Use a DMARC policy with HubSpot

You can use DMARC (Domain-based Message Authentication, Reporting and Conformance) with HubSpot. 

Set up DMARC

DMARC is an email authentication protocol that you implement outside of HubSpot, which is designed to help you protect your email domain against unauthorized use. For DMARC to pass, you need one of two domain authentication protocols, DKIM or SPF, to be set up correctly. If you don't have a dedicated IP, you should use the DKIM security protocol to ensure DMARC will pass. If needed, you can also set up SPF as another security safeguard.

1. To use the DKIM protocol to authenticate: connect your domain as an email sending domain.
2. To use the SPF protocol to authenticate: add HubSpot to your SPF policy.

Troubleshoot issues with DMARC authentication  

You may see this error if HubSpot is having trouble authenticating your email sending domain. 

 DMARC authentication has failed for [email sending domain]. The error is: [error description]. Learn more.

This error means that the domain of the email address which you used as your “from address” has a DMARC policy configured outside of HubSpot, but that policy is not compatible with your HubSpot email sending domain configuration.

This error is not critical, but may result in a higher rate of email messages failing to deliver or being routed to the spam folder.

Refer to the chart below for the solution to the error description indicated: 

Your domain's DMARC policy should have both the adkim and aspf tags set to "relaxed" or "r" alignment, which should be the default setting for DMARC for DNS services. You can use a third-party DNS tool like dmarcian to verify the values the adkim and aspf tags are set correctly.

Please note: when using some third-party DNS tools, you may notice a failure for the SPF protocol, which can occur when the from domain matches your domain but you're sending over a shared IP. You can safely ignore this failure if you've correctly set up DKIM and it aligns with your sending domain.