HubSpot is a popular CRM and marketing platform that sends transactional emails, marketing campaigns, and sales sequences on behalf of your domain. Proper authentication ensures these messages are trusted by receiving mail servers and protects your domain from spoofing.
SPF Configuration
HubSpot provides a dedicated SPF include for their sending infrastructure.
DNS Record:
Type: TXT
Host: @
Value: v=spf1 include:spf.hubspot.com ~all
Combined with other services:
v=spf1 include:_spf.google.com include:spf.hubspot.com ~all
Verify your total lookup count with the SenderClarity SPF Checker after adding this record.
DKIM Configuration
HubSpot supports custom DKIM through their email sending domain settings.
- In HubSpot, go to Settings → Content → Domains & URLs → Email Sending Domains (or Settings → Website → Domains & URLs depending on your version).
- Click Connect an email sending domain.
- Enter your domain name.
- HubSpot will provide two CNAME records for DKIM:
Type: CNAME
Host: hs1._domainkey
Value: (provided by HubSpot — unique to your portal)
Type: CNAME
Host: hs2._domainkey
Value: (provided by HubSpot — unique to your portal)
- Add both CNAME records to your DNS.
- Return to HubSpot and click Verify.
HubSpot uses two selectors for redundancy and key rotation, similar to Microsoft 365.
DMARC Configuration
Start with monitoring mode:
Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:your-address@reports.senderclarity.com; fo=1
Move toward enforcement after confirming all legitimate sources pass:
p=quarantine; pct=25p=quarantine; pct=100p=reject
DMARC Considerations for HubSpot
Three email streams from one platform: HubSpot sends marketing emails, sales sequences (from individual rep addresses), and transactional emails (workflow notifications, form submissions). All three appear differently in DMARC reports. Sales emails sent via HubSpot's CRM still route through HubSpot infrastructure, even though they appear to come from individual users.
The return-path CNAME matters for SPF alignment: HubSpot's domain authentication includes a return-path CNAME that points a subdomain back to HubSpot. Without it, the envelope sender is a HubSpot domain and SPF won't align. If you only set up the DKIM CNAMEs and skip this step, you're relying on DKIM alone for DMARC.
Multiple portals are a common blind spot: Organizations with separate HubSpot portals for different brands or regions need domain authentication in each portal. A single unauthenticated portal sending as your domain will create DMARC failures that can be hard to trace — especially if you didn't set up that portal yourself.
Verification
- Check your SPF record →
- Send a test marketing email to an address you control
- Check email headers for
dkim=passaligned to your domain - Monitor DMARC reports in SenderClarity
Common Issues
DKIM not passing after setup: HubSpot DKIM verification can take up to 24 hours. If it still fails, verify the CNAME records exactly match what HubSpot provided — including any trailing dots that your DNS provider may or may not require.
Emails show "via hubspot.com": This typically appears in Gmail when DKIM is not yet configured for your domain. Once custom DKIM is active and verified, this label should disappear.
Multiple HubSpot portals: If your organization uses separate HubSpot portals (e.g., for different brands or regions), each portal needs its own email sending domain configuration. The SPF include only needs to appear once.
SPF Lookup Impact
| Include | Estimated Lookups |
|---|---|
spf.hubspot.com |
1–2 |