Skip to content

Use a DMARC policy with HubSpot

Last updated: June 28, 2023

Available with any of the following subscriptions, except where noted:

Marketing Hub Starter, Professional, Enterprise
CMS Hub Professional, Enterprise
Legacy Marketing Hub Basic

You can use DMARC (Domain-based Message Authentication, Reporting and Conformance) with HubSpot. 

Set up DMARC

DMARC is an email authentication protocol that you implement outside of HubSpot, which is designed to help you protect your email domain against unauthorized use. For DMARC to pass, you need one of two domain authentication protocols, DKIM or SPF, to be set up correctly. If you don't have a dedicated IP, you should use the DKIM security protocol to ensure DMARC will pass. If needed, you can also set up SPF as another security safeguard.

  1. To use the DKIM protocol to authenticate: connect your domain as an email sending domain.
  2. To use the SPF protocol to authenticate: add HubSpot to your SPF policy.

 

Troubleshoot issues with DMARC authentication 

You may see this error if HubSpot is having trouble authenticating your email sending domain. 

 DMARC authentication has failed for [email sending domain]. The error is: [error description]. Learn more.

This error means that the domain of the email address which you used as your “from address” has a DMARC policy configured outside of HubSpot, but that policy is not compatible with your HubSpot email sending domain configuration.

This error is not critical, but may result in a higher rate of email messages failing to deliver or being routed to the spam folder.

Refer to the chart below for the solution to the error description indicated: 

Error Description

Solution

No email sending domain configured

A DKIM record was not found for your “from address” domain. To fix this issue, connect an email sending domain

Email sending domain incorrectly configured

A DKIM record was found for your “from address” domain, but it was not correctly configured. To fix this issue, finish configuring your email sending domain. The domain is correctly configured when Setup complete is displayed.

SPF validation failure

Your DMARC policy specifies that it requires SPF alignment. This means that HubSpot’s servers must be included in your SPF record, but they have not been. To fix this issue, add HubSpot’s servers to your SPF record.

Your domain's DMARC policy should have both the adkim and aspf tags set to "relaxed" or "r" alignment, which should be the default setting for DMARC for DNS services. You can use a third-party DNS tool like dmarcian to verify the values the adkim and aspf tags are set correctly.

Please note: when using some third-party DNS tools, you may notice a failure for the SPF protocol, which can occur when the from domain matches your domain but you're sending over a shared IP. You can safely ignore this failure if you've correctly set up DKIM and it aligns with your sending domain.

Was this article helpful?
This form is used for documentation feedback only. Learn how to get help with HubSpot.