Overview of email authentication

To ensure your marketing emails sent via HubSpot comply with the authentication standards and sending policies enforced by major email inbox providers (e.g., Gmail and Yahoo Mail), you can connect your email sending domain to HubSpot. The domain connection process involves setting up three separate DNS record types in your DNS provider's settings: DKIM, SPF, and DMARC.

This article provides an overview of what these records are and how their associated authentication protocols work.

Once you're ready to authenticate your email sending domain, you can begin the DNS configuration process or review your current authentication status in HubSpot.

Please note: your HubSpot account manager or members of HubSpot support can help you understand best practices and how to use HubSpot tools to set up authentication, but they cannot make these decisions for you, nor can they manage your DNS settings. You will need to work with your IT team or your email administrator to fully set up email authentication. You can also contact a third-party DMARC consulting or reporting service for additional assistance.

Understand the impact of authenticated emails

Impact on your HubSpot account

While DKIM, SPF, and DMARC are not strictly required to send emails via HubSpot, you cannot send emails with your domain in the From Address (e.g., employee@example.com) until you connect that domain to HubSpot by setting up DKIM. This will also increase email deliverability for that domain.

Domains not connected as an email sending domain in your account will be modified to a HubSpot-hosted variable domain. Learn more about unauthenticated emails in this article.

Impact on email performance

Most inbox service providers prefer emails authenticated by DKIM. Emails sent without DKIM authentication are more likely to bounce, quarantine, or be categorized as spam. Quarantined emails will appear as delivered in HubSpot, but will not be visible to most recipients, so it's highly recommended that you set up DKIM to improve deliverability.

Please note: some inbox providers, such as Google and Yahoo, will be requiring DMARC, DKIM, and SPF to be fully set up on any domain sending bulk emails to their users. If you don't meet these requirements, emails from your domain will be bounced. These bounces will be categorized as a DMARC or Policy bounce.

Guide to DKIM

DKIM (DomainKeys Identified Mail) is a method of email authentication aimed to prevent email spoofing, which is a technique used by malicious actors to send emails with forged sender addresses.

To set up DKIM in HubSpot, you'll be guided to set up DKIM using two CNAME records in your DNS provider. Once you configure your DKIM records in your DNS provider using a public key that HubSpot provides you with, a receiving mail server (e.g. Gmail) will be able to verify the signature of your sent email that's associated with your domain.

Learn how to add these records by following the instructions in this article.

Once you've added these DNS records and they've been verified by HubSpot and your DNS provider, the DKIM signature will be included in the headers of your sent emails, which correlates to the associated CNAME entries you configured.

Guide to SPF

SPF (Sender Policy Framework) is an email authentication standard used to verify that the sending email server is authorized to send email on behalf of a specific domain.

SPF is traditionally required for the envelope return path domain, which is the address that bounces will be sent to. HubSpot already has this configured for marketing emails sent through its shared servers. All dedicated IP customers are required to configure SPF on their envelope return path domain as part of their initial IP setup.

It's also highly recommended that you add HubSpot's SPF record to your From Address domain. This will be set up as a TXT record in your DNS provider, using the value provided in your HubSpot domain settings. This record will provide a regularly updated list of IP addresses that HubSpot will use to send marketing emails from your From Address domain.

You can follow this guide to add HubSpot to your SPF record.

Once you've added the SPF record and the verification process is complete, when an email server processes one of your sent emails, they can validate that HubSpot is on your domain's allowlist of valid senders.

Guide to DMARC

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol that further safeguards email domain owners from email spoofing and other unauthorized use of their domain.

By configuring a DMARC record, inbox providers can confirm how to process any emails sent from your domain that do not pass SPF and DKIM checks. A DMARC also provides a reporting mechanism for domain owners to learn how often recipient servers around the world are receiving emails sent from their domain, and what percentage is properly authenticated.

Learn more about the available policy values and a couple example policies in the sections below. When you're ready to set up your DMARC record, check out the instructions in this article.

Policy values

A DMARC policy can be defined by adding a TXT record in your DNS provider settings, with a value that can include the following semicolon-separated properties:

• v: the DMARC version.
• p: the policy type that dictates how to process emails that do not pass. The policy can be set to one of the following types:
  
  • none: used to collect feedback and gain visibility into email streams without impacting existing flows.
  • quarantine: filter emails that do not pass authentication into the recipient's quarantine.
  • reject: bounce emails that do not pass authentication.
• sp: used to apply a policy to a subdomain of the DMARC record.
• pct: the percentage of total unique sends that failed authentication to apply this policy to. For example, if your DMARC record included p=reject; pct=25, and 100 emails failed authentication, only 25 of them will be bounced, while the other 75 will be delivered to their recipients.
  
  • Defining this property can help slowly ramp up your authentication policy to ensure it's working as expected.
  • Note that this parameter is sometimes ignored by certain inbox service providers.
• ruf & rua: two optional parameters that specify an email address to send DMARC reporting data to. These must be provided in URI mailto format (e.g., mailto:reporting@example.com). The reporting data that's sent differs based on the parameter:
  • rua: an aggregate report of all your domain traffic.
  • ruf: failure reporting data that includes redacted copies of individual messages that failed authentication.
• adkim & aspf: specifies the alignment mode for DKIM and SPF. These should both be set to r (i.e., a relaxed alignment). A relaxed alignment should be the default setting for DMARC for DNS services.

Once you've added and verified the DMARC record in your DNS provider, all receiving email servers can authenticate incoming emails from your domain and handle any failures according to the policy you specified.

Example policies

You can customize your DMARC policy to fit your business needs. Here are a few examples:

Neutral policy

v=DMARC1; p=none;

This is an example of a neutral DMARC policy with no additional parameters. A neutral policy is useful for senders who're just starting to get familiar with DMARC. This is the bare minimum for DMARC to function.

Strict policy with aggregate reporting

v=DMARC1; p=reject; rua=mailto:reporting@example.com;

The example above defines a strict DMARC policy to bounce any emails that fail authentication, and provides an email address to send aggregate reporting data to.

Quarantine policy with failure reporting

v=DMARC1; p=quarantine; pct=25; ruf=mailto:reporting@example.com;

This example defines a policy that will quarantine 25% of emails that fail authentication, while the other 75% of emails that fail authentication will be permitted for delivery. The policy also provides a reporting address where an individual notification email can be sent for each email that fails authentication.

Defining a value for the pct property can allow you to test a random sample of messages that failed DMARC to allow you to check that legitimate emails are still being delivered properly.

Please note: HubSpot Support cannot help with DMARC record setup. The DMARC policy you set up is unique to your business needs and your DNS provider. You should consult your IT administrator or whoever manages your DNS settings for help setting up DMARC. You can also consult third-party DMARC consulting or reporting services for additional assistance.