How to Set Up DMARC for HubSpot Email Sending

If you use HubSpot for email marketing, sales sequences, or transactional emails, your domain needs a DMARC record. Without one, your HubSpot campaigns are more likely to hit spam folders, and your domain is left unprotected against spoofing. The good news is that HubSpot has solid support for email authentication, and adding DMARC on top of it is straightforward.

This guide covers how HubSpot handles email authentication, what you need to configure on the DNS side, and how to make sure your DMARC record works properly with HubSpot's sending infrastructure. If you have not created a DMARC record yet, our how to create a DMARC record guide will help you build one.

How HubSpot Handles Email Sending

When you send email through HubSpot — whether it is a marketing campaign, a sales sequence, or a CRM-triggered workflow — HubSpot's servers handle the actual sending. The "From" address shows your email (like marketing@yourdomain.com), but the infrastructure behind it is HubSpot's.

For DMARC to pass, the email needs to be authenticated in a way that aligns with your domain. HubSpot accomplishes this through its custom sending domain feature, which sets up DKIM signing using your domain. To understand how SPF, DKIM, and DMARC each contribute to this process, see SPF vs DKIM vs DMARC.

Custom Sending Domain Authentication

HubSpot requires you to connect and authenticate a sending domain before you can use it as your From address. In your HubSpot account, go to Settings > Marketing > Email > Configuration and look for the domain connection section. HubSpot provides DNS records — typically CNAME records — that you add at your DNS provider.

These CNAME records serve two purposes: they enable DKIM signing with your domain and set up the return path for SPF alignment. Once the DNS records are verified, HubSpot signs your outgoing emails with DKIM using your domain, which is the key to passing DMARC.

Prerequisites Before Adding DMARC

Confirm the following before creating your DMARC record:

HubSpot domain authentication is complete. In your HubSpot account, go to Settings > Marketing > Email > Configuration and verify your sending domain shows as connected and verified. If it shows warnings or pending status, resolve those first by adding or correcting the DNS records HubSpot provided.

Your SPF record covers all sending sources. HubSpot is likely not your only email sender. Your business email provider (Google Workspace, Microsoft 365), any other marketing platforms, and transactional email services all need to be in your SPF record. Build a complete one at spfcreator.com.

DKIM is active for other email services. If you use Google Workspace or another provider alongside HubSpot, enable DKIM there too. You can generate DKIM records at dkimcreator.com.

The Recommended DMARC Record for HubSpot Users

Start with a monitoring-only policy to collect data before enforcing:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100;

Replace the email address with one you control. This tells receiving mail servers to send you reports about every email using your domain without blocking anything. Starting with p=none is important because you need to verify that HubSpot's authentication is working correctly — and that all your other sending sources pass too — before you tighten the policy.

Adding the DMARC Record to Your DNS

Your DMARC record gets added at your DNS provider — not inside HubSpot. Where you add it depends on where your domain's DNS is managed (your domain registrar or a DNS hosting service like Cloudflare).

For provider-specific instructions, see our guides for GoDaddy, Namecheap, Cloudflare, or IONOS.

Common HubSpot DMARC Issues

DKIM Alignment Failures

If your DMARC reports show DKIM alignment failures for HubSpot-sent emails, the most likely cause is an incomplete or misconfigured sending domain. Go to Settings > Marketing > Email > Configuration in HubSpot and verify the CNAME records are correctly published in your DNS and showing as verified in HubSpot.

Another common cause is using a different From address domain than the one you authenticated. For example, if you authenticated yourdomain.com in HubSpot but send from marketing@subdomain.yourdomain.com, the DKIM alignment may fail unless you also authenticated the subdomain.

SPF Alignment Issues

HubSpot uses its own servers to send email, which means the SPF envelope sender (return path) may not directly align with your domain unless HubSpot's custom return path is configured. This is why DKIM is the primary alignment mechanism for HubSpot. As long as DKIM alignment passes, your DMARC check will pass — DMARC only requires one of the two (SPF or DKIM) to align.

From Address Does Not Match Authenticated Domain

HubSpot lets you set different From addresses for different campaigns, teams, or users. Make sure every From address you use matches the domain you authenticated. If your sales team sends from name@yourdomain.com and your marketing sends from campaigns@yourdomain.com, both use the same authenticated domain. But if someone sets up a From address using a different domain, those emails will fail DMARC for that domain.

HubSpot with Other Sending Services

Most HubSpot users also send email through other platforms. This is where DMARC configuration needs extra attention.

HubSpot Plus Google Workspace or Microsoft 365

Your day-to-day business email goes through your email provider, while marketing and sales sequences go through HubSpot. Both need proper authentication. Your SPF record must include both providers, and DKIM must be enabled for each. When reviewing DMARC reports, check that emails from both sources pass alignment.

HubSpot Plus a Transactional Email Service

If you use SendGrid, Amazon SES, or another service for transactional emails (receipts, notifications, password resets), that service needs its own authentication setup. Add its SPF include to your SPF record and configure DKIM. See our guides for SendGrid or Amazon SES.

Why Multi-Sender Matters

With multiple services sending as your domain, a single unauthenticated source can cause DMARC failures. Before moving past p=none, your DMARC reports need to show passing results from every service. If any one of them fails, fix it before enforcing. Agencies and consultants who manage HubSpot sending across client domains should review our DMARC for agencies guide for tips on scaling authentication.

Moving Toward Enforcement

After two to three weeks of monitoring at p=none, review your DMARC reports. Verify that HubSpot emails consistently pass DKIM alignment and that all your other sending sources pass either SPF or DKIM.

Then follow this progression:

Phase 1: Change to p=quarantine; pct=25;. A quarter of failing messages go to spam. Monitor for a week.

Phase 2: Increase to pct=100. All failing messages are quarantined. Watch for any deliverability issues in your HubSpot email analytics.

Phase 3: Move to p=reject. Failing messages are blocked entirely. This is the strongest protection and the goal for every domain.

For the full enforcement guide, see our DMARC policy levels guide.

Monitor Your DMARC Record

You've created your DMARC record — now make sure it keeps working. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.