Email authentication setup is critical for getting your marketing emails delivered to inboxes instead of spam folders. This step-by-step guide shows you how to configure email authentication in HubSpot using DKIM, SPF, and DMARC records.
Without proper HubSpot email authentication, your emails face deliverability issues that can kill your marketing campaigns before they start.
What is Email Authentication and Why You Need It
Email authentication proves to email providers that your messages are legitimate and coming from your actual domain. Major inbox providers like Gmail and Outlook now require proper authentication to avoid spam folders.
HubSpot email authentication involves three DNS record types:
- DKIM: Digital signatures that verify email integrity
- SPF: Specifies which servers can send email from your domain
- DMARC: Tells recipients how to handle unauthenticated emails
What happens without authentication:
- Lower email deliverability rates
- Messages landing in spam folders
- Damaged sender reputation
- Reduced email campaign effectiveness
Before You Set Up Email Authentication
Requirements for HubSpot email domain setup:
✅ DNS access: Login credentials for your DNS provider
✅ Domain ownership: Must own and control the domain
✅ Subdomain strategy: Choose a dedicated email sending subdomain
✅ Cloudflare users: Turn off CNAME flattening and proxy settings
Important limitations:
- Can't authenticate domains currently hosting websites
- Use subdomains like
mail.yourdomain.comfor email sending - Up to 2,000 email-sending domains per account
- Same domain can connect to multiple accounts
Step 1: Connect Your Email Sending Domain
Start the HubSpot email authentication process:
- In your account, click the settings icon ⚙️ in top navigation
- Navigate to Content > Domains & URLs in left sidebar
- Click Connect a domain in top right
- Select Email Sending, then click Connect
Step 2: Configure Your Email Address
Set up your sending email:
- Enter an email address you use for marketing emails
- Click Next
- Verify the email sending domain is correct
- Click Next to proceed
Pro tip: Use a subdomain like
info@yourdomain.com rather than your main website domain for better deliverability.
Step 3: Set Up DNS Records
Configure email authentication records:
You'll need to add three types of DNS records for complete email authentication setup:
Option A: Automatic setup (if available)
- Click Sign in with [your DNS provider]
- Allow access to automatically configure records
Option B: Manual setup
- Click No, I'll set it up manually
- Access your DNS provider separately
- Add the required records manually
DNS Records Required
1. DKIM Setup (2 CNAME records):- Copy Host and Required data values
- Add as CNAME records in your DNS
- Copy the TXT record values
- Add to your DNS provider
For existing SPF records:
- Add the string after
include:to your existing SPF record - Ensure
v=spf1and-allflag appear only once - Example:
v=spf1 include:anotherprovider.com include:123456.spf03.hubspotemail.net -all
3. DMARC Setup (1 TXT record):
- Copy the DMARC TXT record
- Add to your DNS provider
Step 4: Verify Authentication Status
Check your HubSpot email domain setup:
DNS records take 10-70 minutes to verify. Monitor progress in domain settings:
- Go to Settings > Content > Domains & URLs
- Scroll to Email sending domains section
- Check authentication status: The Status levels are...
- Not authenticated: No methods set up or verified
- Partially authenticated: DKIM verified, SPF/DMARC pending
- Authenticated: All three methods fully verified
Troubleshooting: If authentication fails, click Continue setup to review DNS record values that need correction.
Step 5: Best Practices for Email Domain Changes
If switching from an existing email domain...
Pre-launch checklist:
- Use familiar "From" names recipients recognize
- Set up multiple subdomains for different email types
- Clean your subscriber list before switching
- Verify all authentication is working
Communication strategy:
- Inform subscribers about the domain change
- Ask them to allowlist your new sending domain
- Explain why you're making the change
- Phase announcements to engaged subscribers first
Transition approach:
- Use old and new domains together initially
- Reference "newdomain.com, formerly olddomain.com"
- Warm up the new domain gradually
- Monitor open rates, clicks, and deliverability
Common Email Authentication Issues
❌ Incorrect DNS records: Wrong Host or Required data values
✅ Solution: Double-check copied values match exactly
❌ Multiple SPF records: Creates DNS conflicts
✅ Solution: Combine into single SPF record with multiple includes
❌ Cloudflare interference: CNAME flattening blocks authentication
✅ Solution: Disable proxy and CNAME flattening for email domain
❌ Website domain conflict: Can't authenticate domains hosting websites
✅ Solution: Use dedicated subdomain for email sending
Why Email Authentication Matters for Your Business
Proper email authentication setup directly impacts your marketing ROI:
- Higher deliverability means more people see your emails
- Better sender reputation improves long-term email performance
- Compliance with provider requirements prevents blacklisting
- Professional appearance builds trust with recipients
Questions or comments? Share below!