Currently, if the portal does not have the dedicated IP add-on, all e-mails are sent using a "hubspotemail.net" domain in the "Return-Path" header.
By doing so HubSpot is breaking SPF Alignment rules. SPF and DKIM alignment are positive indicators and should be considered for the security of users, even those that do not need a dedicated IP setup.
Without proper return-path values, all DMARC reports and Google's Postm Authentication reports show SPF fails, making it harder to detect problems and postponing companies to fully implement DMARC's quarantine/reject policies.
My understanding is that a DMARC pass happens when either of the DKIM or SPF check passes, you don't need both. It's bewilderingly terrible that hubspot can't properly support SPF, a most basic of email security features, but so long as the DKIM works the DMARC will pass and Google/Yahoo will allow it.