Provider Guide

How to Set Up DMARC for HubSpot

Step-by-step guide to configuring SPF, DKIM, and DMARC for HubSpot email authentication. Improve deliverability and meet Google/Yahoo sender requirements.

Published July 17, 2025

HubSpot is a leading CRM and marketing automation platform used by businesses to send marketing emails, sales sequences, and transactional notifications. Properly authenticating your domain ensures these emails reach your recipients’ inboxes instead of spam folders.

This guide walks you through setting up SPF, DKIM, and DMARC for emails sent through HubSpot.

Before You Begin

What You’ll Need

  • Access to your HubSpot account (Settings permissions required)
  • Access to your domain’s DNS management (GoDaddy, Cloudflare, Namecheap, Route 53, etc.)
  • 30-45 minutes to complete setup and verification

What HubSpot Authentication Includes

Record Type | Purpose | Required?
DKIM | Cryptographically signs emails to verify authenticity | Yes
SPF | Authorizes HubSpot servers to send email for your domain | Recommended
DMARC | Tells receivers how to handle authentication failures | Yes (for bulk senders)

Step 1: Connect Your Email Sending Domain in HubSpot

First, initiate the domain connection process in HubSpot to get your specific DNS records.

Access Domain Settings

  1. Log in to your HubSpot account
  2. Click the Settings icon (gear) in the top navigation bar
  3. In the left sidebar, navigate to Content → Domains & URLs
  4. Click the Email Sending Domains tab
  5. Click Connect a domain

Enter Your Domain

  1. Select Email Sending as the domain type
  2. Enter your email sending domain (e.g., yourdomain.com or mail.yourdomain.com)
  3. Click Next

HubSpot will now display the DNS records you need to add.

Step 2: Set Up DKIM (Required)

DKIM is the primary authentication method for HubSpot emails. You’ll add two CNAME records.

HubSpot DKIM Records

HubSpot provides two DKIM CNAME records unique to your account:

Record Type | Host/Name | Points To
CNAME | hs1-[ID]._domainkey | yourdomain-com.hs##a.dkim.hubspotemail.net
CNAME | hs2-[ID]._domainkey | yourdomain-com.hs##b.dkim.hubspotemail.net

Note: The exact values are unique to your HubSpot account. Copy them directly from your HubSpot domain settings.

Add DKIM Records to Your DNS

Cloudflare

  1. Log in to your Cloudflare dashboard
  2. Select your domain
  3. Go to DNS → Records
  4. Click Add record
  5. For each DKIM record:
    • Type: CNAME
    • Name: The host value from HubSpot (e.g., hs1-12345678._domainkey)
    • Target: The value from HubSpot (e.g., yourdomain-com.hs04a.dkim.hubspotemail.net)
    • Proxy status: DNS only (gray cloud) — Important!
    • TTL: Auto
  6. Click Save

⚠️ Critical for Cloudflare users: The proxy status MUST be set to “DNS only” (gray cloud icon). Proxied CNAME records will cause DKIM verification to fail.

Also ensure CNAME Flattening is disabled for DKIM records:

  1. Go to DNS → Settings
  2. Set “CNAME Flattening” to “Flatten at root only”

GoDaddy

  1. Log in to your GoDaddy account
  2. Go to My Products → DNS
  3. Select your domain
  4. Click Add under Records
  5. For each DKIM record:
    • Type: CNAME
    • Name: Host value from HubSpot (without your domain, e.g., hs1-12345678._domainkey)
    • Value: Target value from HubSpot
    • TTL: 1 Hour
  6. Click Save

Namecheap

  1. Log in to your Namecheap account
  2. Go to Domain List → Manage for your domain
  3. Click Advanced DNS
  4. Click Add New Record
  5. For each DKIM record:
    • Type: CNAME Record
    • Host: Host value from HubSpot (e.g., hs1-12345678._domainkey)
    • Value: Target value from HubSpot
    • TTL: Automatic
  6. Click the checkmark to save

Amazon Route 53

  1. Open the Route 53 console
  2. Select your hosted zone
  3. Click Create record
  4. For each DKIM record:
    • Record name: Host value from HubSpot (e.g., hs1-12345678._domainkey)
    • Record type: CNAME
    • Value: Target value from HubSpot
    • TTL: 300
  5. Click Create records

Step 3: Set Up SPF (Recommended)

SPF is optional for HubSpot since DKIM provides DMARC alignment, but it adds an extra layer of authentication.

If You Don’t Have an Existing SPF Record

Create a new TXT record:

Type: TXT
Host: @
Value: v=spf1 include:_spf.hubspot.com ~all

If You Already Have an SPF Record

Add HubSpot’s include statement to your existing record.

Before:

v=spf1 include:_spf.google.com -all

After:

v=spf1 include:_spf.google.com include:_spf.hubspot.com -all

Important SPF rules:

  • Only one SPF record per domain
  • Keep the v=spf1 at the beginning
  • Keep -all or ~all at the end (only once)
  • Maximum 10 DNS lookups total

Verify Your SPF Record

dig +short TXT yourdomain.com | grep spf

You should see your complete SPF record including the HubSpot include.

Step 4: Set Up DMARC (Required for Bulk Senders)

DMARC tells receiving email servers what to do when a message fails authentication, meaning neither SPF nor DKIM passes in alignment with the From domain. It also provides reporting so you can monitor authentication.

Basic DMARC Record

If you don’t have a DMARC record yet, start with monitoring mode:

Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:[email protected]

DMARC Record Components

Tag | Value | Meaning
v | DMARC1 | DMARC version (required)
p | none / quarantine / reject | Policy for handling failures
rua | mailto:address | Where to send aggregate reports
adkim | r | Relaxed DKIM alignment (default)
aspf | r | Relaxed SPF alignment (default)

Add DMARC Record to Your DNS

Any DNS Provider

Field | Value
Type | TXT
Host/Name | _dmarc
Value | v=DMARC1; p=none; rua=mailto:[email protected]
TTL | 3600 (or default)

Note: Replace [email protected] with an email address you control. This inbox will receive XML reports about your email authentication.

Verify Your DMARC Record

dig +short TXT _dmarc.yourdomain.com

You should see your DMARC policy.

Step 5: Verify in HubSpot

After adding DNS records, verify them in HubSpot.

Check Authentication Status

  1. Return to Settings → Content → Domains & URLs → Email Sending Domains
  2. Find your domain in the list
  3. Check the status:

     Status | Meaning
     Authenticated | DKIM, SPF, and DMARC all verified ✅
     Partially Authenticated | DKIM verified, SPF or DMARC pending
     Pending | DNS records not yet detected
     Not Authenticated | Configuration issue

  4. If records aren’t verified, click Continue setup to see which records need attention

Verification Timeline

  • DNS records typically propagate within 10-70 minutes
  • Some providers may take up to 24-48 hours
  • HubSpot checks periodically—you can click “Verify” to check manually

Step 6: Send a Test Email

After verification, send a test email to confirm authentication is working.

Test Process

  1. In HubSpot, create a test marketing email or use an existing draft
  2. Send it to a Gmail, Yahoo, or Outlook address you control
  3. Check the email headers for authentication results

View Headers in Gmail

  1. Open the test email
  2. Click the three dots (⋮) → Show original
  3. Look for the Authentication-Results section

You should see:

dkim=pass header.d=yourdomain.com
spf=pass (or softfail if not configured)
dmarc=pass

What to Look For

Result | Meaning
dkim=pass | ✅ DKIM signature verified
dkim=fail | ❌ DKIM configuration issue
spf=pass | ✅ SPF authorized the sender
spf=softfail | ⚠️ SPF configured with ~all (acceptable)
dmarc=pass | ✅ DMARC alignment successful
dmarc=fail | ❌ Neither DKIM nor SPF aligned

DMARC Policy Progression

Don’t stay at p=none forever. Progress to enforcement:

Phase 1: Monitor (p=none)

v=DMARC1; p=none; rua=mailto:[email protected]
  • Start here to collect data
  • Review DMARC reports for 2-4 weeks
  • Identify all legitimate sending sources
  • Fix any authentication issues

Phase 2: Quarantine (p=quarantine)

v=DMARC1; p=quarantine; pct=10; rua=mailto:[email protected]
  • Start with pct=10 (10% of failing emails quarantined)
  • Monitor for false positives
  • Gradually increase: 25% → 50% → 100%

Phase 3: Reject (p=reject)

v=DMARC1; p=reject; rua=mailto:[email protected]
  • Full enforcement—unauthorized emails are rejected
  • This is the goal for maximum protection

Troubleshooting Common Issues

“DKIM record not found”

Check:

  1. Record name matches exactly what HubSpot provided
  2. No extra spaces in the record value
  3. For Cloudflare: Proxy is disabled (DNS only mode)
  4. DNS has propagated (wait up to 48 hours)

Verify with:

dig +short CNAME hs1-12345678._domainkey.yourdomain.com

“Domain showing as Partially Authenticated”

This usually means DKIM is working but DMARC isn’t detected.

Check:

  1. DMARC record exists at _dmarc.yourdomain.com
  2. Record starts with v=DMARC1
  3. No typos in the record

Verify with:

dig +short TXT _dmarc.yourdomain.com
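
The checks above, and the tag table under “DMARC Record Components”, can be applied to the string that dig returns. The following is an added example, not code from HubSpot or this guide; the function name check_dmarc and the address dmarc-reports@yourdomain.com are assumptions made for illustration.

```python
def check_dmarc(txt):
    """Return (tags, problems) for the value of one _dmarc TXT record."""
    tags, problems = {}, []
    pairs = [p.strip() for p in txt.strip().strip('"').split(";") if p.strip()]
    for i, pair in enumerate(pairs):
        key, sep, value = (s.strip() for s in pair.partition("="))
        if not sep:
            problems.append(f"malformed tag {pair!r}")
            continue
        # The version tag is case-sensitive and must come first.
        if i == 0 and (key, value) != ("v", "DMARC1"):
            problems.append("record must start with v=DMARC1")
        if key.lower() in tags:
            problems.append(f"duplicate tag {key!r}")
        tags[key.lower()] = value
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        problems.append("p must be none, quarantine or reject")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        problems.append("pct must be an integer from 0 to 100")
    for uri in filter(None, (u.strip() for u in tags.get("rua", "").split(","))):
        if not uri.lower().startswith("mailto:") or "@" not in uri:
            problems.append(f"rua entry {uri!r} is not a mailto: address")
    if "rua" not in tags:
        problems.append("no rua tag: no aggregate reports will be sent")
    # Fill in the defaults a receiver would assume for omitted tags.
    for key, default in (("adkim", "r"), ("aspf", "r"), ("pct", "100")):
        tags.setdefault(key, default)
    return tags, problems


if __name__ == "__main__":
    # Constructed sample records.
    for record in ("v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com",
                   "p=none; v=DMARC1",
                   "v=DMARC1; p=monitor; pct=150; rua=dmarc-reports@yourdomain.com"):
        print(record, "->", check_dmarc(record)[1] or "ok")
```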

“SPF PermError: Too many DNS lookups”

SPF has a 10 DNS lookup limit. HubSpot’s include adds lookups.

Solutions:

  1. Remove unused includes from your SPF record
  2. Use SPF flattening tools to convert includes to IP addresses
  3. Consider using subdomains for different email streams
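
To see how close a record is to the limit before adding another include, the lookups can be counted by following each include. The following is an added example, not code from this guide or from HubSpot; it checks the “Important SPF rules” list and the 10-lookup limit against a constructed stand-in for DNS, and the names ZONE, count_lookups and lint_spf are assumptions.

```python
# ZONE is constructed sample data standing in for live DNS; the record
# contents are invented, not the providers' real SPF records.
ZONE = {
    "yourdomain.com": ["v=spf1 include:_spf.google.com include:_spf.hubspot.com -all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.example ~all"],
    "_netblocks.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_spf.hubspot.com": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "dup.example": ["v=spf1 -all", "v=spf1 include:_spf.hubspot.com ~all"],
    "crowded.example": ["v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11)) + " -all"],
}
LOOKUP_TERMS = {"a", "mx", "ptr", "exists"}  # each costs one DNS query


def spf_records(domain, zone):
    """TXT values at domain that are SPF records."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]


def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms reachable from domain's SPF record."""
    recs = spf_records(domain, zone)
    if domain in path or len(recs) != 1:
        return 0  # include loop, missing record, or ambiguous record
    total = 0
    for term in recs[0].split()[1:]:
        term = term.lstrip("+-~?").lower()
        name, _, arg = term.replace("=", ":", 1).partition(":")
        if name in ("include", "redirect"):
            # One query for the target, plus whatever the target's record needs.
            total += 1 + count_lookups(arg, zone, path + (domain,))
        elif name.split("/")[0] in LOOKUP_TERMS:
            total += 1
    return total


def lint_spf(domain, zone):
    """Return a list of problems found in domain's SPF setup."""
    recs = spf_records(domain, zone)
    if len(recs) != 1:
        return [f"expected exactly one SPF record, found {len(recs)}"]
    terms = [t.lstrip("+-~?").lower() for t in recs[0].split()]
    problems = []
    if not any(t.startswith("redirect=") for t in terms):
        if terms.count("all") != 1 or terms[-1] != "all":
            problems.append("'all' must appear once, as the last term")
    lookups = count_lookups(domain, zone)
    if lookups > 10:
        problems.append(f"{lookups} DNS lookups exceeds the limit of 10")
    return problems
```

Calling lint_spf("crowded.example", ZONE) reports the record that would produce the PermError, while the merged “After” record from the SPF step costs three lookups in this sample zone.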

“DKIM passes but DMARC fails”

This is usually an alignment issue. Check that:

  1. Your “From” address uses the same domain you authenticated
  2. HubSpot is signing with your domain (not hubspotemail.net)
  3. DKIM selector matches what HubSpot is using
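
The alignment check can be reproduced from the Authentication-Results header of a test message. The following is an added example, not code from this guide or from HubSpot; the header values are constructed, and org_domain uses a last-two-labels shortcut as an assumption where real receivers consult the Public Suffix List.

```python
import re

# Constructed sample Authentication-Results values (not captured from real mail).
SIGNED_AS_CUSTOMER = (
    "mx.example.net; dkim=pass header.d=yourdomain.com header.s=hs1-12345678; "
    "spf=pass (sender permitted) smtp.mailfrom=bounce@bounce.hubspotemail.net; "
    "dmarc=pass header.from=yourdomain.com")
SIGNED_AS_PROVIDER = (
    "mx.example.net; dkim=pass header.d=hubspotemail.net; "
    "spf=pass smtp.mailfrom=bounce@bounce.hubspotemail.net; "
    "dmarc=fail header.from=yourdomain.com")


def org_domain(domain):
    # Assumption: the organizational domain is the last two labels.
    # This is wrong for suffixes such as co.uk; use the Public Suffix List there.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_auth_results(header):
    """Return [(method, result, {property: value})] from the header value."""
    header = re.sub(r"\([^)]*\)", " ", header)  # drop parenthesised comments
    out = []
    for part in header.split(";")[1:]:  # the first part is the reporting server
        m = re.match(r"\s*(\w+)=(\w+)(.*)", part, re.S)
        if m:
            props = dict(re.findall(r"([\w.]+)=(\S+)", m.group(3)))
            out.append((m.group(1).lower(), m.group(2).lower(), props))
    return out


def dmarc_alignment(header, from_domain):
    """Relaxed alignment: which passing methods match the From domain."""
    verdict = {"dkim": False, "spf": False}
    for method, result, props in parse_auth_results(header):
        ident = {"dkim": props.get("header.d"),
                 "spf": props.get("smtp.mailfrom")}.get(method)
        if result == "pass" and ident:
            ident = ident.rsplit("@", 1)[-1]  # keep the domain of an address
            if org_domain(ident) == org_domain(from_domain):
                verdict[method] = True
    # DMARC passes when at least one method both passes and aligns.
    verdict["dmarc"] = verdict["dkim"] or verdict["spf"]
    return verdict
```

In the second sample both dkim and spf report pass, yet neither identifier belongs to yourdomain.com, so the DMARC verdict is a fail.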

“Authentication works in Gmail but not Outlook”

Different providers may cache DNS differently.

Try:

  1. Wait 24-48 hours for full propagation
  2. Verify records using multiple DNS checkers
  3. Check for regional DNS inconsistencies

Cloudflare-Specific Issues

HubSpot DKIM frequently fails with Cloudflare due to proxy settings.

Fix:

  1. Ensure DKIM CNAME records show the gray cloud (DNS only)
  2. Disable CNAME Flattening for these records
  3. Ensure Universal SSL isn’t interfering

Using Subdomains for Marketing Email

Some organizations prefer using a subdomain (e.g., mail.yourdomain.com or marketing.yourdomain.com) for HubSpot emails.

Benefits of Subdomains

  • Separates marketing email reputation from transactional
  • Allows different authentication configurations
  • Easier to troubleshoot issues

Setting Up a Subdomain

  1. In HubSpot, connect marketing.yourdomain.com instead of your root domain
  2. Add DKIM CNAME records for the subdomain
  3. DMARC at the root domain covers subdomains automatically

Note: If you have a DMARC record on your root domain, it applies to all subdomains via policy inheritance.

What’s Next

Monitor Your DMARC Reports

DMARC reports arrive as XML files. They show:

  • Who’s sending email as your domain
  • Authentication pass/fail rates
  • Sources you may not have known about

Use a DMARC monitoring tool to parse and visualize these reports.

Authenticate Other Sending Sources

HubSpot is likely one of several services sending as your domain. Also authenticate:

  • Your email provider (Google Workspace, Microsoft 365)
  • Transactional email services (SendGrid, Postmark)
  • CRM tools (Salesforce, Zendesk)
  • Any other platforms sending as your domain

Progress to DMARC Enforcement

Don’t stay at p=none. The goal is p=reject:

  1. Collect 2-4 weeks of DMARC data
  2. Ensure all legitimate sources are authenticated
  3. Move to p=quarantine with low percentage
  4. Gradually increase to 100%
  5. Move to p=reject

Monitor Your HubSpot Authentication

Verkh monitors your DMARC reports and alerts you when HubSpot or any other source fails authentication. See your pass rates, identify issues, and get copy-paste DNS records to fix problems.



Last updated: December 2025
