How can I improve SPF alignment and email deliverability when using Hubspot?
Matthew Whittaker
Co-founder & CTO, Suped
Published 22 Jul 2025
Updated 17 Aug 2025
10 min read
Achieving optimal email deliverability, especially when using a platform like Hubspot, often comes down to understanding the nuances of email authentication. Many marketers, myself included, have looked at DMARC reports and seen SPF marked as 'not aligned,' even when the SPF record seemed correctly published. This can be a source of confusion and concern, leading to questions about whether emails are reaching their intended inboxes.
The challenge with SPF alignment in environments like Hubspot stems from how these platforms send emails on your behalf. While SPF (Sender Policy Framework) itself might pass, the domain used in the "envelope from" address, which SPF checks, often belongs to the sending service, not your primary domain. This mismatch with your "header from" domain is precisely what causes SPF alignment to fail, impacting your DMARC compliance.
In this article, I will explain why this happens and outline the steps you can take to enhance your email deliverability, ensuring your messages land in the inbox and avoid the spam folder. We will explore authentication protocols like DKIM and DMARC, delve into sender reputation, and discuss practical strategies to optimize your email program within Hubspot.
When you send emails through Hubspot, the platform uses its own infrastructure. This means the "return-path" or "envelope from" domain in the email's technical headers will typically point to a Hubspot subdomain, such as 25424386.spf05.hubspotemail.net. Your SPF record, which you publish on your own domain, authorizes Hubspot's servers to send email on its behalf. So, SPF passes, but alignment does not, because the "envelope from" domain is Hubspot's, while your "header from" (the address recipients see) is your domain. This distinction is key for DMARC.
For DMARC to pass, either SPF or DKIM must be aligned with your "header from" domain. Since SPF alignment often isn't achievable with Hubspot's shared sending infrastructure, DKIM (DomainKeys Identified Mail) becomes the primary method for authentication alignment. When you configure DKIM with Hubspot, you add a CNAME record that allows Hubspot to sign your emails using your domain. This ensures DKIM alignment, allowing your emails to pass DMARC checks. For a deeper dive, read our guide on how SPF alignment works with DMARC in Hubspot.
Your SPF record should accurately reflect all legitimate senders for your domain. Including Hubspot's required include mechanism (like include:spf.hubspotemail.net) is critical for SPF authentication, even if it doesn't align for DMARC. Be cautious not to exceed the 10 DNS lookup limit for SPF records, as this can cause legitimate emails to fail SPF checks. If you are experiencing SPF failures, check out our guide on how to troubleshoot SPF failures in Google Postmaster Tools.
DMARC is the policy layer that ties SPF and DKIM together, dictating what mailbox providers (like Google and Yahoo) should do with emails that fail authentication. Your DMARC policy (p=none, p=quarantine, or p=reject) tells receiving servers how to handle unauthenticated mail. To properly implement DMARC, you need both SPF and DKIM configured. For a comprehensive overview, review our simple guide to DMARC, SPF, and DKIM.
Even if your SPF isn't aligned through Hubspot, a correctly configured and aligned DKIM signature will ensure your DMARC passes. This is a common and acceptable setup when using email service providers (ESPs) that rely on shared infrastructure. The goal is to ensure at least one of SPF or DKIM passes alignment to satisfy DMARC requirements.
When you're comfortable with your authentication, transitioning your DMARC policy from "none" to "quarantine" or "reject" is a crucial step for securing your domain against spoofing and phishing. Monitor your DMARC reports from Google and Yahoo to confirm that legitimate emails are consistently passing authentication. You can read our guide to safely transition your DMARC policy.
The Hubspotknowledge base provides detailed instructions on setting up email authentication, including SPF, DKIM, and DMARC. Always refer to their official documentation to ensure your setup is compliant and optimized for their sending infrastructure.
Building sender reputation and engagement
While authentication is foundational, it is just one piece of the deliverability puzzle. Your sender reputation is paramount. This reputation is built over time based on various factors, including bounce rates, spam complaint rates, and recipient engagement. Even with perfect SPF and DKIM alignment, a poor reputation can lead to emails landing in spam folders or being blocklisted (blacklisted).
