Customer Success Team Resources

by: HubSpot Moderator

Q and A: Demystifying Email Authentication and Deliverability

Experts from HubSpot’s Deliverability team recently shared their insights and support during the "Demystifying Email Authentication with HubSpot" webinar. 


🔗 Watch the recording and discover additional resources here.


Here are expanded answers to your email authentication and deliverability questions:


💡 DIY ("Do it yourself")

In my portal, under email sending domains it says authenticated. We are good to go, right? How do I get to the in-app wizard?

Navigate to the 'settings' gear in your portal, then scroll down to Website, then Domains and URLs. Yes, if under email sending domains it says 'authenticated' you are all set.


What if we don't have a tech team to help set this up? Are there detailed instructions?

Here is guidance for how to configure this.


This article also explains why it is important.


Our support team can help troubleshoot any messages you see within HubSpot, and our Knowledgebase articles provide guidance on how to set this up. There are also integrations with Cloudflare, GoDaddy and a couple of other DNS hosting providers in HubSpot that should help make this easier.


How should we ask for consent to send emails to new marketing email lists so they are subscribed to marketing email via HubSpot?

Great question! There are a few different ways to do this, but a very popular tactic is to use paid ads to target those lists. From there, the ad would direct those contacts to a landing page where they can complete a form and officially opt in. This is a great opportunity to think about your content strategy and where and how you promote forms.


If I enable opt in now, will I lose the ability to email my old contacts? Or will I still be able to send them emails and it will only affect my open rates?

There will be no changes to reaching out to your existing contacts. We just want to encourage you to use opt-in consent. An opt-in list is not only encouraged but a requirement under our use policy.


Can you share best practices for what to do with the many emails I get now that I set up DMARC? How would you manage that data and make it actionable? Does HubSpot provide that reporting? Is there a trick to opening up these xml files I get for the DMARC reports?

DMARC reporting comes in two formats: aggregate and forensic. Aggregate reports come in XML format, while forensic reports come in plain text. Forensic reports contain PII (Personally Identifiable Information), while aggregate reports do not. These reports are useful for determining the source of authentication failures and whether your brand is being spoofed, but it can be hard to manage the volume of reporting and to interpret your findings.


You may consider a third-party reporting tool like DMARCIAN or ValiMail to sort out reporting and get actionable insight. The reports come directly from the mailbox provider you're sending mail to (like Gmail or Yahoo). HubSpot does not provide the reporting.
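For a first look at an aggregate report without a third-party tool, the XML can be summarized per sending IP. This is an added example, not HubSpot code: the sample report is constructed in the RFC 7489 aggregate layout with documentation-range IPs, and real reports usually arrive zipped or gzipped and should be treated as untrusted input.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout (documentation IPs).
def _rec(ip, count, dkim, spf):
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row>"
            f"<identifiers><header_from>example.com</header_from></identifiers></record>")

SAMPLE_REPORT = (
    "<feedback><report_metadata><org_name>mailbox-provider.example</org_name>"
    "</report_metadata><policy_published><domain>example.com</domain><p>none</p>"
    "</policy_published>"
    + _rec("192.0.2.10", 120, "pass", "pass")    # fully authenticated stream
    + _rec("192.0.2.10", 5, "pass", "fail")      # DKIM alone still passes DMARC
    + _rec("198.51.100.7", 40, "fail", "fail")   # unknown or misconfigured sender
    + "</feedback>"
)

def summarize(xml_text):
    """Return (published policy, per-source-IP message counts) for one report."""
    root = ET.fromstring(xml_text)
    policy = root.findtext("policy_published/p", default="unknown")
    sources = defaultdict(lambda: {"total": 0, "dmarc_pass": 0, "dmarc_fail": 0})
    for record in root.iter("record"):
        row = record.find("row")
        if row is None:
            continue
        ip = row.findtext("source_ip")
        count = int(row.findtext("count", default="0"))
        dkim = row.findtext("policy_evaluated/dkim", default="fail")
        spf = row.findtext("policy_evaluated/spf", default="fail")
        # policy_evaluated holds the aligned results; DMARC passes if either passes.
        outcome = "dmarc_pass" if "pass" in (dkim, spf) else "dmarc_fail"
        sources[ip]["total"] += count
        sources[ip][outcome] += count
    return policy, dict(sources)

def failing_sources(sources):
    """IPs that sent at least one message failing DMARC, highest volume first."""
    bad = [(ip, s["dmarc_fail"]) for ip, s in sources.items() if s["dmarc_fail"]]
    return sorted(bad, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    policy, sources = summarize(SAMPLE_REPORT)
    print("published policy:", policy)
    print("investigate:", failing_sources(sources))
```

An IP in the failing list is either a legitimate platform that still needs SPF or DKIM set up for your domain, or a source you do not recognize that is using your domain.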



Is setting DKIM and DMARC mandatory? IT already set up domains for the marketing team. Is this an additional step?

DKIM and DMARC will be mandatory at Yahoo and Gmail. You'll want to check with your IT team to see if they've already published a policy for your root domain that covers your subdomains.


What are the top changes we should go in and make in HubSpot to remain compliant?

Implement SPF, DKIM and DMARC authentication, manage your opt-in list to keep complaints low, and sunset your nonresponders.


When should these implementations be done? 

These changes began to roll out on February 1, but will be rolled out gradually. As soon as you can is great, but aim for the end of Q1!


Can I have more than 1 SPF record? My domain provider said I can only use one, so if I use the one from HubSpot will personal emails using the same sending domain not be compliant?

A domain can have only one SPF record, but you can have multiple providers on that one record. This allows you to be compliant across multiple platforms. We are updating our knowledge base articles to explain this better.
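The check below shows what "multiple providers on one record" looks like in practice. It is an added example, not HubSpot code: the TXT values and include hostnames are constructed placeholders, the `~all` ending is an assumed default, and the rules it enforces (one SPF record per name, at most 10 DNS-lookup terms) come from RFC 7208.

```python
import re

# Terms that cost a DNS lookup during SPF evaluation (RFC 7208, limit of 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT answers for one domain; the include hosts are placeholders.
SAMPLE_TXT = [
    "v=spf1 include:_spf.corp-mail.example ~all",
    "v=spf1 include:_spf.marketing-platform.example -all",
    "site-verification=constructed-value",
]

def spf_records(txt_records):
    """Keep only the TXT strings that are SPF records."""
    return [r for r in txt_records if r.lower().split(" ", 1)[0] == "v=spf1"]

def count_lookups(record):
    """Count the terms in one SPF record that trigger a DNS lookup."""
    terms = (t.lstrip("+-~?").lower() for t in record.split()[1:])
    return sum(re.split(r"[:/=]", t, maxsplit=1)[0] in LOOKUP_TERMS for t in terms)

def merge(records, all_term="~all"):
    """Combine several SPF records into one, deduplicated, with a single 'all'."""
    seen, merged = set(), []
    for record in records:
        for term in record.split()[1:]:
            if term.lstrip("+-~?").lower() == "all" or term.lower() in seen:
                continue
            seen.add(term.lower())
            merged.append(term)
    return " ".join(["v=spf1", *merged, all_term])

def audit(txt_records):
    """Report SPF problems for a domain's TXT set and suggest a single record."""
    found = spf_records(txt_records)
    merged = merge(found) if found else None
    problems = []
    if len(found) > 1:
        problems.append("multiple SPF records: receivers return permerror")
    if merged and count_lookups(merged) > 10:
        problems.append("more than 10 DNS-lookup terms: permerror")
    return {"spf_records": len(found), "problems": problems, "suggested": merged}

if __name__ == "__main__":
    print(audit(SAMPLE_TXT))
```

Publish the suggested value as the only `v=spf1` TXT record on the domain and delete the others; the final `all` qualifier is a policy choice to agree with your IT team.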


I've gone through your steps but once I used Dmarcian to check I got a message saying that our DMARC record is valid but we're not fully protected. Is this ok or should we be taking further steps?

DMARCIAN often shows that message if you have published p=none. This means that you've not established a policy to reject mail or deliver it to spam when mail is not authenticated. The minimum requirement is p=none, so your record is valid, but you'll want to confirm with your IT team to make sure you're good.


Should or can I replace all of my system domains with my custom domain, and if so, can you remind me how to do that? Website pages for example are still represented by a system domain.

We don’t recommend using the same domain that you use for hosting content; instead, we recommend using a subdomain. Example, we would not recommend connecting, instead connecting The reason for this is that there are hierarchy rules that can have a negative impact.


🔶 HubSpot Features

What is HubSpot doing to ensure accuracy of open rates, given the issues mentioned about fake opens?

Check out how to filter out bots here.


Do you need Marketing Hub to set up one-click unsubscribe, or is it available on any HubSpot subscription?

This feature is available to all Hubs and tiers but the primary use case is marketing email.


When adding new contacts, will these be updated or do we need to do these steps for any new contacts added?

Authentication is applied at your domain level within the portal. There are no impacts as you are adding new contact records in HubSpot CRM.


What does “sending on a dedicated IP" mean?

A Dedicated IP is a unique IP address designated for your exclusive use. Unlike the shared pool, you will have full reputational control over the IP address and this is a great add-on feature if you're sending 100,000+ messages per month consistently.


If I send emails without SPF/DMARC in the meantime like previously we did, will there be any detriment to our sent emails our sender reputation? What about sending to Outlook emails?

These requirements were released with a slow rollout starting Feb 1. We've been told that the rollout will allow senders time to comply, but you can expect to see a portion of your mail deferred with specific bounce errors if your mail remains unauthenticated through the rollout window, and eventually your mail will be rejected.


When will our unauthenticated/unverified emails default to the if we don't have DMARC set up?

Unauthenticated and unverified email domains will be changed to a HubSpot authenticated domain now. We've released this feature and you can find more info at the bottom of this knowledge base article.


How do we improve, or reduce the "unengaged lists" in terms of marketing emails?

The best path is to listen for signs of life, like clicks and opens (but we already know opens are not so reliable), attempt to re-engage, then sunset non-responders. HubSpot offers a native feature to suspend mailing to inactive contacts. More details here.


Do any of these things overlap at all with the inbox automation function (or, any email tracking/logging outside of the existing settings you can adjust in your own email)? I work in healthcare and we are unable to have emails linked in HubSpot for HIPAA purposes.

Authentication is an important part of your sender reputation regardless of the audience you mail. However, HubSpot is not presently HIPAA compliant, so please submit your question through support for clarity.


🚩 Other Requirements

Has Microsoft published a list of requirements like Google and Yahoo have?

Outlook and others do not yet require DMARC authentication as Yahoo and Gmail do. Very few mailbox providers share their allowable complaint rates. Also, not all mailbox providers share complaints (spam reports) back to the sender. For the providers that offer them, we have configured those feedback loops for you at HubSpot, and we report on your spam rate across all your mail in your portal.


We use Google for our company email, but our recipients mostly use Outlook - rare for gmail, yahoo and the like. How important is it to authenticate for us?

Authentication is an important part of your sender reputation regardless of the audience you mail. We have learned that in the short term Yahoo and Google are applying these changes to their consumer mailboxes, but we expect they will also apply them to their business-hosted mailboxes in the longer term.


Do we lose contacts who have not opted in previously?

No contacts will be removed from your CRM if these changes aren’t implemented. It’s just likely that your deliverability will be impacted if you are mailing to a list that's not well-permissioned.


If you update these things in HubSpot do those push up to the mail provider (in our case gmail) or do we also need to do this outside of HubSpot for any emails that aren’t generated in HS?

SPF and DMARC are applied at the domain/subdomain level, so any changes you make will impact all mailstreams that share that domain. DKIM is applied by each email platform you mail from (i.e., your corporate mail vs. HubSpot). For marketing mail NOT generated in HubSpot, you'll want to work with your IT team to ensure that platform is also authenticating with SPF, DKIM and DMARC.


When the news broke about email changes coming, there were specific sending volumes referenced. It mentioned if you were under that volume, DMARC was not required. Is this still the case?

Google has published that senders who send more than 5K messages per day should comply with the new requirements. This is intended to cover 'bulk' email senders. As a best practice, we'd recommend that you comply with the requirements.


If we send to business emails, not does that still count toward the 0.3% spam rate?

Complaint rates are a challenging topic because each mailbox provider has their own reputational logic around complaints. Some publish their requirements as Yahoo and Gmail have now and some don't. Also, not all mailbox providers offer a feedback loop to send back complaint data to the sender (HubSpot) so we can unsubscribe the complainers.


The best guidance is to send mail only to those who have opted in and sunset non responders who are not engaged and therefore more likely to mark your mail as junk. The good news is, we've enabled the new compliant List Unsubscribe for you in Marketing Hub, so that's one more way to make it easier to unsubscribe than to complain.