Do I need to set up separate DKIM records for each sender domain in HubSpot?

Yes, you absolutely need to set up separate DKIM records for each sender domain you use in HubSpot, whether it's your primary domain or a non-primary one. Each domain requires its own unique cryptographic key pair, and HubSpot will provide the specific DNS records for each domain you connect.

What type of DNS records does HubSpot provide for DKIM setup?

HubSpot will provide you with CNAME records that act as your DKIM key. You'll need to copy these Host (name) and Value fields and paste them into your domain's DNS settings with your domain registrar or DNS hosting provider. These records tell receiving mail servers where to find your public DKIM key.

My emails are still going to spam after setting up DKIM, what else can I do?

While HubSpot handles the DKIM signing, your overall deliverability also depends on your sender reputation, email content, and subscriber engagement. Ensure your SPF records are correct, and implement DMARC to monitor authentication results and gain visibility into your email traffic.

How long does it take for DKIM changes to take effect in HubSpot?

DNS changes can take anywhere from a few minutes to 48 hours to fully propagate across the internet. After adding or updating your DKIM records, return to HubSpot and use their verification tool. If it's not verified immediately, give it some more time and check again.

How do I sign DKIM on a sender domain that isn't the primary domain while using Hubspot? - Technical - Email deliverability - Knowledge base

Email deliverability can be a complex challenge, especially when you're managing multiple domains through a platform like HubSpot. One common hurdle I've encountered is ensuring that DKIM (DomainKeys Identified Mail) is properly signed for sender domains that aren't the primary domain associated with my HubSpot account.

Many email marketers and businesses use HubSpot for their campaigns, but they often send emails from various domain names, not just their main website domain. When these secondary domains aren't correctly authenticated with DKIM, your emails are far more likely to land in the spam folder, undermining your outreach efforts.

The good news is that HubSpot provides a straightforward process to set up email sending domains, including those that aren't your primary one, and correctly configure their DKIM records. This ensures your emails maintain authenticity and improve their chances of reaching the inbox.

Suped DMARC monitoring

Free forever, no credit card required

Learn more

Trusted by teams securing millions of inboxes

Understanding DKIM and Hubspot's approach

Before diving into the setup process, it's crucial to understand what DKIM is and why it's so vital for email deliverability. DKIM is an email authentication method that uses a digital signature to verify the sender of an email and ensure that the email content hasn't been tampered with in transit. It adds a layer of trust, which is highly valued by mailbox providers like Gmail and Yahoo.

When you send an email, your email service provider (ESP), in this case, HubSpot, signs the outgoing message with a private cryptographic key. Receiving servers then use a corresponding public key, which is published in your domain's DNS records, to verify the signature. If the signature is valid, it confirms the email's authenticity and origin.

HubSpot handles DKIM (and other authentication methods like SPF and DMARC) for the email sending domains you connect within its platform. This means you don't generate the DKIM keys yourself. Instead, HubSpot provides you with the specific DNS records you need to add to your domain's DNS settings. This process is consistent whether it's your primary domain or a secondary one.

The primary challenge when dealing with non-primary domains often stems from misunderstanding how to tell HubSpot you intend to send from them, or where to find the unique DKIM records required. Each domain (or subdomain) you want to send from needs its own set of authentication records, not shared ones from your main domain. This is critical for maintaining proper email authentication.

Connecting your non-primary sender domain in Hubspot

To sign DKIM on a sender domain that isn't your primary domain in HubSpot, you'll need to connect it as an "email sending domain" within your HubSpot account. This process is essentially the same as connecting your primary domain, but it's important to differentiate which domain you're adding.

Log in: Log in to your HubSpot account.
Navigate to domain settings: Click the settings icon in the top navigation bar, then go to Website > Domains & URLs in the left sidebar menu.
Connect a domain: Click Connect a domain. In the dialog box, select Email Sending and click Connect.
Enter email address: On the domain connection screen, enter an email address used for sending emails from this specific domain (e.g., info@yoursecondarydomain.com), then click Next.
Verify the domain: Confirm the email sending domain on the next screen and click Next.

HubSpot will then provide you with the necessary DNS records (typically CNAME records for DKIM, and potentially TXT records for SPF if not already set up). You'll need to log into your domain host's DNS management portal to add these records. It’s a common step for any email authentication setup.

DNS provider login: In a separate tab, log into your DNS provider (e.g., GoDaddy, Cloudflare, etc.) and navigate to your DNS settings for the non-primary domain.
Copy and paste: In HubSpot, copy the Host (name) and Value from the provided records and paste them into the corresponding fields in your DNS provider.
Subdomain consideration: If you are connecting a subdomain (e.g., mail.yoursecondarydomain.com), you'll typically need to append _domainkey to the hostname.
Verify: After saving the DNS records, return to HubSpot and click Check them again (or Done) to initiate verification. It may take up to 24 hours for DNS changes to propagate.

