HubSpot DMARC Alignment Configuration

If you're using HubSpot to send marketing emails, transactional notifications, or sales outreach, and you're also serious about email deliverability and security, you've likely encountered DMARC. DMARC (Domain-based Message Authentication, Reporting, and Conformance) is crucial for protecting your brand from spoofing and ensuring your legitimate emails reach inboxes. However, simply having a DMARC record isn't enough; your sending services, like HubSpot, need to align correctly with your DMARC policy.

This article will break down what DMARC alignment means in plain English, specifically for HubSpot users. We'll explain why alignment failures happen and, more importantly, tell you exactly what you need to configure in HubSpot and your DNS to fix them.

Understanding DMARC Alignment

Before diving into HubSpot specifics, let's quickly recap DMARC and alignment.

DMARC builds upon two foundational email authentication protocols: SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).

  • SPF verifies that an email originates from an IP address authorized by the domain owner. It checks the Return-Path (or Mail From) domain.
  • DKIM uses cryptographic signatures to verify that an email hasn't been tampered with in transit and was sent by an authorized sender. It checks the d= tag in the DKIM-Signature header.

DMARC Alignment is the critical step. For an email to pass DMARC, at least one of these checks (SPF or DKIM) must not only pass, but also align with the From header domain (the domain your recipients see).

  • SPF Alignment: The Return-Path domain must match or be a subdomain of the From header domain.
  • DKIM Alignment: The d= tag domain in the DKIM-Signature must match or be a subdomain of the From header domain.

Alignment can be either relaxed (r) or strict (s).

  • Relaxed alignment allows one domain to be a subdomain of the other (e.g., bounce.yourdomain.com aligns with yourdomain.com). This is typically sufficient and often the default for many services.
  • Strict alignment requires an exact match (e.g., yourdomain.com must align with yourdomain.com).

If neither SPF nor DKIM aligns and passes, the email fails DMARC, and your DMARC policy (e.g., p=quarantine or p=reject) will be applied.

HubSpot's Role in Email Sending

When you send an email through HubSpot, HubSpot's servers are the ones physically sending the email. By default, HubSpot sends emails on your behalf, but it uses its own infrastructure. This is where alignment issues arise if not configured correctly.

Consider a typical email sent by HubSpot without custom configuration:

  • The From header will be you@yourdomain.com.
  • The Return-Path header will likely be something like bounce-somehash@sends.hubspot.com.
  • The DKIM-Signature header's d= tag will often be hubspotemail.net or a similar HubSpot-owned domain.

Notice the mismatch? sends.hubspot.com and hubspotemail.net do not align with yourdomain.com. This will cause DMARC failures.
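The alignment check described above can be run over message headers. The following is an added example, not HubSpot's code or a receiver's actual implementation: it evaluates relaxed and strict alignment for the default headers listed above and for a constructed message whose Return-Path and d= domains sit under yourdomain.com. It assumes the SPF and DKIM verdicts are supplied by the caller and approximates the organizational domain as the last two labels.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: the last two labels form the organizational domain. Real
    # receivers use the Public Suffix List (needed for e.g. example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    # mode "s" = strict (exact match), "r" = relaxed (same organizational domain)
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def addr_domain(header_value):
    # Domain part of an address header; empty string if the header is missing
    return parseaddr(header_value or "")[1].rpartition("@")[2]

def check_alignment(raw, spf_pass=True, dkim_pass=True, aspf="r", adkim="r"):
    # spf_pass / dkim_pass are the receiver's SPF and DKIM verdicts (inputs);
    # aspf / adkim are the alignment modes from the DMARC record.
    msg = message_from_string(raw)
    from_dom = addr_domain(msg["From"])
    rp_dom = addr_domain(msg["Return-Path"])
    m = re.search(r"\bd=([^;\s]+)", msg["DKIM-Signature"] or "")
    dkim_dom = m.group(1) if m else ""
    spf_ok = spf_pass and bool(rp_dom) and aligned(rp_dom, from_dom, aspf)
    dkim_ok = dkim_pass and bool(dkim_dom) and aligned(dkim_dom, from_dom, adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok}

# Constructed sample: the default HubSpot headers listed above (s= and b= are placeholders)
DEFAULT = (
    "From: You <you@yourdomain.com>\n"
    "Return-Path: <bounce-somehash@sends.hubspot.com>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=hubspotemail.net; s=selector; b=PLACEHOLDER\n"
    "\nbody\n"
)
# Constructed sample: Return-Path and d= under yourdomain.com
CUSTOM = (
    "From: You <you@yourdomain.com>\n"
    "Return-Path: <bounce-somehash@bounce.yourdomain.com>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com; s=selector; b=PLACEHOLDER\n"
    "\nbody\n"
)

if __name__ == "__main__":
    print("default:", check_alignment(DEFAULT))
    print("custom, strict SPF:", check_alignment(CUSTOM, aspf="s"))
```

With strict SPF alignment the bounce subdomain no longer aligns, so the constructed message passes DMARC only because its DKIM d= domain matches the From domain exactly.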

Fixing SPF Alignment with HubSpot

For SPF alignment, the Return-Path domain needs to align with your From header domain. By default, HubSpot uses sends.hubspot.com for the Return-Path, which won't align with yourdomain.com.

The solution is to configure a custom sending domain in HubSpot. This process involves adding a CNAME record to your DNS that points a subdomain of your choice (e.g., hs.yourdomain.com or mail.yourdomain.com) to HubSpot's infrastructure.

Here's how it works:

  1. HubSpot Configuration: In HubSpot, navigate to Website > Domains & URLs > Email Sending. You'll be prompted to add your domain and configure it.
  2. CNAME for Return-Path: HubSpot will provide a CNAME record. This record will typically look something like this:

    TYPE: CNAME
    HOST: hs1234567._spf.yourdomain.com (or a similar HubSpot-generated subdomain)
    VALUE: 1234567.spf.hubspotemail.net

    Important Note: This CNAME record is not for the Return-Path itself. Instead, HubSpot uses this CNAME to verify domain ownership. Once verified, HubSpot will automatically rewrite the Return-Path for emails sent from you@yourdomain.com to use a subdomain like hs-abcdef.yourdomain.com or hs-bounce.yourdomain.com.

  3. SPF Record for your Custom Sending Subdomain: If HubSpot is rewriting the Return-Path to hs-bounce.yourdomain.com, then the SPF record for hs-bounce.yourdomain.com needs to authorize HubSpot. You'll typically add an SPF record to this specific subdomain:

    TYPE: TXT
    HOST: hs-bounce.yourdomain.com
    VALUE: v=spf1 include:spf.hubspot.com ~all

    (Note: The ~all is a softfail, often preferred initially. You can tighten to -all later if confident.)

    By doing this, the Return-Path domain (hs-bounce.yourdomain.com) now aligns with your From header domain (yourdomain.com) under relaxed SPF alignment.

Fixing DKIM Alignment with HubSpot

For DKIM alignment, the d= tag in the DKIM-Signature needs to align with your From header domain. By default, HubSpot signs with its own domain (e.g., d=hubspotemail.net).

The solution is to configure custom DKIM signing in HubSpot. This involves adding two CNAME records to your DNS, allowing HubSpot to sign emails on behalf of your domain.

  1. HubSpot Configuration: In the same Email Sending settings within HubSpot, you'll find instructions for connecting your domain for DKIM.
  2. CNAME Records for DKIM: HubSpot will provide two CNAME records. These records delegate authority for specific DKIM selectors to HubSpot's signing infrastructure. They usually look like this:

    ```
    TYPE: CNAME
    HOST: hs1-############.yourdomain.com
    VALUE: hs1-############.dkim.hubspot.com

    TYPE: CNAME