
HubSpot SPF, DKIM & DMARC Setup Guide

Set up email authentication for HubSpot. SPF include: hubspot.com. Uses 1 DNS lookup. Step-by-step DKIM and DMARC configuration.

Last updated Feb 27, 2026

SPF Configuration

include:hubspot.com
DNS Lookup Budget: 1 / 10

Each include, a, mx, and redirect costs a DNS lookup. SPF allows a maximum of 10.

This provider uses 1 of your 10 DNS lookups.

DKIM Configuration

Selector(s): (auto-generated via CNAME delegation)
Key Type: CNAME-delegated (2 CNAME records)
Setup: HubSpot > Settings > Domains > Connect domain > Email sending > Publish 2 CNAME records

Setup steps may change — refer to HubSpot's current documentation for the latest instructions.

DMARC Alignment

Alignment Mode: relaxed
Notes: HubSpot requires DKIM, SPF, and DMARC for domain connection. Guided setup walks through all three.

Common Issues

  • SPF PermError — too many lookups with HubSpot + Salesforce + primary email

  • DMARC not configured — HubSpot requires DMARC policy before sending

  • DMARC alignment failure — sending from HubSpot shared domain before completing domain connection


Overview

HubSpot is an all-in-one CRM and marketing platform used for email campaigns, lead management, and sales automation. Its SPF record uses include:hubspot.com — note the include is just hubspot.com, not a subdomain — costing 1 DNS lookup. DKIM is configured through 2 CNAME records that delegate signing to HubSpot's infrastructure for automatic key management.

Domain Connection and Verification

HubSpot's domain connection wizard is unusually thorough: it requires DKIM, SPF, and DMARC to be configured before it allows sending from your domain. The wizard walks through all three in a single flow, verifying each record before proceeding. This makes HubSpot one of the few providers that enforces DMARC as a prerequisite rather than a recommendation.

Without completing the domain connection process, HubSpot sends using shared infrastructure with HubSpot-owned domains in the DKIM signature and return-path. Messages sent this way fail DMARC alignment on both SPF and DKIM. HubSpot's verification is relatively fast — DNS records typically validate within 10-70 minutes, compared to the 24-48 hours most providers require.

DKIM Configuration Details

HubSpot uses CNAME-delegated DKIM with two records that point to HubSpot's signing infrastructure. The selector names are auto-generated during domain connection — you do not choose them. Because the keys are managed behind CNAME records, HubSpot handles all key rotation transparently. There are no manual key updates, no expiration notices, and no rotation windows to manage.

If you disconnect and reconnect a domain in HubSpot, new CNAME records are generated. The old records become orphaned in your DNS and should be removed to avoid confusion during future troubleshooting. Always verify DKIM status after a domain reconnection by checking the DKIM record with a lookup tool.

Troubleshooting

Domain Connection Fails Verification

The most common cause is DNS propagation delay. HubSpot checks for published records during the wizard flow, and if any of the three (SPF, DKIM, DMARC) are not yet visible, verification fails. Wait 15-30 minutes and retry. If verification continues to fail after an hour, check the raw DNS records directly — some DNS hosting providers add the domain suffix automatically to the record hostname, resulting in a doubled domain (e.g., hubspot._domainkey.example.com.example.com).

SPF Record Already Exists

HubSpot's wizard may report an SPF conflict if your domain already has an SPF record. You cannot have two separate SPF TXT records on the same domain — this causes a PermError. Instead, add include:hubspot.com to your existing SPF record. If the wizard does not recognize your existing record, publish the include manually and skip past the SPF verification step.

Shared IP Reputation and Deliverability

HubSpot sends marketing email from shared IP pools unless you are on a dedicated IP add-on. Shared IP reputation is generally well-maintained, but if you notice deliverability dips, check whether HubSpot has recently rotated you to a different sending pool. Dedicated IP add-ons are available for enterprise accounts with consistent send volume — HubSpot requires a minimum daily volume to qualify.

Email Sends Failing After DMARC Policy Change

Organizations that move from p=none to p=quarantine or p=reject sometimes see HubSpot emails start failing. This typically happens when the domain connection was completed before DMARC was enforced, and one of the authentication mechanisms (usually SPF) was configured incorrectly during initial setup. Before tightening your DMARC policy, verify that both SPF and DKIM pass independently for HubSpot-sent messages by inspecting the Authentication-Results header in a recent email.
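The header inspection described above, as an added example (not HubSpot's tooling or code from the original page). Both header values are constructed, `sel1` and the `*.example` names are placeholders, and the organizational domain is approximated as the last two labels rather than looked up in the Public Suffix List. Following the advice above, it requires SPF and DKIM to each pass and align, which is stricter than DMARC's own one-of-two rule.

```python
import re

# Constructed Authentication-Results values (not captured from real mail).
# CONNECTED: sent after domain connection, from a dedicated sending subdomain.
CONNECTED = """mx.receiver.example;
 dkim=pass header.d=email.example.com header.s=sel1;
 spf=pass (sender IP permitted) smtp.mailfrom=bounce@bounces.email.example.com;
 dmarc=pass header.from=email.example.com"""
# SHARED: sent via shared infrastructure; both checks pass, but for the provider's domain.
SHARED = """mx.receiver.example;
 dkim=pass header.d=shared-sender.example header.s=sel1;
 spf=pass smtp.mailfrom=bounce@bounces.shared-sender.example;
 dmarc=fail header.from=example.com"""

def org_domain(domain):
    """Assumption: last two labels. Real evaluators use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(value):
    """Return {method: [(result, {property: value}), ...]} for one header value."""
    parsed = {}
    value = re.sub(r"\([^)]*\)", "", value)   # drop parenthesised comments
    for clause in value.split(";")[1:]:        # field 0 is the authserv-id
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].lower().split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        parsed.setdefault(method, []).append((result, props))
    return parsed

def status(parsed, method, prop, from_domain):
    """Classify one mechanism: 'fail', 'pass-unaligned' or 'pass-aligned' (relaxed)."""
    best = "fail"
    for result, props in parsed.get(method, []):
        if result != "pass":
            continue
        ident = props.get(prop, "").split("@")[-1]
        if org_domain(ident) == org_domain(from_domain):
            return "pass-aligned"
        best = "pass-unaligned"
    return best

def ready_for_enforcement(value, from_domain):
    """Report each mechanism and whether both pass and align with the From domain."""
    parsed = parse_auth_results(value)
    spf = status(parsed, "spf", "smtp.mailfrom", from_domain)
    dkim = status(parsed, "dkim", "header.d", from_domain)
    return {"spf": spf, "dkim": dkim, "ready": spf == dkim == "pass-aligned"}
```

For `SHARED` with a From domain of `example.com`, both mechanisms come back `pass-unaligned`: the checks succeed for the provider's domain, so the message still fails DMARC.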

Additional Setup Notes

Lookup Budget with Common HubSpot Stacks

HubSpot is commonly paired with Salesforce (CRM sync) and Google Workspace or Microsoft 365 for primary email. That's 3 SPF includes before adding transactional senders, support platforms, or email security gateways. Enterprise HubSpot deployments using Salesforce integration frequently approach the 10-lookup limit. A typical enterprise stack — Google Workspace, HubSpot, Salesforce, a support desk, and a transactional sender — uses 5 lookups minimum. Add an email security gateway like Mimecast or MailRoute, and you are at 6-7 lookups with no room for growth.
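An added example (not from the original page or from HubSpot) that audits a domain's SPF lookup budget and also catches the duplicate-record PermError described under "SPF Record Already Exists". The `ZONE` table is constructed stand-in data for live DNS: the `*.example` provider names are hypothetical, and the `hubspot.com` entry is a placeholder, not the record HubSpot publishes.

```python
import re

LOOKUP_LIMIT = 10  # SPF cap on DNS-querying terms per evaluation (RFC 7208)

# Constructed TXT data standing in for live DNS. None of these are real published
# records; the hubspot.com entry is a stand-in that costs no nested lookups.
ZONE = {
    "example.com": ["v=spf1 include:spf.workspace.example include:spf.crm.example mx ~all"],
    "spf.workspace.example": ["v=spf1 include:n1.workspace.example include:n2.workspace.example ~all"],
    "n1.workspace.example": ["v=spf1 ip4:192.0.2.0/25 ~all"],
    "n2.workspace.example": ["v=spf1 ip4:192.0.2.128/25 ~all"],
    "spf.crm.example": ["v=spf1 exists:%{i}.spf.crm.example -all"],
    "hubspot.com": ["v=spf1 ip4:198.51.100.0/24 -all"],
}
TERM = re.compile(r"^(include|a|mx|ptr|exists)(?::([^/\s]+))?(?:/.*)?$|^redirect=(\S+)$")

class SPFPermError(Exception):
    pass

def spf_record(domain, zone):
    """Return the domain's single SPF record; two or more is a PermError."""
    found = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(found) > 1:
        raise SPFPermError(f"{domain}: {len(found)} SPF records published")
    return found[0] if found else None

def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms, following include and redirect targets."""
    if domain in path:
        raise SPFPermError(f"include loop at {domain}")
    record = spf_record(domain, zone)
    total = 0
    for term in (record or "").split()[1:]:
        m = TERM.match(term.lstrip("+-~?").lower())
        if not m:
            continue  # ip4, ip6, all: no DNS query
        total += 1
        target = m.group(2) if m.group(1) == "include" else m.group(3)
        if target:
            total += count_lookups(target, zone, path + (domain,))
    return total

def check(domain, zone):
    """Return the lookup count, raising PermError past the limit."""
    n = count_lookups(domain, zone)
    if n > LOOKUP_LIMIT:
        raise SPFPermError(f"{domain}: {n} lookups exceeds {LOOKUP_LIMIT}")
    return n
```

With this sample data, `check("example.com", ZONE)` returns 6, because the nested includes and the `exists` term inside the provider records count against the same budget as the top-level terms.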

Bulk Sender Requirements

Gmail and Yahoo bulk sender requirements (February 2024) align with HubSpot's existing DMARC prerequisite — organizations already authenticated through HubSpot's wizard meet the new requirements automatically. If you set up HubSpot before these requirements existed and skipped domain connection, your marketing emails may now be rejected by Gmail and Yahoo. Complete the full domain connection wizard to comply.

Migrating To or From HubSpot

When migrating from another marketing platform to HubSpot, add include:hubspot.com to your SPF record before sending your first campaign. Run both includes in parallel during the migration window, and remove the old provider's include only after confirming all sends have moved to HubSpot. When migrating away from HubSpot, disconnect the domain in HubSpot's settings first, then remove the SPF include and DKIM CNAME records from DNS. Leaving orphaned HubSpot includes in your SPF record wastes a lookup on a provider that is no longer sending.

Subdomains and Dedicated Sending Domains

Some organizations configure HubSpot to send from a subdomain (e.g., email.example.com or marketing.example.com) to isolate marketing reputation from their primary domain. When using a subdomain, the SPF record with include:hubspot.com goes on the subdomain's DNS, not the root domain. DKIM CNAME records are also published under the subdomain. DMARC alignment still works under relaxed mode because the organizational domain matches.

Managed SPF can flatten nested includes into direct IP references, freeing up lookup budget for additional providers.