Once verified, HubSpot will use the newly configured DKIM records to sign emails sent from that specific non-primary domain. This ensures proper DKIM alignment, which is crucial for DMARC pass rates and overall deliverability.

Ensuring proper authentication and alignment

While DKIM is a cornerstone of email authentication, it's part of a larger ecosystem that includes SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting & Conformance). For optimal deliverability, all three should be correctly configured for every domain you send from.

HubSpot will also guide you through setting up SPF records. SPF specifies which mail servers are authorized to send emails on behalf of your domain. Just like with DKIM, each sender domain, primary or not, should have an SPF record that includes HubSpot's sending servers.

Importance of DMARC

DMARC leverages both SPF and DKIM to provide instructions to receiving mail servers on how to handle emails that fail authentication checks. It also enables senders to receive DMARC reports, which are invaluable for monitoring your email authentication status and identifying potential issues.

Proper DKIM signing and SPF alignment are critical for improving email deliverability and preventing your emails from being flagged as spam. When sending from multiple domains, ensure each one has its distinct, correctly configured authentication records. Don't assume that authenticating your primary domain automatically covers others.

Troubleshooting and best practices for multiple domains

Even with correct setup, you might encounter issues. One common problem is emails still landing in spam, even after setting up DKIM and SPF. This could be due to other factors affecting your sender reputation, such as sending to invalid email addresses, low engagement rates, or being listed on a blocklist (or blacklist).

Potential issue

Generic DKIM signatures: Sometimes, shared ESP domains (like gappssmtp.com for Gmail) might sign your emails if your own domain's DKIM isn't set up. This can lead to authentication failures.
Blocklist issues: Even with correct authentication, if your IP address or domain is on a blocklist, emails may still go to spam.

Solution and best practice

Connect owned domains:Always ensure you connect any domain or subdomain you send from in HubSpot. This ensures HubSpot handles DKIM signing correctly for your specific domain.
Monitor deliverability: Regularly check your email deliverability rates and DMARC reports. Pay attention to bounce messages for clues regarding authentication failures or blocklist (blacklist) issues.

If you're using multiple email service providers (ESPs) alongside HubSpot, remember that each ESP typically requires its own set of authentication records. Consult their documentation for specific instructions, and ensure you're not trying to use one ESP's DKIM key for another. Consistency across all sending platforms is key for a strong sender reputation.

Views from the trenches

Best practices

Always authenticate all sender domains and subdomains you use with HubSpot, not just your primary one. This helps ensure proper DKIM signing and alignment.

Regularly monitor your DMARC reports to catch any authentication failures or issues with your DKIM setup for non-primary domains. These reports provide valuable insights.

Ensure consistency in your email authentication across all platforms if you use multiple email service providers. Each ESP needs its own set of records.

Maintain a healthy sender reputation by sending relevant content, avoiding spam triggers, and managing your subscriber lists effectively to minimize bounces.

Common pitfalls

Assuming that authenticating your primary domain automatically covers all other domains or subdomains you send from. Each domain needs explicit setup.

Overlooking the propagation time for DNS changes. It can take up to 24-48 hours for new DKIM records to fully update across the internet.

Ignoring DMARC reports, which can reveal hidden authentication issues, including incorrect DKIM signatures on non-primary domains. Use a DMARC monitoring tool.

Having conflicting DKIM or SPF records from different email senders on the same domain, leading to authentication failures and deliverability problems.

Expert tips

When dealing with HubSpot, remember they provide the specific CNAME records for DKIM. You just need to add these to your DNS host, ensuring the host (name) and value are exactly as provided.

For subdomains, if HubSpot provides `hs1._domainkey` for `example.com`, for `mail.example.com` you might need to adjust the host to `hs1._domainkey.mail` depending on your DNS provider's interface.

Use a DMARC policy of `p=none` initially when setting up new domains or making significant changes, to monitor impact without blocking legitimate emails.

Regularly test your email deliverability using an email deliverability tester to verify DKIM is signing correctly from all your sender domains.

Expert view

Expert from Email Geeks says that you can only DKIM sign with domains you own or have explicit permission from the domain owner.

2022-09-05 - Email Geeks

Expert view

Expert from Email Geeks says that HubSpot's knowledge base provides detailed steps for connecting email sending domains and generating the necessary DNS records.

2022-09-05 - Email Geeks

Mastering multi-domain authentication for deliverability

Successfully signing DKIM on sender domains that aren't your primary domain in HubSpot is a fundamental step towards achieving excellent email deliverability. It's about ensuring that every email you send carries a verifiable stamp of authenticity, regardless of the 'From' address.

By diligently following HubSpot's domain connection process for each of your sending domains and correctly adding the provided DKIM and SPF records to your DNS, you'll significantly reduce the likelihood of your emails being flagged as spam or blocked. This proactive approach not only protects your sender reputation but also enhances recipient trust and campaign performance.