Use a DMARC policy with HubSpot

Last updated: October 13, 2020

Applies to:

Marketing Hub  Starter, Professional, Enterprise
CMS Hub  Professional, Enterprise
Legacy Marketing Hub Basic

You can use DMARC (Domain-based Message Authentication, Reporting and Conformance) with HubSpot. 

Set up DMARC with HubSpot

The domain's DMARC policy should have SPF and DKIM both set to "relaxed" alignment, and you'll want to take the following steps: 

  1. Connect the domain as an email sending domain.
  2. Add HubSpot to your SPF policy.

DMARC is used to tell your recipients' email servers how to use existing authentication methods like SPF or DKIM to verify the owner of the domain. All HubSpot customers are on HubSpot's shared email servers hosted on, so mail won't be in alignment with your own domain's policy by default. 

Troubleshoot issues with DMARC authentication  

You may see this error if HubSpot is having trouble authenticating your email sending domain. 

 DMARC authentication has failed for [email sending domain]. The error is: [error description]. Learn more.

This error means that the domain of the email address which you used as your “from address” has a DMARC policy configured outside of HubSpot, but that policy is not compatible with your HubSpot email sending domain configuration. Depending on how you or your IT team have configured your domain’s DMARC policy, you may need to set up an email sending domain and/or add HubSpot’s servers to your domain’s SPF record.

This error is not critical, but may result in a higher rate of email messages failing to deliver or being routed to the spam folder.

Refer to the chart here for the solution to the error description indicated: 

Error Description


No email sending domain configured

Your DMARC policy specifies that it requires DKIM. This means that you need a matching, correctly configured email sending domain. However, a matching email sending domain was not found for your “from address” domain. To fix this issue, connect an email sending domain

Email sending domain incorrectly configured

Your DMARC policy specifies that it requires DKIM. This means that you need a matching, correctly configured email sending domain. A matching email sending domain was found for your “from address” domain, but it was not correctly configured. To fix this issue, finish configuring your email sending domain. The domain is correctly configured when Setup complete is displayed.

SPF validation failure

Your DMARC policy specifies that it requires SPF alignment. This means that HubSpot’s servers must be included in your SPF record, but they have not been. To fix this issue, add HubSpot’s servers to your SPF record.

Please note: some email services like Gmail, Yahoo, and Outlook do not allow users to use a custom DMARC policy.