HubSpot SPF and DKIM setup

What you are setting up

HubSpot sends your marketing email from its servers. Connecting an email sending domain sets up three records, but understand the roles: the two DKIM records are the ones that make DMARC pass, by signing your mail with your domain. HubSpot also gives you an SPF record, but that SPF authenticates HubSpot's shared return-path, not your from address, so it does not align. DKIM is the load-bearing leg. And there is a hard gate worth knowing first: in modern HubSpot you cannot send from your own domain at all until this is connected.

Connect the sending domain

Go to Settings > Content > Domains & URLs > Email Sending and click Connect sending domain (you can connect your root domain or a subdomain). HubSpot generates the records and shows you the exact values for your account:

Type:  CNAME
Host:  hs1-<account-id>._domainkey.yourdomain.com    (DKIM)
Value: (copy the exact target HubSpot shows, a dkim.hubspotemail.net host)

Type:  CNAME
Host:  hs2-<account-id>._domainkey.yourdomain.com    (DKIM)
Value: (copy the exact target HubSpot shows, a dkim.hubspotemail.net host)

Type:  TXT
Host:  @          (or merge into your existing SPF record)
Value: v=spf1 ... include:<account-id>.spfNN.hubspotemail.net ... -all

Copy the values exactly as HubSpot shows them. The DKIM selector hosts carry your account id and the targets are account-specific, so a guide that hardcodes them would be wrong. If you already publish an SPF record, merge HubSpot's include into it rather than adding a second SPF record (two SPF records is itself a failure), and mind the ten-lookup limit. Our SPF builder handles the merge.

Add DMARC

Publish a standard _dmarc TXT record. HubSpot needs alignment to stay relaxed (the DNS default), so do not set adkim=s or aspf=s. Start in monitor-only mode:

Type:  TXT
Host:  _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

If you connected a subdomain, it inherits your root domain's DMARC record. Build the record with our DMARC builder and progress past p=none once reports are clean.

The HubSpot gotcha

The gate that surprises people: HubSpot will not let you send email with your domain in the from address until the sending domain is connected via DKIM. If your campaigns are going out from a HubSpot address instead of yours, this is why, connect the domain first. The other classic break is the DNS host appending your root domain to the CNAME, turning hs1-123._domainkey.yourdomain.com into hs1-123._domainkey.yourdomain.com.yourdomain.com. Enter only the host portion and let your provider append the domain.

HubSpot shows a three-state status: Not authenticated, Partially authenticated (DKIM verified but SPF or DMARC not yet), and Authenticated (all three). Aim for the last one.

Confirm it worked

• Verify in HubSpot. The Email Sending page should read Authenticated once all the records resolve.
• Send a test and read the headers. Send a marketing email to an address you can inspect, open the original, and confirm the DKIM signature shows d=yourdomain.com and dmarc=pass. Our header analyzer reads it in plain English.
• Watch the reports. HubSpot should appear as an aligned, passing source in your DMARC aggregate reports, labeled as a known sender in trustyourinbox.