×

HubSpot Email Authentication Guide

/ CRM, Hubspot / By

HubSpot Email Authentication Guide

Configuring SPF, DKIM, and DMARC correctly for HubSpot is essential if you want your sales and marketing emails to reach inboxes instead of spam folders. This guide walks you through what these records are, how they work, and how to align them with your HubSpot sending domain.

All three authentication methods work together to verify that email sent from your domain is legitimate, that it has not been tampered with, and that mailbox providers know how to handle suspicious messages that appear to come from you.

Understanding SPF, DKIM, and DMARC for HubSpot

Before you log into your DNS provider or adjust any records for HubSpot, it helps to understand the role of each authentication protocol. They combine to give providers like Gmail, Outlook, and Yahoo the confidence that your messages are trustworthy.

SPF: Sender Policy Framework basics

SPF (Sender Policy Framework) is a DNS record that lists the authorized servers allowed to send email on behalf of your domain. When you send a message using HubSpot, receiving servers check your SPF record to confirm that HubSpot is permitted to send mail from your domain.

An SPF record is stored as a TXT record in DNS. A typical SPF entry can include multiple email providers and services that send mail for your domain, such as your primary mail server, marketing platform, and help desk tool.

To keep SPF effective, you must ensure that every legitimate sending service is included, and that you do not exceed DNS lookup limits that can cause failures.

DKIM: Cryptographic signing for HubSpot emails

DKIM (DomainKeys Identified Mail) works by adding a digital signature to each email message. The signature is validated using a public key published as a TXT record in your DNS. When your HubSpot messages pass DKIM checks, providers see that mail is truly from your domain and has not been changed in transit.

HubSpot generates the DKIM selector and key pair during the email domain connection process. Once you add the generated CNAME or TXT records to your DNS, HubSpot can sign outgoing messages with your domain. This step is critical for building a consistent, authenticated sending reputation.

DMARC: Policy and reporting layer

DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together. It tells receiving servers what to do when messages fail SPF and DKIM alignment checks, and it sends you reports so you can monitor abuse and misconfiguration.

A DMARC record is another TXT entry in your DNS. It typically defines:

  • The policy for failed messages (none, quarantine, or reject).
  • The percentage of traffic the policy applies to.
  • Where to send aggregate and forensic reports.

By aligning your DMARC policy with HubSpot and any other mail systems, you create a clear framework that helps prevent spoofing and phishing using your domain.

How SPF Works with HubSpot

SPF checks whether the IP address sending an email is authorized to use the envelope sender domain. In a HubSpot setup, this means your DNS record must explicitly grant HubSpot permission to send on behalf of your branded domain.

Key SPF concepts for HubSpot senders

When working with SPF for HubSpot, there are several core elements you need to understand:

  • Mechanisms such as ip4:, include:, and a define which hosts are allowed to send mail.
  • Qualifiers like +, -, ~, and ? specify how strict the rule is.
  • DNS lookup limits restrict you to ten total DNS lookups per SPF evaluation to avoid performance issues.

Most marketing and CRM platforms, including HubSpot, provide a recommended include: mechanism that you add to your existing SPF entry. This allows your domain to authorize multiple mail sources with one consolidated record.

Best practices for SPF with HubSpot

To maintain a healthy SPF configuration that works effectively with HubSpot, follow these practices:

  • Use a single SPF TXT record for your domain rather than multiple records.
  • Combine all providers into that one record using include: where appropriate.
  • Review SPF after adding or removing any email-sending service.
  • Avoid unnecessary lookups by removing legacy or unused includes.

Proper SPF configuration improves the likelihood that your HubSpot messages pass authentication checks and land in the primary inbox.

How DKIM Works with HubSpot

DKIM adds a tamper-evident seal to each email from your domain. This seal is created using a private key stored by the sending platform, such as HubSpot, and validated using a public key published in your DNS.

DKIM alignment and HubSpot domains

For DKIM to contribute to DMARC alignment, the domain in the DKIM signature must match or be a subdomain of the visible From address. This is why connecting your sending domain directly in HubSpot is so important: it ensures that messages are signed with keys tied to your own domain instead of a shared domain.

Once your DNS is configured with the provided CNAME or TXT entries, HubSpot can automatically sign new messages. Over time, successful DKIM validation helps providers trust your brand and can improve inbox placement.

Maintaining strong DKIM for HubSpot

To keep DKIM functioning correctly alongside HubSpot, you should:

  • Verify that all generated DNS records are added exactly as provided.
  • Allow sufficient time for DNS propagation before testing.
  • Avoid editing or truncating long DKIM keys in your DNS manager.
  • Periodically confirm that DKIM is still passing using email testing tools.