Engagement signals, such as opens, clicks, and replies, tell mailbox providers that your emails are wanted. Conversely, low engagement, high spam complaints, and frequent bounces negatively impact your reputation. Maintaining a clean and engaged email list is one of the most effective strategies to improve your deliverability. If your emails are consistently going to spam, learn more about how to improve email deliverability when emails go to spam.
Key factors for deliverability
List hygiene: Regularly remove inactive subscribers, hard bounces, and known spam traps. This prevents your sender reputation from being damaged by sending to invalid or disengaged addresses.
Content quality: Avoid spammy keywords, excessive images, or broken links. Craft relevant, valuable content that encourages interaction and reduces spam complaints. Personalized content often leads to better engagement.
Engagement: Focus on sending emails to people who want to receive them. Encourage opens, clicks, and replies to signal positive engagement to mailbox providers. High engagement is crucial for inbox placement.
Monitoring feedback loops: Sign up for feedback loops (FBLs) with major ISPs to receive reports on spam complaints. This allows you to quickly remove complaining subscribers.
Regularly monitoring your Hubspot deliverability reports and DMARC aggregate reports will provide insights into your performance. These reports help identify if your emails are reaching the inbox, being sent to spam, or failing authentication checks. Addressing any issues promptly is vital to maintain a strong sender reputation and improve deliverability. For more information, check out Hubspot's guide on email deliverability best practices.
Shared vs. dedicated IP addresses
Whether you use a shared IP or a dedicated IP through Hubspot significantly impacts your IP reputation and how much control you have over it. Most Hubspot users start on shared IPs, meaning your sending reputation is tied to that of other Hubspot customers. While this offers stability and ease of setup, it also means you're affected by the sending practices of others on the same IP. For more on this, check out our guide on how to improve email deliverability on a shared IP.
If you send large volumes of email, a dedicated IP provides exclusive control over your sending reputation. However, it also requires diligent management and a proper warm-up strategy to build a positive reputation from scratch. This can be more complex but offers greater stability and control for high-volume senders. Our article on how to improve email and domain reputation provides further insights.
It is important to remember that DMARC's primary function is identity verification, not direct delivery improvement. While a strong DMARC policy helps protect your brand and reduces spam, actual deliverability hinges on your sending reputation and positive engagement with your recipients. Receiving mailbox providers assess a multitude of signals, and authentication is just one of them.
Shared IP
Pros: Easier setup, pre-warmed IPs, suitable for lower volume senders. Hubspot manages IP reputation.
Cons: IP reputation is shared among all users, potential for negative impact from other senders (blocklists/blacklists). Limited impact on IP reputation for low send volume.
Dedicated IP
Pros: Full control over IP reputation, better for high-volume senders, enhanced deliverability stability. Enables SPF alignment.
Cons: Requires a warm-up period, diligent reputation management, and consistent high volume sending.
For Hubspot users without a dedicated IP, it's generally not possible to achieve 100% SPF alignment on your primary domain because the envelope from domain will always be a Hubspot subdomain. However, this is not problematic as long as your DKIM authentication is correctly set up and aligned, which satisfies DMARC. What is problematic, however, is being placed on an email blocklist (blacklist). Our guide explains what happens when your domain is put on a blocklist.
Practical steps to boost deliverability
To improve deliverability with Hubspot, focus on these key areas. Implement DMARC with a relaxed policy (p=none) initially, then move to stricter policies (p=quarantine or p=reject) as confidence grows. Monitor DMARC reports closely to ensure legitimate emails are consistently passing authentication. This will confirm your setup is robust.
Maintaining a clean email list is critical. Regularly remove unengaged subscribers, hard bounces, and any addresses that trigger spam complaints. Utilize Hubspot's tools for list segmentation and contact management to ensure you're sending to an active audience. Remember, engagement is a primary driver of deliverability. Your emails should provide value, encouraging opens, clicks, and replies. Focus on quality content that resonates with your subscribers.
Avoid behaviors that can negatively impact your sender reputation, such as sending unsolicited emails or purchasing email lists. These practices can lead to high spam complaint rates and land your domain on blocklists (blacklists), severely impacting your ability to reach the inbox. Our guide on how to resolve email deliverability issues offers more advice.
