Last updated: February 21, 2024
To ensure your marketing emails sent via HubSpot comply with the authentication standards and sending policies enforced by major email inbox providers (e.g., Gmail and Yahoo Mail), you can connect your email sending domain to HubSpot. The domain connection process involves setting up three separate DNS record types in your DNS provider's settings: DKIM, SPF, and DMARC.
This article provides an overview of what these records are and how their associated authentication protocols work.
Please note: your HubSpot account manager or members of HubSpot support can help you understand best practices and how to use HubSpot tools to set up authentication, but they cannot make these decisions for you, nor can they manage your DNS settings. You will need to work with your IT team or your email administrator to fully set up email authentication. You can also contact a third-party DMARC consulting or reporting service for additional assistance.
While DKIM, SPF, and DMARC are not strictly required to send emails via HubSpot, you cannot send emails with your domain in the From Address (e.g., firstname.lastname@example.org) until you connect that domain to HubSpot by setting up DKIM. This will also increase email deliverability for that domain.
Domains not connected as an email sending domain in your account will be modified to a HubSpot-hosted variable domain. Learn more about unauthenticated emails in this article.
Most inbox service providers prefer emails authenticated by DKIM. Emails sent without DKIM authentication are more likely to be bounced, quarantined, or categorized as spam. Quarantined emails will appear as delivered in HubSpot, but will not be visible to most recipients, so it's highly recommended that you set up DKIM to improve deliverability.
Please note: some inbox providers, such as Google and Yahoo, will be requiring DMARC, DKIM, and SPF to be fully set up on any domain sending bulk emails to their users. If you don't meet these requirements, emails from your domain will be bounced. These bounces will be categorized as a DMARC or Policy bounce.
DKIM (DomainKeys Identified Mail) is a method of email authentication designed to prevent email spoofing, which is a technique used by malicious actors to send emails with forged sender addresses.
To set up DKIM, HubSpot will guide you through adding two CNAME records in your DNS provider. Once you configure your DKIM records in your DNS provider using a public key that HubSpot provides you with, a receiving mail server (e.g. Gmail) will be able to verify the signature of your sent email that's associated with your domain.
Learn how to add these records by following the instructions in this article.
Once you've added these DNS records and they've been verified by HubSpot and your DNS provider, the DKIM signature will be included in the headers of your sent emails. This signature corresponds to the CNAME entries you configured.
SPF (Sender Policy Framework) is an email authentication standard used to verify that the sending email server is authorized to send email on behalf of a specific domain.
SPF is traditionally required for the envelope return path domain, which is the address that bounces will be sent to. HubSpot already has this configured for marketing emails sent through its shared servers. All dedicated IP customers are required to configure SPF on their envelope return path domain as part of their initial IP setup.
It's also highly recommended that you add HubSpot's SPF record to your From Address domain. This will be set up as a TXT record in your DNS provider, using the value provided in your HubSpot domain settings. This record will provide a regularly updated list of IP addresses that HubSpot will use to send marketing emails from your From Address domain.
You can follow this guide to add HubSpot to your SPF record.
Once you've added the SPF record and the verification process is complete, an email server that processes one of your sent emails can validate that HubSpot is on your domain's allowlist of valid senders.
DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol that further safeguards email domain owners from email spoofing and other unauthorized use of their domain.
Configuring a DMARC record tells inbox providers how to process any emails sent from your domain that do not pass SPF and DKIM checks. A DMARC record also provides a reporting mechanism for domain owners to learn how often recipient servers around the world are receiving emails sent from their domain, and what percentage is properly authenticated.
Learn more about the available policy values and a couple of example policies in the sections below. When you're ready to set up your DMARC record, check out the instructions in this article.
A DMARC policy can be defined by adding a TXT record in your DNS provider settings, with a value that can include the following semicolon-separated properties:
p=reject; pct=25, and 100 emails failed authentication, only 25 of them will be bounced, while the other 75 will be delivered to their recipients.
mailto:email@example.com). The reporting data that's sent differs based on the parameter:
Once you've added and verified the DMARC record in your DNS provider, all receiving email servers can authenticate incoming emails from your domain and handle any failures according to the policy you specified.
You can customize your DMARC policy to fit your business needs. Here are a few examples:
This is an example of a neutral DMARC policy with no additional parameters. A neutral policy is useful for senders who are just starting to get familiar with DMARC. This is the bare minimum for DMARC to function.
v=DMARC1; p=reject; rua=mailto:firstname.lastname@example.org;
The example above defines a strict DMARC policy to bounce any emails that fail authentication, and provides an email address to send aggregate reporting data to.
v=DMARC1; p=quarantine; pct=25; ruf=mailto:email@example.com;
This example defines a policy that will quarantine 25% of emails that fail authentication, while the other 75% of emails that fail authentication will be permitted for delivery. The policy also provides a reporting address where an individual notification email can be sent for each email that fails authentication.
Defining a value for the pct property lets you test a random sample of messages that failed DMARC, so you can check that legitimate emails are still being delivered properly.
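The Python sketch below is an added example, not HubSpot's code: it parses the semicolon-separated DMARC value described above, validates the p, pct, rua and ruf properties, and computes how many failing messages fall inside the pct sample. The function names are hypothetical, and it accepts only mailto: report addresses, as the records on this page use.

```python
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(value):
    """Parse a DMARC TXT value into {tag: value}; raise ValueError if invalid."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:  # tolerate the trailing ';' seen in the page's examples
            continue
        name, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = val.strip()
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    tags["p"] = tags.get("p", "").lower()
    if tags["p"] not in POLICIES:
        raise ValueError("p must be none, quarantine or reject")
    pct = tags.get("pct", "100")  # pct defaults to 100 when omitted
    if not pct.isdecimal() or int(pct) > 100:
        raise ValueError("pct must be an integer from 0 to 100")
    tags["pct"] = int(pct)
    for key in ("rua", "ruf"):
        if key in tags:
            tags[key] = [u.strip() for u in tags[key].split(",")]
            if not all(u.lower().startswith("mailto:") for u in tags[key]):
                raise ValueError(f"{key} must list mailto: addresses")
    return tags

def expected_split(tags, failed):
    """Return (policy_applied, not_sampled) for `failed` failing messages."""
    applied = 0 if tags["p"] == "none" else round(failed * tags["pct"] / 100)
    return (applied, failed - applied)

def review(tags):
    """Return notes a domain owner would want to read before publishing."""
    notes = []
    if tags["p"] == "none":
        notes.append("p=none: no action is requested for failing mail")
    elif tags["pct"] < 100:
        notes.append(f"pct={tags['pct']}: policy applies to a sample only")
    if "rua" not in tags:
        notes.append("no rua: no aggregate reports will be received")
    return notes

# Sample input: the two example records shown on this page.
STRICT = "v=DMARC1; p=reject; rua=mailto:firstname.lastname@example.org;"
SAMPLED = "v=DMARC1; p=quarantine; pct=25; ruf=mailto:email@example.com;"
```

Running `review(parse_dmarc(SAMPLED))` flags both the partial sample and the missing aggregate-report address, which is the usual state of a record during a staged rollout.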
Please note: HubSpot Support cannot help with DMARC record setup. The DMARC policy you set up is unique to your business needs and your DNS provider. You should consult your IT administrator or whoever manages your DNS settings for help setting up DMARC. You can also consult third-party DMARC consulting or reporting services for additional assistance.