If DKIM fails or becomes misaligned, you may see an increase in spam filtering for your HubSpot campaigns until the issue is resolved.

How DMARC Protects Your HubSpot Emails

DMARC adds a policy layer on top of SPF and DKIM so you can tell providers how to treat messages that fail authentication. For HubSpot senders, DMARC is the mechanism that ultimately protects your domain from misuse while still allowing legitimate marketing and sales outreach.

Core DMARC policy options

When you publish a DMARC record, you specify one of three primary policies:

  1. p=none – Monitor only. Mail providers send you reports but do not change how they handle failed messages.
  2. p=quarantine – Suspicious messages are accepted but are typically sent to spam or a similar folder.
  3. p=reject – Messages that fail DMARC alignment are blocked outright.

New implementations often start with a monitoring mode policy and then gradually increase enforcement as they confirm that all legitimate sources, including HubSpot, are correctly authenticated.

DMARC alignment with HubSpot SPF and DKIM

For a message to pass DMARC, either SPF or DKIM must pass and be aligned with the domain in the visible From address. In practice, this means:

  • Your SPF record must authorize all legitimate sending services, including HubSpot, while using an appropriate return-path domain.
  • Your DKIM signatures must use a domain that matches the From address or a parent domain.

Once both SPF and DKIM are functioning properly with HubSpot, you can use a DMARC policy to block impostor messages that attempt to use your domain without permission.

Step-by-Step: Preparing Authentication for HubSpot

Implementing SPF, DKIM, and DMARC for HubSpot is most effective when you follow an ordered process. The steps below outline a practical workflow you can adapt to your own domain and DNS provider.

1. Inventory all email senders

Begin by listing every platform that sends email from your domain, not just HubSpot. This might include:

  • Your primary email server or workspace provider.
  • Marketing tools and CRM platforms.
  • Support ticketing systems.
  • Billing or transactional services.

This inventory will guide how you build a complete SPF record and ensure that your DMARC policy does not inadvertently block legitimate services.

2. Review the source guidance

For specific record formats and the latest instructions, refer to the original technical explanation of SPF, DKIM, and DMARC at this HubSpot resource. The concepts described there apply across most DNS hosts and mail providers.

3. Configure SPF with all platforms

Next, update your SPF TXT record to include all authorized senders, including any value required for HubSpot. Combine mechanisms into a single comprehensive record, test it for syntax errors, and verify that you remain under the DNS lookup limit.

4. Connect and verify your domain for HubSpot

In your account settings, follow the prompts to connect your sending domain. HubSpot will generate the necessary DNS records for SPF alignment, DKIM signing, or both, depending on how your environment is configured. Add these entries in your DNS provider, then confirm their status from within your account.

5. Publish a monitoring DMARC policy

Once SPF and DKIM are passing for your key senders, publish a DMARC TXT record with a monitoring policy. Configure aggregate report destinations so you can observe how mailbox providers see your traffic. This monitoring phase helps you verify that HubSpot and other services are correctly aligned.

6. Gradually tighten DMARC enforcement

After reviewing DMARC reports and resolving any misconfigurations, you can step up enforcement by moving from p=none to p=quarantine and eventually to p=reject. Each change should be done carefully while monitoring deliverability, especially for high-volume HubSpot campaigns.

Optimizing Deliverability Beyond HubSpot Configuration

Technical authentication is only one part of a successful email program. Even with correct SPF, DKIM, and DMARC for HubSpot, content quality, engagement, and list hygiene play major roles in whether your messages reach the inbox.

To further strengthen your deliverability, you can:

  • Remove inactive or invalid addresses from your lists.
  • Avoid spam-triggering language and misleading subject lines.
  • Send consistently instead of in sudden large spikes.
  • Segment contacts and tailor messaging to each audience.

If you need specialized support implementing or auditing your authentication and deliverability strategy around HubSpot and other platforms, consider working with an experienced consultancy such as Consultevo, which focuses on CRM and marketing technology optimization.

By combining strong SPF, DKIM, and DMARC implementations with responsible sending practices, you equip HubSpot to perform at its best while protecting your brand, your domain, and your contacts from phishing and spoofing attempts.

Need Help With Hubspot?

If you want expert help building, automating, or scaling your Hubspot , work with ConsultEvo, a team who has a decade of Hubspot experience.

Scale Hubspot

“`

Verified by MonsterInsights