Regularly monitor your email performance metrics, including open rates, click-through rates, bounce rates, and spam complaint rates. These metrics provide valuable insights into the health of your email program and help identify potential deliverability issues early on. Tools like Google Postmaster Tools offer detailed data on your domain's reputation with Gmail users.
Factor
Impact on Deliverability
Action for Hubspot Users
SPF alignment
Important for DMARC, but often not aligned with shared IPs. SPF pass is primary.
Ensure Hubspot is included in your SPF record. Focus on DKIM for DMARC alignment.
DKIM alignment
Crucial for DMARC compliance, especially with shared ESPs.
Set up DKIM via Hubspot's email authentication settings.
DMARC policy
Protects against spoofing and phishing. Stricter policies improve trust but require consistent authentication.
Implement DMARC. Start with p=none, then move to p=quarantine or p=reject after monitoring.
Sender reputation
Determines inbox placement. Influenced by complaints, bounces, and engagement.
Maintain a clean list, send relevant content, and monitor metrics.
Views from the trenches
Best practices
Focus on DKIM alignment for DMARC with Hubspot, as SPF alignment may not be achievable due to shared infrastructure.
Always include Hubspot's SPF mechanism in your SPF record to authorize their sending, even if SPF alignment isn't perfect.
Regularly clean your email lists to remove inactive subscribers and hard bounces, as this significantly boosts deliverability.
Prioritize sending emails to engaged recipients who want to receive your messages to build a positive sender reputation.
Common pitfalls
Attempting to force SPF alignment with Hubspot on a shared IP, which is generally not feasible for direct domain alignment.
Neglecting DMARC implementation, which leaves your domain vulnerable to spoofing and can negatively impact deliverability.
Underestimating the importance of engagement, content quality, and list hygiene compared to technical authentication settings.
Sending bulk email marketing from a dedicated IP without a proper warm-up plan, leading to poor reputation and blocked emails.
Expert tips
Remember that DMARC is an identity verification tool, not a direct deliverability improvement tool. Deliverability is mainly driven by the reputation of that identity.
Your DMARC policy (e.g., quarantine or reject) will not directly improve email delivery, but it will help protect your domain and guide receiving servers on how to handle unauthenticated mail.
On a shared IP, your individual sending volume of a few thousand emails per week will have almost no impact on the overall IP reputation, as it's determined by all senders on that IP.
Avoid using tools that claim to 'force' or 'artificially increase' IP reputation by simulating engagement. Mailbox providers frown upon this, and it can lead to severe penalties, including being banned from emailing certain domains.
Expert view
Expert from Email Geeks says you cannot achieve full SPF alignment with Hubspot, given how their shared infrastructure operates.
2024-04-09 - Email Geeks
Expert view
Expert from Email Geeks says that SPF passes because Hubspot publishes the correct record for their bounce domain, but it will not align with the header-from domain for DMARC.
2024-04-09 - Email Geeks
Key takeaways for Hubspot email deliverability
Improving SPF alignment and overall email deliverability with Hubspot is a multi-faceted effort that extends beyond just a single DNS record. While SPF authentication is important, DKIM alignment is typically the key to DMARC compliance when using a shared email service provider like Hubspot. Your domain's reputation, built on consistent positive engagement, low bounce rates, and minimal spam complaints, is what truly drives your emails to the inbox.
The distinction between a passing SPF check and SPF alignment for DMARC is crucial for understanding your DMARC reports. By ensuring proper DKIM configuration, maintaining rigorous list hygiene, crafting engaging content, and monitoring your email performance, you can significantly enhance your email deliverability and achieve your marketing goals.
Always prioritize sending wanted mail to engaged recipients. This fundamental principle, combined with robust authentication and proactive reputation management, forms the bedrock of a successful email program, regardless of the platform you use.
Hubspot, often comes down to understanding the nuances of email authentication. Many marketers, myself included, have looked at DMARC reports and seen SPF marked as 'not aligned,' even when the SPF record seemed correctly published. This can be a source of confusion and concern, leading to questions about whether emails are reaching their intended inboxes.
Google and 
Yahoo) should do with emails that fail authentication. Your DMARC policy (p=none, p=quarantine, or p=reject) tells receiving servers how to handle unauthenticated mail. To properly implement DMARC, you need both SPF and DKIM configured. For a comprehensive overview, review our simple guide to DMARC, SPF, and DKIM.
