In your documentation, your domain verification process requires setting up a signature in the root domain TXT record. As your technical team is probably aware, that record is needed for an SPF record.
And that means every time that record is queried by a receiving mail server everything in that record gets sent to them. Further, it doesn't take much to exceed the payload limitation for a UDP packet, and sadly way too many organizations don't even support switching to TCP for queries, and a lot of mailserver configurations won't support TCP anyway. So this requirement can quickly be a deal-breaker for even doing business with an organization for the sake of protecting their mail delivery.
Please follow the lead of other technical organizations and either support an https-hosted file for this or at least use a TXT record like setup like DMRC or DKIM does, with a proper LHS value. Such as, make the LHS _hubspot, and then the RHS the unique verification value.