If you encounter issues while setting up email authentication in HubSpot, you can try following the steps in the sections below to fix common SPF and DMARC problems.
SPF troubleshooting
To correctly configure SPF, you must add a TXT record in your DNS provider and copy over HubSpot's include statement. Learn more about some of the common SPF setup errors in the sections below.
Multiple SPF records
If you also send emails via another email provider besides HubSpot, you may already have an existing SPF record set up in your DNS provider. If this is the case, you can add HubSpot's SPF record to the same TXT record after any existing include: statements.
The following example demonstrates how a TXT record would be configured with multiple SPF entries using a provider like GoDaddy:
| Record type |
Host |
Required data |
| TXT |
@ |
v=spf1 include:anotherprovider.com include:123456.spf03.hubspotemail.net -all |
Consider the following when combining SPF records:
- Each
include: statement should be separated by a space.
- You can have up to 10
include: statements for any given domain or subdomain.
- The SPF version (
v=spf1) only needs to be specified once, at the beginning of record.
- The
-all flag only needs to be included once. This flag indicates that only the servers listed in the SPF record are authorized to send emails on behalf of the domain. Any email from a server not listed should be rejected.
Hard coded IP addresses
HubSpot's SPF record automatically includes all IP addresses that your account uses for marketing and transactional emails. Once you've set up the record in your email sending domain, you shouldn't need to update it further.
If your SPF record includes any other hard coded IP addresses from other email service providers, you may encounter errors with your SPF authentication. Hard coding IP addresses or CIDRs in your SPF record is not recommended.
If you do have hard coded addresses or CIDRs in your SPF record:
- Audit the contents of your SPF record and remove any hard-coded HubSpot IP addresses or CIDRs. Learn more about finding your sending IPs in HubSpot.
- If you need to maintain other hard-coded IP addresses (e.g., you have another third-party email service provider), you should add HubSpot's
include: statement at the end of any hard-coded addresses, followed by the -all flag. You can use the syntax in the following example SPF record with placeholder values:
v=spf1 ip4:.../24 ip4:.../24 include:123456.spf01.hubspotemail.net -all
DMARC troubleshooting
A DMARC record consists of a TXT record that you can customize based on how you want inbox providers to process emails from your domain that fail SPF and DKIM checks. The sections below outline common DMARC configuration issues.
Multiple records
To ensure that DMARC is configured properly, you should only have a single TXT record that begins with the version flag (i.e., v=DMARC1). If multiple DMARC records are present, the receiving email server will immediately end its policy discovery process and your DMARC policy will not be applied.
Missing required DMARC tags
Although some DMARC policy tags are optional, you must specify the version and policy tags (e.g., v=DMARC1; p=YOUR_POLICY_VALUE;).
You can review all available DMARC tags and the values you can define for them in the overview of email authentication.
Invalid DMARC policy value
If you notice a Invalid DMARC policy error while setting up your email sending domain in HubSpot, it's likely due to an invalid policy value for the p or sp tag. The only values that are valid are none, reject, or quarantine. These values are case sensitive and must be lower-cased.
Invalid reporting address
The ruf and rua tags are optional parameters to specify an email address to send DMARC reporting data to. If you specified a value for either tag, the email address you provide must be valid and properly formatted:
- The email address you provide must be in URI mailto format, which requires that you prefix the email address with
mailto: (e.g., mailto:reporting@example.com).
- Both the
rua and ruf tags support multiple email addresses for reporting, as long as they're separated by a comma. For example, the following would specify two different email addresses for reporting purposes:
rua=mailto:reporting@example.com,mailto:analytics@example.com;
- The only valid value for the
rua or ruf tag is an email address (or addresses). If you only include a domain name (e.g., rua=example.com), it will not be considered valid.
| Incorrect |
Correct |
rua=reporting@example.com; |
rua=mailto:reporting@example.com; |
Invalid DMARC alignment mode
The adkim and aspf flags specifies the alignment mode for DKIM and SPF. Both flags should be set to r for a relaxed alignment. For most DNS services, this should be the default setting for DMARC.
| Incorrect |
Correct |
adkim=s; aspf=s; |
adkim=r; aspf=r; |
Invalid DMARC percentage format
The pct flag is used to specify the percentage of total unique sends that failed authentication that your policy will be applied to. The value you specify should be a number and should exclude any additional characters (i.e., the % symbol should not be included).
| Incorrect |
Correct |
pct=25%; |
pct=25; |
Marketing Hub
Starter, Professional, Enterprise
Sales Hub
Starter, Professional, Enterprise
Service Hub
Starter, Professional, Enterprise
Content Hub
Starter, Professional, Enterprise
