your primary Marketo LP Domain (or a Domain Alias) is:

then edit the embed code (after pasting on your external site) to be:

<script src="//"></script>
<form id="mktoForm_999"></form>
<script>MktoForms2.loadForm("//", "123-ABC-456", 999);</script>

The only — and I mean only — reason to avoid this change is if your external site requires SSL (https:) but your Marketo subscription does not yet include Marketo's SSL add-on[1]. (Built-in browser security won't allow forms to load if you're in this unfortunate situation.)

In all other cases, you can and should switch over. Like, yesterday. That includes (1) when your external domain and Marketo LP domain both run over SSL (best practice in 2019); (2) when neither uses SSL (eh, it works); and (3) when the external site doesn't, but the Marketo domain does use SSL (strange but possible).

What's this about?

It's about tracking protection. If someone browses your site using Firefox with TP turned on, or with Ghostery or a similar plugin, they will not be able to load forms from app-∗, because they can't load anything from domains matching ∗.marketo.∗

It makes sense that Munchkin (from would be blocked, of course. That's what anti-tracking features/plugins are designed to do. But forms can be thrown out with the bathwater, if you will.

Yes, it's not really fair — for all that matters! — because form submissions require deliberate user action, and they don't inherently “track” anything but the Filled Out Form activity itself (assuming Munchkin cookies are blocked and all existing cookies were deleted).

But it's something we have to live with: Munchkin is fairly described as a tracker, Munchkin comes from the domain marketo.something, and the major marketo.{tld} domains are of course all owned by Marketo. So, fair or not, privacy wins out… even if that means forms leave a blank space on your page for some end users.

By loading from your Marketo LP domain instead, you fully comply with the anti-tracking plugin (since you aren't dropping any new cookies or logging any more pageviews/clicks with Munchkin blocked) but also allow forms to be seen and be filled out. So do it!

Why isn't it the default?

Because of the SSL exception described above. Apparently, the Embed Code textbox in the UI and the underlying domain setup can't communicate. So the LP domain can't safely be the default, as not everyone can use it.

We're in the process of getting SSL on our Marketo LPs, but not sure if it's ready

If you have a pending order with Marketo, you can quick-check the state of affairs (for the purposes of this blog post) by loading the Forms 2.0 forms2.min.js in your browser. Here's Firefox's way of saying your custom cert isn't installed yet:



[1] You could also run your Marketo LPs through your own SSL-protected CDN. That's far cheaper than using Marketo's SSL add-on, but the add-on has come down a lot in price and is quite reasonable now.