How do I set up SPF and DKIM for HubSpot?

To set up SPF and DKIM for HubSpot, connect your domain as an email sending domain: in HubSpot, click the settings icon, go to Content > Domains & URLs, open the Email Sending tab, and click Connect sending domain. HubSpot then generates the exact DNS records for your account: two DKIM CNAME records (hosts starting with hs1- and hs2-), an SPF TXT record with an account-specific include value, and a DMARC TXT record. Add them at your DNS host, wait at least 20 minutes, and verify. Most records propagate within 10 to 70 minutes, though it can take up to 48 hours.
Why does HubSpot email authentication matter?
HubSpot's email authentication overview is blunt about the stakes: inbox providers like Google and Yahoo require DMARC, DKIM, and SPF to be fully set up on any domain sending bulk email to their users, and mail that misses the bar gets bounced. Google's sender requirements got stricter again in late 2025, so unauthenticated bulk mail is increasingly rejected outright. HubSpot also notes that connecting your sending domain increases deliverability for that domain, and that unauthenticated marketing email can be modified to send from HubSpot's own managed domain instead of yours, with a From address like user=yourcompany.com@hs-domain.com. For MSPs, HubSpot email authentication is usually the first thing to check when a client complains that their newsletters land in junk.
Where do I set up SPF and DKIM in HubSpot?
HubSpot's wizard, documented in Manage your email authentication, generates every record in one flow. Get admin access to the client's DNS host before you start.
The records HubSpot's wizard generates. Every value is account-specific.
- In HubSpot, click the settings icon in the top navigation bar.
- In the left sidebar, go to Content > Domains & URLs.
- Click the Email Sending tab.
- Click Connect sending domain in the top right.
- Enter an email address you use for marketing sends. The domain you connect should match the domain in the From address.
- Choose Sign in with [provider] to let HubSpot apply the records automatically at supported DNS hosts, or No, I'll set it up manually to copy each record yourself.
How do I set up DKIM for HubSpot?
HubSpot DKIM setup uses two CNAME records. The hosts follow the pattern hs1-123456._domainkey and hs2-123456._domainkey, where 123456 stands for a number tied to your HubSpot account (HubSpot's own troubleshooting docs use hs1-123456._domainkey.example.com as their example). Both point at targets on dkim.hubspotemail.net that are generated for your specific account and domain.
Type: CNAME
Host: hs1-123456._domainkey
Value: (copy the exact target from your HubSpot wizard)
Type: CNAME
Host: hs2-123456._domainkey
Value: (copy the exact target from your HubSpot wizard)
Use HubSpot's Copy buttons for both the Host and Required data columns and paste the values into DNS unchanged. Don't retype them, and don't reuse values from another account's setup; the targets are unique to you. The CNAMEs delegate your DKIM public keys to HubSpot, so HubSpot can manage the underlying signing keys without you touching DNS again. If the domain sits behind Cloudflare, create both records as DNS-only: HubSpot warns that proxying and domain-wide CNAME flattening must be turned off.
How do I set up the HubSpot SPF record?
This is where most HubSpot SPF record setups go wrong: there is no generic HubSpot include. Each account gets its own value shaped like include:123456.spf03.hubspotemail.net, where the number is specific to your HubSpot account (the spf03 portion can vary too; HubSpot's docs also show spf01 in some examples). Never paste an include from a blog post, a forum answer, or another client's DNS. Someone else's number authorizes someone else's HubSpot account, not yours. Always copy the value from the Email Sending tab in your own account.
If the domain has no SPF record yet, publish one TXT record at the root:
Type: TXT
Host: @
Value: v=spf1 include:123456.spf03.hubspotemail.net -all
If an SPF record already exists, don't create a second one. A domain must have exactly one record starting with v=spf1, so merge HubSpot into the existing record, as HubSpot's own example shows:
v=spf1 include:anotherprovider.com include:123456.spf03.hubspotemail.net -all
HubSpot's authentication troubleshooting guide caps this at up to 10 include: statements for any given domain, in line with SPF's DNS lookup limit, so audit the record before bolting on another service.
Does HubSpot pass DMARC alignment?
Yes, through DKIM. HubSpot's overview notes that SPF traditionally applies to the envelope return-path domain and that HubSpot "already has this configured" for marketing email sent through its shared servers. That return path belongs to HubSpot's sending network and, per HubSpot's email sending documentation, "cannot be customized by senders on HubSpot's shared network." Since DMARC needs SPF or DKIM to pass with a domain that matches your From address, the aligned DKIM signature created by the two CNAMEs is what carries HubSpot DMARC compliance. If DKIM breaks, DMARC fails with it.
