
Stop HubSpot Emails from Hitting Spam: SPF, DKIM & DMARC Setup [2024]

Thorstein Nordby | 9 minutes

Today, we’ll show you exactly how to set up SPF, DKIM, and DMARC to prevent your HubSpot marketing emails from landing in the spam folder.

These email authentication protocols are crucial for maintaining high deliverability rates and protecting your domain from being used for phishing or spoofing attacks. 

With phishing attempts on the rise—57% of companies face them weekly or daily—setting up these technologies is no longer optional if you want to safeguard your emails.

This guide will walk you through each step to correctly configure SPF, DKIM, and DMARC, ensuring your emails are authenticated and reach your audience’s inbox while protecting your brand’s reputation. 

  1. The Importance of Email Authentication
  2. Understanding Email Authentication
  3. Where Are SPF, DKIM, and DMARC Records Stored?
  4. How to Set Up SPF, DKIM, and DMARC in HubSpot
  5. How to Verify Correct Email Configuration

The Importance of Email Authentication

Email authentication is not just a technical formality; it has significant business implications. 

Setting up SPF, DKIM, and DMARC ensures that your marketing emails are delivered safely, enhances your brand's reputation, and prevents malicious actors from exploiting your domain. 

Here’s why setting up these technologies is essential:

1. Prevent Emails from Being Rejected or Landing in the Spam Folder

Email providers like Gmail, Yahoo, and Microsoft may flag your emails as suspicious or spam without proper email authentication. 

This could result in a significant portion of your emails landing in the recipient's spam folder or being rejected outright by the mail server.

Email authentication improves deliverability by ensuring that your emails are recognized as legitimate and not marked as spam.

2. Protect Against Phishing and Spoofing Attacks

Email spoofing, where attackers forge your domain to send fraudulent emails, is one of the most common techniques used in phishing scams. 

According to GreatHorn, 57% of organizations experience phishing attempts weekly or daily. SPF, DKIM, and DMARC act as a protective shield, ensuring that only authorized emails are sent from your domain. 

DMARC adds an extra layer of protection by allowing you to define how unauthorized emails are handled (rejected, quarantined, or monitored).

3. Safeguard Your Brand’s Reputation

When malicious actors spoof your domain, not only do they put your customers at risk, but they also damage your brand’s reputation. 

If recipients believe they’ve received phishing emails from your company, trust in your brand could erode. SPF, DKIM, and DMARC protect your brand’s reputation by ensuring that only legitimate emails are sent from your domain.

4. Compliance with Email Security Standards

Many industries, especially in finance, healthcare, and e-commerce, have stringent email security standards requiring SPF, DKIM, and DMARC. 

Failure to comply with these standards can lead to penalties, fines, or even blacklisting of your domain by major email providers. 

By setting up email authentication, you ensure that your company remains compliant with evolving email security regulations, protecting your business from legal or financial risks.

Understanding Email Authentication

Email authentication is a process that helps verify the legitimacy of an email message and ensure that it hasn't been tampered with during its journey from sender to recipient.

It relies on cryptographic techniques such as digital signatures and encryption to verify the sender’s identity and ensure the integrity of the message. 

HubSpot has built-in email authentication mechanisms to protect outgoing emails from tampering by cyber criminals. Still, additional layers of authentication—like SPF, DKIM, and DMARC—are necessary to ensure complete security.

What Are SPF, DKIM, and DMARC?

SPF (Sender Policy Framework): 

SPF defines which IP addresses are authorized to send emails on behalf of your domain. It compares the sender’s IP address with the list of authorized IPs in your domain’s DNS records.

DKIM (DomainKeys Identified Mail): 

DKIM adds a digital signature to the header of your email, verifying that the message hasn't been altered after being sent and that it originates from the claimed domain. It uses public and private key encryption for validation.

DMARC (Domain-based Message Authentication, Reporting, and Conformance):

DMARC aligns both SPF and DKIM to provide an additional layer of protection. It tells the recipient’s email server how to handle emails that fail SPF or DKIM checks—whether to reject, quarantine, or monitor these emails.

How Do These Technologies Differ?

SPF focuses on IP-based validation, ensuring the email comes from an authorized source.

DKIM ensures the integrity of the email by verifying that it hasn’t been altered during transit.

DMARC combines SPF and DKIM to provide comprehensive protection. It allows you to define how to handle unauthorized emails and monitor for suspicious activities.
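
How alignment decides the DMARC outcome, as an added example that is not part of the original article: a message passes only when SPF or DKIM passes for a domain matching the From: domain. The sample messages, the esp.example and unrelated.example domains, and the two-label org_domain shortcut are assumptions (real receivers use the Public Suffix List).

```python
from dataclasses import dataclass

def org_domain(domain):
    # Simplification (assumption): last two labels stand in for the
    # organizational domain that receivers derive from the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    """Relaxed alignment compares organizational domains; strict needs an exact match."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class Message:
    header_from: str   # domain in the visible From: header
    mail_from: str     # envelope sender (Return-Path) domain, the one SPF checks
    spf_result: str    # "pass", "fail", "softfail", ...
    dkim: list         # (d= domain, result) for each DKIM signature

def dmarc_result(msg, policy):
    """Return "pass", or the sender's p= policy that the receiver is asked to apply."""
    spf_ok = msg.spf_result == "pass" and aligned(msg.mail_from, msg.header_from)
    dkim_ok = any(result == "pass" and aligned(d, msg.header_from)
                  for d, result in msg.dkim)
    return "pass" if spf_ok or dkim_ok else policy

# Constructed messages; From: is always yourdomain.com (the guide's placeholder).
# Sent through an email platform, signed with the sender's own domain:
CUSTOM_DKIM = Message("yourdomain.com", "bounce.esp.example", "pass",
                      [("yourdomain.com", "pass")])
# Same platform, but SPF and DKIM only authenticate the platform's domain:
ESP_ONLY = Message("yourdomain.com", "bounce.esp.example", "pass",
                   [("esp.example", "pass")])
# From: claims yourdomain.com, but the only authenticated domain is unrelated:
FORGED = Message("yourdomain.com", "unrelated.example", "pass", [])

if __name__ == "__main__":
    for name, msg in [("custom DKIM", CUSTOM_DKIM), ("platform only", ESP_ONLY),
                      ("forged From", FORGED)]:
        print(name, "->", dmarc_result(msg, "reject"))
```

The second message shows why passing SPF and DKIM is not sufficient on its own: both checks pass, yet neither authenticated domain matches the From: domain, so DMARC fails.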

Where Are SPF, DKIM, and DMARC Records Stored?

Now, we’re getting a bit more technical!

SPF, DKIM, and DMARC records are stored in the Domain Name System (DNS) as TXT records. Here’s how each of these records works:

SPF Records:

SPF records specify which mail servers are allowed to send emails on behalf of your domain. For example:

v=spf1 include:hubspot.com ~all

This SPF record allows HubSpot to send emails on behalf of your domain. The ~all indicates that unauthorized emails will result in a soft fail, meaning the email might still be delivered but will be flagged as suspicious.

DKIM Records:

DKIM records store the public key used to validate the digital signature attached to your emails. The recipient’s server uses this public key to ensure the email hasn’t been altered and that it originated from the claimed domain.

An example of a DKIM record looks like this:

v=DKIM1; k=rsa; p=MIIBIjANBgkqhki...

This record contains the public key (the part after p=) used for verification.

DMARC Records:

DMARC records define how receiving mail servers should handle emails that fail SPF and DKIM checks. They also provide reporting options to monitor any suspicious email activity.

A sample DMARC record might look like this:

v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com

In this example, the p=reject policy tells the receiving server to reject emails that fail SPF and DKIM checks, while the rua tag specifies where to send reports.

Why Proper Configuration Matters:

Failure to properly configure SPF, DKIM, or DMARC can lead to your emails being flagged as spam or rejected outright. Some email providers, such as Google and Yahoo, now require configuring all three records (SPF, DKIM, and DMARC) for optimal email deliverability.

How to Set Up SPF, DKIM, and DMARC in HubSpot

Setting up SPF, DKIM, and DMARC in HubSpot requires configuring your domain's DNS records.

Here’s how to do it step by step.

1. How to Configure SPF in HubSpot

Step 1: Log in to your DNS provider and navigate to the DNS management section.

Step 2: Add a new TXT record for SPF. The SPF record for HubSpot usually looks like this:

v=spf1 include:hubspot.com ~all

Step 3: Save the record and allow time for DNS propagation.

2. How to Configure DKIM in HubSpot

Step 1: Go to Settings > Marketing > Email > Domain Authentication in HubSpot and select your domain.

Step 2: HubSpot will generate a CNAME record for DKIM, which you must add to your DNS provider.

Step 3: After adding the CNAME record, return to HubSpot to verify the setup.

3. How to Configure DMARC in HubSpot

Step 1: Log in to your DNS provider and create a TXT record for DMARC.

Step 2: A typical DMARC record looks like this:

v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com

Step 3: Save the record and monitor the DMARC reports to ensure proper email authentication.

How to Verify Correct Email Configuration

Once you've added the necessary DNS records for SPF, DKIM, and DMARC in your DNS provider, it's important to verify that each method is properly configured.

HubSpot provides an easy way to check the status of each authentication method, ensuring everything is set up correctly. Each DNS record will show one of the following statuses:

1. Not Authenticated: None of the three authentication methods (SPF, DKIM, or DMARC) have been properly configured or verified yet.

2. Partially Authenticated: DKIM has been set up and verified, but either SPF or DMARC still needs to be fully configured and verified.

3. Authenticated: All three methods—SPF, DKIM, and DMARC—have been fully configured and verified successfully.

Additionally, if you’re authenticating a subdomain, it will automatically inherit the DMARC authentication status from the root domain’s DMARC record due to DMARC policy inheritance.

If there’s an issue with any of your DNS records, HubSpot will provide the option to Continue setup, allowing you to review and fix the DNS record values that need to be corrected within your DNS provider. This ensures you can promptly address any issues and maintain optimal email deliverability.

Other methods of verifying SPF:

Use tools like MxToolbox (https://mxtoolbox.com/SPF.aspx) or SPF Record Check Tool (https://www.kitterman.com/spf/validate.html) to verify your SPF configuration. Enter your domain and check whether the SPF record is valid.

Other methods of verifying DKIM:

Verify your DKIM setup using tools like DKIM Core (https://dkimcore.org/tools/keycheck.html) or Mail-tester (https://www.mail-tester.com). These tools will check if your DKIM key is available and valid.

Other methods of verifying DMARC:

Check your DMARC configuration with tools like MxToolbox DMARC Lookup (https://mxtoolbox.com/DMARC.aspx) or DMARC Analyzer (https://dmarcian.com/dmarc-inspector/). These tools will show whether your DMARC record is set up correctly and offer insights into improving it.

All-in-One Tools:

Use tools like GlockApps or Mail-tester to check SPF, DKIM, and DMARC simultaneously. Send a test email, and the tool will generate a detailed report on your email authentication setup.
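
The record checks these tools perform can be reproduced offline. This added example (not HubSpot's or the listed tools' code) lints the SPF and DMARC records quoted in this guide. As simplifications, it counts only top-level SPF lookup terms and compares the rua host to the record's own domain rather than its organizational domain.

```python
import re
# Terms that cost a DNS query; RFC 7208 allows at most 10 per SPF check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def lint_spf(txt_records):
    """Findings for the TXT records published at the sending domain."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return ["no SPF record" if not spf else "multiple SPF records: permerror"]
    findings, lookups, qualifier = [], 0, "missing"
    for term in spf[0].split()[1:]:
        name = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        lookups += name in LOOKUP_TERMS  # top level only; nested includes count too
        if name == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"
    if lookups > 10:
        findings.append("more than 10 DNS-lookup terms: permerror")
    if qualifier != "-":
        findings.append(f"'all' qualifier is {qualifier}: unlisted senders are not hard-failed")
    return findings

def lint_dmarc(record, domain):
    """Findings for the TXT record at _dmarc.<domain> (domain in lowercase)."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return ["first tag is not v=DMARC1: receivers ignore the record"]
    tags = {k.strip().lower(): v.strip()
            for k, v in (p.split("=", 1) for p in parts if "=" in p)}
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none: monitor only, failing mail is still delivered")
    uris = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not uris:
        findings.append("no rua tag: no aggregate reports are sent")
    for uri in uris:
        host = uri.split("@")[-1].split("!")[0].lower()
        if not uri.lower().startswith("mailto:"):
            findings.append(f"rua target is not a mailto: URI: {uri}")
        elif host != domain and not host.endswith("." + domain):  # simplified: no PSL
            findings.append(f"external rua: {host} must publish {domain}._report._dmarc.{host}")
    return findings

if __name__ == "__main__":
    # The two records quoted in this guide; yourdomain.com is its placeholder.
    print(lint_spf(["v=spf1 include:hubspot.com ~all"]))
    print(lint_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com",
                     "yourdomain.com"))
```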

Conclusion

Setting up SPF, DKIM, and DMARC ensures your emails are authenticated, reach their intended audience, and protect your domain from spoofing or phishing attempts. 

These technologies safeguard your email deliverability, protect your brand’s reputation, and ensure compliance with modern email security standards.

By regularly monitoring your SPF, DKIM, and DMARC settings and reviewing reports, you can stay ahead of potential threats and maintain optimal email security for your domain. 

Make email authentication a core part of your overall email marketing strategy to ensure long-term success.

