How to Set Up SPF, DKIM, and DMARC with HubSpot
TABLE OF CONTENTS
Though it is still the pillar of corporate communication, email is also a target for cyberattacks. Over 3.4 billion phishing emails are sent globally every day, using email security flaws. Technologies include SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) are vital in combat of this. By verifying that departing emails have not been altered and authenticating them, these systems greatly lower the phishing and spoofing threat.
Using SPF, DKIM, and DMARC on HubSpot not only protects your emails but also improves the reputation of your domain, so increasing delivery generally. This article will walk over how to properly set up these security policies in HubSpot so that your email correspondence are reliable and safe.
HubSpot’s email authentication is a must-have tool for making sure your emails go to their intended recipients unaltered by malevolent actors. HubSpot offers strong capabilities to handle email authentication, thereby enabling companies to keep high deliverability rates and preserve brand identification.
- SPF lets you indicate which mail servers your domain lets send emails on behalf of itself. This makes it simple to spot as possibly fraudulent if an email comes from a server not shown on your SPF record.
- Every departing email is digitally signed by DKIM, which destination email systems can utilize to confirm that the email was truly sent by the domain owner and unaltered en route.
- Using SPF and DKIM, DMARC finds the authenticity of an email and gives receiving agents directions on what to do should neither of those authentication techniques pass – that is, reject the email or flag it as spam. It also provides comments on messages that pass and fail DMARC evaluation, therefore illuminating possible security flaws or authentication weaknesses.
By increasing deliverability, using these authentication criteria inside HubSpot not only enhances your email security but also your email performance generally.
Verifying sender IP addresses helps avoid spoofing by means of a crucial email authentication method called Sender Policy Framework (SPF). It lets domain owners designate which email servers, on behalf of their domain, are allowed to deliver emails. The receiving server verifies that an email comes from an authorized server by looking over this SPF record upon receipt of it.
Verify Your Current SPF Record: Before you make any changes, check if you already have an SPF record. You can use tools like MXToolbox to retrieve your domain’s current SPF record.
Access Your Domain Settings: Log in to your domain provider’s control panel. This will typically be where you registered your domain name (e.g., GoDaddy, Bluehost).
Locate the DNS Management Section: Once you’re in the control panel, navigate to the section where DNS settings are managed.
Modify or Create an SPF Record:
- If you do not have an SPF record, you’ll need to create one. Use Free SPF Record Generator to do this in easiest way or add a TXT record with the following value:makefile
v=spf1 include:_spf.hubspot.com ~all
- If an SPF record already exists, append
include:_spf.hubspot.comto it, ensuring not to create multiple SPF records, which can lead to failures. It should look something like this:makefilev=spf1 include:your_existing_record include:_spf.hubspot.com ~all
- If you do not have an SPF record, you’ll need to create one. Use Free SPF Record Generator to do this in easiest way or add a TXT record with the following value:
Save Your Changes: After updating or creating your SPF record, save the changes in your DNS settings.
Verify the SPF Record: Use an SPF validation tool to ensure your SPF record is correct and recognized. You can check it immediately, but DNS changes might take up to 48 hours to propagate fully.
After updating your SPF record, if it’s not recognized, ensure you’ve waited enough time for DNS propagation. If it still doesn’t work, double-check your record for any typos or syntax errors.
Having more than one SPF record can lead to authentication failures. If you find multiple SPF entries, consolidate them into a single SPF record.
The ~all mechanism in the SPF record results in a soft fail, where emails from unauthenticated servers are marked but not rejected. If you prefer a stricter approach, replace ~all with -all after confirming all legitimate sending servers are listed in your SPF.
Using a digital signature to confirm the sender’s identity and guarantee the email contents has not been altered on route, DomainKeys Identified Mail (DKIM) is an email authentication system. By telling ISPs your emails are legitimate and safe, you boost deliverability and build confidence with email receivers.
Enable DKIM in HubSpot:
- Log in to your HubSpot account.
- Navigate to
Settings, then selectDomains & URLs. - Under the
Emailtab, find the section forEmail Sending Domains. - Click on the domain you want to set up DKIM for, or add a new domain if necessary.
Generate DKIM Key:
- Once you select the domain, HubSpot will automatically generate a DKIM key if one isn’t already set up. This includes a public key that needs to be added to your DNS records.
Access Your DNS Settings:
- Log into the control panel of your domain provider.
- Go to the DNS management area.
Create a DKIM TXT Record:
- Add a new TXT record. The host name (or name) should be something like
hs._domainkey.yourdomain.com(replaceyourdomain.comwith your actual domain name). - In the value field, paste the DKIM key provided by HubSpot. It will look something like:css
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD...
- Add a new TXT record. The host name (or name) should be something like
Save the Changes:
- Make sure to save or update the record in your DNS settings.
Verify DKIM Configuration:
- Return to HubSpot’s
Email Sending Domainssection and verify the DKIM configuration by following the prompts provided by HubSpot. - HubSpot may provide a verification tool or button to check if the DKIM record is correctly set up.