Three practical notes:
- HubSpot recommends relaxed alignment (
adkim=randaspf=r), which is also the DMARC default. - A subdomain counts as authenticated if the root domain carries a DMARC record, thanks to policy inheritance. A
_dmarcrecord on client.com covers marketing.client.com sends. - Dedicated IP customers can customize the envelope domain (HubSpot's example: 12345m.example.com), which brings SPF alignment within reach too.
p=none with a reporting address, watch the reports, then tighten the policy.
How is transactional email different from marketing email?
Marketing email ships with paid hubs; transactional email (password resets, receipts, account notices) is a separate paid add-on sold for Marketing Hub Professional and Enterprise that sends from a dedicated IP address.
| Marketing email | Transactional email | |
|---|---|---|
| Included with | Starter, Professional, Enterprise hubs | Paid add-on (Marketing Hub Professional or Enterprise) |
| Infrastructure | HubSpot shared IPs by default | Dedicated IP address |
| How you send | Marketing email tool | In-app, single-send API, SMTP API |
| Domain requirement | Connected sending domain | Same connected sending domain |
The authentication work is identical. HubSpot's transactional email guide states that any domain used as the From address "must be connected as an email sending domain," and SMTP API sends from an unconnected domain return an error. One properly connected sending domain covers both streams.
How do I verify my HubSpot email authentication?
HubSpot advises waiting at least 20 minutes after adding records before verifying. Back on the Email Sending tab, the domain shows one of three statuses: Not authenticated, Partially authenticated (DKIM verified, SPF or DMARC still pending), or Authenticated (all three verified). DNS updates usually land within 10 to 70 minutes but can take up to 48 hours, and HubSpot suggests confirming propagation with a dig lookup. You can also check from the outside with our SPF checker and DKIM checker; for DKIM, the selector is the part of each CNAME host before ._domainkey (hs1-123456 in HubSpot's examples), queried against the domain. Finish by sending a test to a Gmail mailbox and confirming spf=pass, dkim=pass, and dmarc=pass in the original headers.
Run this list for each client domain before calling it done.
Common issues
HubSpot's domain connection troubleshooting guide names three record-level errors: Typo (the record differs from what HubSpot expects), Missing record (HubSpot can't find it), and Conflicting record (another DNS record exists on the same host). Here's how they show up in practice:
- CNAME conflicts. A CNAME can't coexist with another record on the same host. If a leftover record from an earlier vendor sits at
hs1-123456._domainkey, delete it before adding HubSpot's value, then re-verify. - Duplicated root domain. Many DNS hosts auto-append the domain, turning
hs1-123456._domainkey.example.comintohs1-123456._domainkey.example.com.example.com. If verification keeps failing, dig the full host name and re-enter it without the trailing domain. - Cloudflare settings. Set the records to DNS-only and turn off domain-wide CNAME flattening. HubSpot notes that a Cloudflare TIME_1 error still present after five hours means Cloudflare is blocking requests, not slow propagation. Our Cloudflare DMARC guide shows where these DNS toggles live.
- Slow propagation. 10 to 70 minutes is normal and 48 hours happens. Wait at least 20 minutes before your first verify attempt.
- Two SPF records. Merge them into a single
v=spf1record; a duplicate breaks SPF validation entirely. - DMARC syntax. Keep exactly one TXT record starting with
v=DMARC1, use lowercase policy values (none,quarantine,reject), and prefix reporting addresses withmailto:.
Frequently asked questions
Is there a generic HubSpot SPF include I can paste?
No. The include is account-specific: include:123456.spf03.hubspotemail.net, where the number is unique to your HubSpot account. Copy it from Content > Domains & URLs > Email Sending in your own account. Pasting a value from someone else's setup authorizes their HubSpot account, not yours.
Do I need both hs1 and hs2 DKIM records?
Yes. HubSpot issues two CNAME records and checks for both, so a missing one keeps the domain from verifying. Delegating both hosts also lets HubSpot manage the underlying signing keys without further DNS changes on your side.
Which HubSpot plans can connect a sending domain?
Starter, Professional, and Enterprise tiers of Marketing Hub, Sales Hub, Service Hub, and Content Hub. An account can connect up to 2,000 sending domains, so an MSP can authenticate every client domain from one portal.
Should I set my DMARC policy to reject right after connecting HubSpot?
Not immediately. Start at p=none with reporting, confirm HubSpot mail passes with aligned DKIM for a few weeks, and check that no other legitimate senders are failing. Then step up to quarantine and reject.
Does a root-domain DMARC record cover my HubSpot subdomain?
Yes. HubSpot confirms a subdomain is considered authenticated when the root domain has a DMARC record, due to policy inheritance. A _dmarc record on client.com covers mail.client.com unless you publish a separate subdomain policy.

Written by
Samuel ChenardCEO & Co-Founder, Palisade
Samuel Chenard is the CEO and co-founder of Palisade, the DMARC automation platform for MSPs. He writes Palisade's guides on DMARC, SPF, DKIM and email deliverability.
More from Samuel →


