Troubleshoot email authentication issues
Last updated: May 9, 2024
Available with any of the following subscriptions, except where noted:
Marketing Hub Starter, Professional, Enterprise
Sales Hub Starter, Professional, Enterprise
Service Hub Starter, Professional, Enterprise
Content Hub Starter, Professional, Enterprise
If you encounter issues while setting up email authentication in HubSpot, you can try following the steps in the sections below to fix common SPF and DMARC problems.
SPF troubleshooting
To correctly configure SPF, you must add a TXT record in your DNS provider and copy over HubSpot's include statement. Learn more about some of the common SPF setup errors in the sections below.
Multiple SPF records
If you also send emails via another email provider besides HubSpot, you may already have an existing SPF record set up in your DNS provider. If this is the case, you can add HubSpot's SPF record after any existing include: statements to the same TXT record.
The following example demonstrates how a TXT record would be configured with multiple SPF entries using a provider like GoDaddy:
Record type | Host | Required data |
TXT | @ | v=spf1 include:anotherprovider.com include:123456.spf03.hubspotemail.net -all |
Keep the following in mind when combining SPF records:
- Each include: statement should be separated by a space.
- You can have up to 10 include: statements for any given domain or subdomain.
- The SPF version (v=spf1) only needs to be specified once, at the beginning of the record.
- The -all flag only needs to be included once. This flag indicates that only the servers listed in the SPF record are authorized to send emails on behalf of the domain. Any email from a server not listed should be rejected.
Hard-coded IP addresses
The HubSpot SPF record that appears on your email sending domain setup page is written so that it automatically pulls in all IP addresses that your account will send emails from. This ensures that you do not need to update the record in your DNS provider once you've set it up.
If your SPF record includes any hard-coded IP addresses from other email service providers, you may encounter errors with your SPF authentication. Hard-coding IP addresses or CIDRs in your SPF record is not considered best practice. If you do have hard-coded addresses or CIDRs in your SPF record:
- Audit the contents of your SPF record and remove any hard-coded HubSpot IP addresses or CIDRs. You can follow the instructions in this article to find a list of HubSpot's sending addresses and CIDRs you can use for cross-referencing.
- If you need to maintain other hard-coded IP addresses (e.g., you have another third-party email service provider), you should add HubSpot's include: statement at the end of any hard-coded addresses, followed by the -all flag. You can consult the syntax in the example SPF record with placeholder values below:
v=spf1 ip4:.../24 ip4:.../24 include:123456.spf01.hubspotemail.net -all
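The rules from the two SPF sections above, as an added example (not HubSpot's code): lint_spf checks one record value and merge_spf folds several SPF records into a single one. The function names and the choice to keep the first all flag seen are assumptions made for this example.

```python
# Added example (not HubSpot code): lint and merge SPF TXT record values
# using only the rules listed in the sections above.
MAX_INCLUDES = 10  # include: limit as stated on this page


def _norm(term: str) -> str:
    """Lower-case a term and drop its optional qualifier (+, -, ~, ?)."""
    return term.lstrip("+-~?").lower()


def lint_spf(record: str) -> list[str]:
    """Return the problems found in a single SPF TXT record value."""
    terms = [_norm(t) for t in record.split()]
    problems = []
    if not terms or terms[0] != "v=spf1":
        problems.append("record must begin with v=spf1")
    if terms.count("v=spf1") > 1:
        problems.append("v=spf1 specified more than once")
    if terms.count("all") > 1:
        problems.append("all flag included more than once")
    after_all = terms[terms.index("all") + 1:] if "all" in terms else []
    if any(t.startswith("include:") for t in after_all):
        problems.append("include: statement placed after the all flag")
    if any(t.find("include:", 1) != -1 for t in terms):
        problems.append("include: statements must be separated by a space")
    includes = sum(t.startswith("include:") for t in terms)
    if includes > MAX_INCLUDES:
        problems.append(f"{includes} include: statements, limit is {MAX_INCLUDES}")
    return problems


def merge_spf(records: list[str]) -> str:
    """Combine SPF record values: one v=spf1, each term once, one all flag last.
    Assumption: the first all flag seen is kept; -all is used if none exists."""
    merged, all_term = [], None
    for record in records:
        for term in record.split():
            if _norm(term) == "v=spf1":
                continue
            if _norm(term) == "all":
                all_term = all_term or term
            elif term.lower() not in (m.lower() for m in merged):
                merged.append(term)
    return " ".join(["v=spf1", *merged, all_term or "-all"])


# Constructed sample: the page's combined record, split into two TXT records.
SAMPLE = ["v=spf1 include:anotherprovider.com -all",
          "v=spf1 include:123456.spf03.hubspotemail.net -all"]
```

Calling merge_spf(SAMPLE) returns the combined record shown in the GoDaddy table above, and lint_spf on that result returns an empty list.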
DMARC troubleshooting
A DMARC record consists of a TXT record that you can customize based on how you want inbox providers to process emails from your domain that fail SPF and DKIM checks. The sections below outline common DMARC configuration issues.
Multiple records
To ensure that DMARC is configured properly, you should only have a single TXT record that begins with the version flag (i.e., v=DMARC1). If multiple DMARC records are present, the receiving email server will immediately end its policy discovery process and your DMARC policy will not be applied.
Missing required DMARC tags
Although some DMARC policy tags are optional, you must specify the version and policy tags (e.g., v=DMARC1; p=YOUR_POLICY_VALUE;).
You can review all available DMARC tags and the values you can define for them in the overview of email authentication.
Invalid DMARC policy value
If you notice an Invalid DMARC policy error while setting up your email sending domain in HubSpot, it's likely due to an invalid policy value for the p or sp tag. The only valid values are none, reject, or quarantine. These values are case sensitive and must be lowercase.
Incorrect | Correct |
p=Quarantine; | p=quarantine; |
Invalid reporting address
The ruf and rua tags are optional parameters to specify an email address to send DMARC reporting data to. If you specified a value for either tag, the email address you provide must be valid and properly formatted:
- The email address you provide must be in URI mailto format, which requires that you prefix the email address with mailto: (e.g., mailto:reporting@example.com).
- Both the rua and ruf tags support multiple email addresses for reporting, as long as they're separated by a comma. For example, the following would specify two different email addresses for reporting purposes:
rua=mailto:reporting@example.com,mailto:analytics@example.com;
- The only valid value for the rua or ruf tag is an email address (or addresses). If you only include a domain name (e.g., rua=example.com), it will not be considered valid.
Incorrect | Correct |
rua=reporting@example.com; | rua=mailto:reporting@example.com; |
Invalid DMARC alignment mode
The adkim and aspf flags specify the alignment mode for DKIM and SPF. Both flags should be set to r for a relaxed alignment. For most DNS services, this should be the default setting for DMARC.
Incorrect | Correct |
adkim=s; aspf=s; | adkim=r; aspf=r; |
Invalid DMARC percentage format
The pct flag is used to specify the percentage of total unique sends that failed authentication that your policy will be applied to. The value you specify should be a number and should exclude any additional characters (i.e., the % symbol should not be included).
Incorrect | Correct |
pct=25%; | pct=25; |
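The DMARC checks from the sections above collected into one validator, as an added example (not HubSpot's code). The function names and the simplified mailto pattern are assumptions, and the sample record is constructed from the "Incorrect" columns of the tables on this page.

```python
# Added example (not HubSpot code): check DMARC TXT records against the
# configuration issues listed on this page.
import re

POLICIES = {"none", "reject", "quarantine"}  # case sensitive, lower-case only
# Assumption: a deliberately simple address pattern, not a full address parser.
MAILTO = re.compile(r"^mailto:[^@\s,;]+@[^@\s,;]+\.[^@\s,;]+$")


def parse_tags(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value;' into a dict, keeping the case of values."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def lint_dmarc(txt_records: list[str]) -> list[str]:
    """txt_records: every TXT value published at the domain's _dmarc name."""
    dmarc = [r for r in txt_records if r.strip().startswith("v=DMARC1")]
    if len(dmarc) != 1:
        return [f"expected exactly one v=DMARC1 record, found {len(dmarc)}"]
    tags, problems = parse_tags(dmarc[0]), []
    if "p" not in tags:
        problems.append("missing required p tag")
    for tag in ("p", "sp"):
        if tag in tags and tags[tag] not in POLICIES:
            problems.append(f"invalid policy value {tag}={tags[tag]}")
    for tag in ("rua", "ruf"):
        for uri in tags[tag].split(",") if tag in tags else ():
            if not MAILTO.match(uri.strip()):
                problems.append(f"invalid reporting address {tag}={uri.strip()}")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") != "r":
            problems.append(f"{tag}={tags[tag]} is not relaxed alignment (r)")
    if "pct" in tags and not (
        re.fullmatch(r"[0-9]{1,3}", tags["pct"]) and int(tags["pct"]) <= 100
    ):
        problems.append(f"invalid percentage pct={tags['pct']}")
    return problems


# Constructed sample: the "Incorrect" values from the tables above in one record.
SAMPLE_BAD = "v=DMARC1; p=Quarantine; rua=reporting@example.com; adkim=s; aspf=s; pct=25%;"
```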