- Return to HubSpot’s
- Check Propagation. DNS changes can take up to 48 hours to propagate. Use a DNS checker tool to confirm that your DKIM record is visible publicly.
- Avoid Typos in Records. Ensure there are no extra spaces or characters in your DKIM record that could invalidate the setup.
- Consistency in DNS Entries. Make sure the selector (hs._domainkey) and the domain name in your DKIM record match exactly with what’s specified in HubSpot.
- Regularly Update Your DKIM Keys. Periodically updating your DKIM keys can enhance security. Remember to update your DNS records with the new keys each time you make a change.
Designed to provide email domain owners the means to guard their domain from illegal usage, sometimes referred to as email spoofing, Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email authentication system DMARC’s goal is to guarantee that any fraudulent activity seeming to originate from domains under your control is banned and that real emails are correctly validated against accepted SPF and DKIM standards.
Review SPF and DKIM Settings:
- Before setting up DMARC, ensure that SPF and DKIM are properly configured and passing. DMARC relies on these two protocols to function correctly.
Generate a DMARC Record:
- A typical DMARC record looks like this:css
v=DMARC1; p=none; rua=mailto:yourname@yourdomain.com - Here,
p=nonespecifies the policy (none, quarantine, reject), andruais where aggregate reports are sent.
- A typical DMARC record looks like this:
Access Your DNS Settings:
- Log into the control panel of your domain registrar.
- Navigate to the section for managing DNS records.
Add the DMARC Record:
- Add a new TXT record.
- The host name should be
_dmarc.yourdomain.com. - Paste the DMARC record in the value field.
Save the Changes:
- Apply and save your DNS record changes.
Verify the DMARC Record:
- Use a DMARC verification tool to check that your record is correctly published.
Authentication Check. DMARC uses SPF and DKIM to verify whether an email claims to be from your domain is actually from your authenticated sending sources or is properly signed with your DKIM signature.
Alignment Check. DMARC also checks for alignment, meaning the domain in the From header must match the domain in the SPF return-path or DKIM signature for the DMARC check to pass.
Policy Enforcement. Based on the results of these checks, DMARC applies the specified policy (none, quarantine, reject) to handle emails that fail these checks. This is crucial for preventing spoofed or fraudulent emails from being delivered.
Reporting. DMARC also provides feedback on messages that pass or fail DMARC evaluation through reports sent to the specified email in the DMARC record. This helps organizations identify potential security issues related to their domain’s email.
Authentication Check. DMARC uses SPF and DKIM to verify whether an email claims to be from your domain is actually from your authenticated sending sources or is properly signed with your DKIM signature.
Alignment Check. DMARC also checks for alignment, meaning the domain in the From header must match the domain in the SPF return-path or DKIM signature for the DMARC check to pass.
Policy Enforcement. Based on the results of these checks, DMARC applies the specified policy (none, quarantine, reject) to handle emails that fail these checks. This is crucial for preventing spoofed or fraudulent emails from being delivered.
Reporting. DMARC also provides feedback on messages that pass or fail DMARC evaluation through reports sent to the specified email in the DMARC record. This helps organizations identify potential security issues related to their domain’s email.
Improving email deliverability in HubSpot can significantly impact your marketing and communication efforts. One effective tool for enhancing deliverability is Warmy.io, designed to optimize and maintain the health of your email sending reputation.
Warmy.io is a specialized tool that focuses on improving email deliverability through automated warm-up processes and advanced deliverability management features. It helps in warming up your email accounts, which is essential for establishing a reliable sender reputation with email service providers (ESPs). By sending emails from your accounts to its network of email addresses and ensuring interactions like opens and replies, Warmy.io gradually builds the trustworthiness of your email account. This process is crucial, especially if you are starting with a new email domain or have faced deliverability issues in the past.
Email Warm-Up. Warmy.io automates the process of warming up your email accounts by regularly sending and receiving emails that mimic real interactions. This helps in gradually increasing the volume of emails your account can send without being marked as spam.
Reputation Building. By ensuring consistent positive engagement, Warmy.io helps build a strong sender reputation. A good reputation with ESPs like Google and Microsoft means fewer emails landing in spam, enhancing overall deliverability.
Deliverability Analytics. Warmy.io provides detailed analytics and insights into your email performance. This data can help identify potential deliverability issues before they become significant problems, allowing you to make data-driven decisions to optimize your email strategies.
SPF and DKIM Optimization. Besides warming up emails, Warmy.io also assists in setting up and optimizing SPF and DKIM records. Proper configuration of these records is crucial for email authentication and plays a significant role in improving deliverability.
Related – SPF, DKIM, and DMARC: Boosting Email Security and Deliverability
We have discussed the key stages for configuring SPF, DKim, and DMARC inside HubSpot throughout this article, therefore stressing the critical part these email authentication systems do in protecting your email correspondence. These steps can help companies greatly strengthen their email security, safeguard their brand identification, and raise general email deliverability.
Businesses using HubSpot not only raise the likelihood that their emails find their intended recipients but also develop a good sender reputation by carefully executing these standards.