HubSpot CRM platform with built-in marketing email capabilities. This guide covers the complete email authentication stack for HubSpot: SPF, DKIM, and DMARC. Each section gives you the exact DNS records, step-by-step instructions, common pitfalls, and how to verify your setup.
Authorize HubSpot to send marketing and transactional email on behalf of your domain by adding the correct SPF include.
TXT
@
v=spf1 include:_spf.hubspot.com ~all
If HubSpot uses a transactional email partner (e.g., SendGrid), you may need their include as well.
Go to app.hubspot.com and sign in to your account.
Go to Settings > Website > Domains & URLs > Email Sending Domains. Click "Connect a domain".
Enter the domain you send email from. HubSpot will generate the DNS records you need.
Add include:_spf.hubspot.com to your existing SPF record.
v=spf1 include:_spf.hubspot.com ~allClick "Verify" in HubSpot. The platform will check your DNS records.
v=spf1 include:_spf.google.com ~allv=spf1 include:_spf.google.com include:_spf.hubspot.com ~allAdd include:_spf.hubspot.com to your SPF record. For example: v=spf1 include:_spf.hubspot.com ~all.
Yes. If your DNS provider supports Domain Connect (e.g., GoDaddy), HubSpot can configure DNS records automatically.
Check your HubSpot account settings. HubSpot may use different infrastructure for transactional email, which could require an additional SPF include.
Enable DKIM signing in HubSpot by publishing the CNAME records it provides for your email sending domain.
CNAME
hs1._domainkey
yourdomain-com.hs01a.dkim.hubspotemail.net
HubSpot generates two CNAME records (hs1 and hs2 selectors). Copy exact values from your HubSpot settings.
Go to app.hubspot.com and sign in.
Go to Settings > Website > Domains & URLs > Email Sending Domains.
Click "Connect a domain" and enter your sending domain. HubSpot generates the DKIM CNAME records.
Create the CNAME records in your DNS provider as shown by HubSpot.
hs1._domainkey.yourdomain.com CNAME yourdomain-com.hs01a.dkim.hubspotemail.net
hs2._domainkey.yourdomain.com CNAME yourdomain-com.hs01b.dkim.hubspotemail.netClick "Verify" in HubSpot. Once DNS propagates, HubSpot will confirm DKIM is active.
HubSpot uses hs1 and hs2 as DKIM selectors, published as CNAME records pointing to HubSpot-managed keys.
Yes. Since DKIM records are CNAMEs pointing to HubSpot-hosted keys, HubSpot can rotate keys without requiring DNS changes.
Yes. If you send from a subdomain, configure the DKIM records for that subdomain during the domain connection process.
Publish a DMARC record to protect your domain when sending marketing email through HubSpot.
TXT
_dmarc
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1
Complete HubSpot domain authentication (SPF + DKIM) before enforcing DMARC.
Ensure SPF and DKIM are both configured and verified in HubSpot settings.
Send a test email from HubSpot and verify SPF and DKIM pass in the email headers.
Add a TXT record at _dmarc.yourdomain.com.
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1Monitor DMARC reports for 2-4 weeks to confirm HubSpot emails pass alignment.
Gradually move from p=none to p=quarantine to p=reject.
Yes, when email domain authentication is complete. This aligns the DKIM d= domain with your From domain.
Only if email domain authentication is not complete. With SPF and DKIM properly configured, HubSpot emails pass DMARC.
DMARC is one record per domain. If you already have a DMARC record, it covers all email from your domain, including HubSpot. You do not need a separate one.
Once your SPF, DKIM, and DMARC records are in place, run a full domain scan to confirm everything is configured correctly. DNS changes typically propagate within minutes but can take up to 48 hours.