HubSpot marketing emails send from HubSpot's infrastructure — connecting your sending domain with hs1/hs2 DKIM CNAMEs is what makes them yours in DMARC's eyes.
Check your domain first — 10 seconds, free, no signup.
See your DMARC policy, SPF lookup count and every issue explained in plain English. Run the free check →
Step 1. Complete domain authentication inside the service (see above) and paste the DNS records it generates.
Step 2. Make sure your SPF record includes this service — and count your lookups: the limit is 10 and every service adds some.
Step 3. Publish DMARC with p=none and a rua address, watch reports for a week, confirm this sender shows 100% pass.
Step 4. Only then tighten the policy — quarantine, then reject.
Frequently asked
Will this change break my current sending?
No. Adding SPF includes and DKIM records only adds authentication — it never blocks existing mail. The only risky step is tightening your DMARC policy, and that comes later, after reports confirm everything passes.
How do I know it worked?
Send yourself a test email and inspect the headers for spf=pass, dkim=pass and dmarc=pass — or just watch your DMARCKeeper dashboard: the sender's pass rate should hit 100% within a day or two.
Do I still need DMARC if SPF and DKIM are set up?
Yes. SPF and DKIM authenticate mail; DMARC is what tells receivers to BLOCK mail that fails, and it's the piece Gmail, Yahoo and Outlook now check for explicitly.
Don't want to babysit DNS records? DMARCKeeper monitors your reports, names every sender, and walks you to full p=reject protection. Start free monitoring →