DKIM (DomainKeys Identified Mail) signing is a crucial email authentication method that helps verify the sender's identity and prevents email spoofing and tampering. When sending emails through a platform like HubSpot, ensuring proper DKIM configuration for all your sending domains, including non-primary ones or subdomains, is essential for maintaining strong email deliverability.
Many email marketers face challenges when attempting to configure DKIM for domains that are not their website's primary domain, especially when using an ESP (email service provider) like HubSpot. This often stems from a misunderstanding of how DKIM works in conjunction with third-party sending services and the specific setup requirements they impose. Correctly setting up DKIM for secondary domains, such as mail.yourcompany.com or even a completely different domain you own, ensures that your emails are authenticated correctly, pass DMARC checks, and avoid landing in the spam folder.
Key findings
Domain Ownership: You can only DKIM sign emails with domains you own or have explicit permission to use. Attempting to sign with a domain like gappssmtp.com (Gmail's internal signing domain) is not possible for external senders.
HubSpot's Role: HubSpot facilitates DKIM signing for your chosen email sending domains by generating the necessary DNS records that you must then add to your domain host.
Subdomain Handling: When connecting a subdomain to HubSpot for email sending, you often need to append _domainkey to the Host(name) field of the DKIM record.
DNS Propagation: After adding or updating DNS records, it can take up to 24 hours for changes to propagate globally and be fully verified by HubSpot.
Authentication Importance: Proper DKIM, SPF, and DMARC setup is critical for email deliverability, preventing emails from being rejected or landing in spam folders, and is especially important with new sender requirements from providers like Google and Yahoo.
Key considerations
Dedicated Sending Domain: Consider using a specific subdomain (e.g., mail.yourdomain.com) for your marketing emails sent via HubSpot. This isolates your marketing email reputation from your primary domain.
DNS Access: Ensure you have direct access to your domain's DNS settings or can collaborate effectively with your IT team or domain administrator to add the required TXT records.
HubSpot Instructions: Follow HubSpot's specific step-by-step instructions carefully for connecting your email sending domain, as they provide the exact DKIM values needed. This includes verifying the domain and updating the DNS records, as outlined in their knowledge base on connecting your email sending domain.
Troubleshooting: If you encounter 'Record Invalid' errors, double-check for typos, confirm that the record type is correct (TXT), and verify the Host(name) and Value fields. Also make sure you understand why DKIM might be failing.
Email marketers often find themselves in a bind when trying to maintain strong deliverability while leveraging multiple domains or subdomains through their ESP. The core of their concerns typically revolves around ensuring that DKIM is correctly set up for these non-primary domains, a step that is frequently misunderstood or misconfigured. Many experience a dip in inbox placement and an increase in spam folder landings when they switch sending from a directly warmed-up domain to one configured through a platform like HubSpot, attributing the issues to perceived shared DKIM problems or incorrect authentication setup.
The common thread among marketers' experiences is the confusion surrounding which domain should be signing the emails and how to implement that signing within the ESP's framework. Initial warm-up efforts on directly controlled domains may show good results, but transferring that success to an ESP environment requires specific attention to the authentication protocols provided by the platform. The objective is always to ensure that the emails sent from non-primary domains pass authentication checks (SPF, DKIM, DMARC) to maintain sender reputation and avoid blocklists or spam filters.
Key opinions
Authentication Confusion: Many marketers are unclear about which domain should be used for DKIM signing, especially when using a third-party sending service like HubSpot. There's a common misconception that the ESP (e.g., Google or HubSpot) might sign with their own domain, leading to confusion.
Deliverability Impact: Marketers frequently observe a sudden drop in deliverability, leading to spam folder placement, immediately after configuring their sending domains in HubSpot, even if their domains were previously warmed up with good results.
Seeking Guidance: There's a strong desire for clear, step-by-step instructions on how to correctly set up DKIM for non-primary sending domains within platforms like HubSpot to avoid deliverability issues.
Warm-up Discrepancy: A common point of confusion arises when marketers find their domain's reputation good during manual warm-up, but then experience deliverability problems when transitioning to an ESP like HubSpot, suggesting a configuration rather than a pure reputation issue.
Key considerations
Understanding ESP Authentication: Marketers should familiarize themselves with how their chosen ESP (e.g., HubSpot) handles email authentication for custom domains, recognizing that the ESP provides the necessary keys for your domain, not its own.
Domain vs. Subdomain: Consider whether you are setting up DKIM for a root domain (e.g., yourdomain.com) or a subdomain (e.g., emails.yourdomain.com), as this affects how you input the DNS records. Understanding whether DKIM can be set up on a subdomain is key.
Step-by-Step Adherence: Adhere strictly to the domain connection steps provided by HubSpot. These steps are designed to generate and verify the necessary DNS records, including DKIM, for your email sending domain.
Email marketer from Email Geeks states that, despite warming up their domain successfully, they are experiencing spam issues once it is configured on HubSpot. They initially suspected HubSpot's shared DKIM was the problem, indicating a need for clearer guidance on how HubSpot handles authentication for custom domains.
05 Sep 2022 - Email Geeks
Marketer view
Email marketer from Reddit describes the confusion around setting up DKIM for a subdomain (e.g., marketing.example.com) when their primary domain already has DKIM. They are unsure if a separate DKIM record is needed for the subdomain or if the primary domain's record suffices, highlighting a common point of ambiguity.
10 Mar 2023 - Reddit
What the experts say
Email deliverability experts consistently emphasize that DKIM signing must be associated with domains that the sender actually owns and controls. They clarify that third-party platforms like HubSpot provide the mechanism for *your* domain to be signed, rather than signing on behalf of their own infrastructure domains (like gappssmtp.com). This distinction is critical for maintaining proper email authentication and avoiding issues like DMARC failures.
Experts advise that the process involves generating specific DKIM records within the ESP's platform and then meticulously adding these as TXT records to the sender's DNS. They also highlight the importance of proper alignment of the sending domain (the one visible in the From header) with the DKIM signing domain for DMARC compliance, which is a common reason for emails failing authentication. Furthermore, they stress the need for patience during DNS propagation, as changes can take time to become fully active across the internet.
Key opinions
Domain Ownership Mandate: Experts assert that DKIM signing can only occur for domains that are genuinely owned by the sender or where explicit permission has been granted by the domain owner. This rule is fundamental to preventing email abuse and maintaining trust.
ESP-Generated Keys: Email service providers (ESPs) like HubSpot generate the unique DKIM records (public keys) that you, as the domain owner, must publish in your DNS. The ESP uses a corresponding private key to sign your outgoing emails.
Alignment for DMARC: DKIM's effectiveness is amplified by DMARC, which requires alignment between the From header domain and the DKIM signing domain. Without this, even a valid DKIM signature can lead to DMARC failures and potential blocklisting.
Subdomain Specificity: When setting up DKIM for subdomains, experts emphasize the need to carefully follow ESP-specific instructions regarding the DKIM selector and hostname, often requiring the addition of _domainkey.
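The alignment rule described above can be checked directly on a received message. The following is an added example, not code from HubSpot or from the experts quoted: it compares the From header domain with each DKIM-Signature d= domain under relaxed and strict DMARC alignment. The suffix set, the sample message, the selectors and the gappssmtp.com subdomain shown are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: tiny stand-in for the Public Suffix List; load the real list in production.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

def org_domain(domain):
    """Organizational domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def dkim_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs (folding removed)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())
    return tags

def dkim_alignment(raw_message, strict=False):
    """Return (From domain, [(d= domain, aligned?)]). Checks alignment only,
    not whether each signature verifies cryptographically."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    results = []
    for sig in msg.get_all("DKIM-Signature", []):
        d = dkim_tags(sig).get("d", "").lower()
        if strict:   # adkim=s: exact match required
            aligned = d == from_domain
        else:        # adkim=r (default): same organizational domain
            aligned = bool(d) and org_domain(d) == org_domain(from_domain)
        results.append((d, aligned))
    return from_domain, results

# Constructed sample: one message carrying a provider-domain signature and a
# signature for a subdomain of the From domain. bh=/b= values are placeholders.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example-com.gappssmtp.com; s=sel0;\n"
    " h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=mail.example.com; s=sel1;\n"
    " h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: News <news@example.com>\n"
    "Subject: constructed sample\n\nbody\n"
)
```

The provider-domain signature never aligns with the From domain, while the subdomain signature aligns only under relaxed mode, which is why a strict adkim=s policy needs the signing domain to match the From domain exactly.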
Key considerations
Verify DNS Records: After adding DKIM records to your DNS, use a reliable tool to verify their correct publication and propagation before expecting optimal deliverability. Improper DNS setup is a leading cause of authentication failures.
DMARC Implementation: Beyond SPF and DKIM, implement DMARC with a monitoring policy (p=none) to gain visibility into your email authentication status and identify any issues with your sending domains. You can also fix common DMARC issues.
Monitor Deliverability: Continuously monitor your email deliverability metrics, including inbox placement rates and bounce rates, especially after making changes to your authentication settings. Tools like Google Postmaster Tools can provide valuable insights into your domain's reputation.
Leverage ESP Documentation: Always refer to the official documentation and guides provided by your ESP. For instance, HubSpot's documentation on email authentication offers precise steps for setup.
Multiple ESPs: If using multiple ESPs for the same sending domain, ensure each ESP's DKIM records are correctly configured in your DNS. This may involve adding multiple DKIM TXT records or selectors. Learn how to set up email authentication for multiple ESPs on the same domain.
Expert view
Expert from Email Geeks clarifies that no one should be signing with a gappssmtp.com key except Google, underscoring that senders must use their own domain for DKIM authentication.
05 Sep 2022 - Email Geeks
Expert view
Expert from Spam Resource suggests that consistent and proper implementation of authentication protocols like SPF, DKIM, and DMARC across all sending domains, including subdomains, is paramount for building and maintaining a positive sender reputation. Inconsistent setup can lead to blocklisting.
12 Apr 2024 - Spam Resource
What the documentation says
Official documentation from email service providers and industry standards bodies provides clear guidelines on how to set up and manage DKIM for email sending domains. These resources consistently state that DKIM is tied to the sender's domain, not the ESP's internal infrastructure, and requires specific DNS record entries. For platforms like HubSpot, the process is streamlined to guide users through generating and publishing these necessary authentication records.
Documentation outlines a step-by-step approach, typically starting with connecting a domain within the ESP's settings, which then provides unique TXT record values for DKIM. It stresses the importance of accurately copying these values into the domain's DNS provider. Furthermore, documentation highlights potential issues such as invalid records due to typos or incomplete propagation, offering troubleshooting tips to ensure successful verification and optimal email deliverability.
Key findings
Domain Connection Process: HubSpot's documentation specifies a clear process to connect an email sending domain, involving selecting 'Email Sending' and following prompts to enter the email address associated with the domain.
DNS Record Generation: The platform generates specific DNS records (Host/Name and Value) that users need to copy and paste into their domain's DNS settings to authenticate the sending domain.
Subdomain Specifics: For subdomains, the documentation indicates that _domainkey often needs to be appended to the Host(name) value for DKIM records.
Verification and Propagation: Upon successful record input, HubSpot shows a 'Verified' message, though it cautions that verification can take up to 24 hours due to DNS propagation delays.
Troubleshooting Errors: Documentation provides guidance for 'Record Invalid' errors, suggesting users click 'Check them again' to re-verify after corrections.
Key considerations
DNS Provider Access: You must have login access to your domain's DNS provider (where you purchased or manage your domain) to add the required TXT records.
Accurate Data Entry: Precision is key when copying the Host(name) and Value fields from HubSpot into your DNS settings to avoid errors and ensure successful authentication.
Record Type: Ensure that the DNS record type created is a TXT record for DKIM authentication.
Time for Verification: Be aware of the potential 24-hour delay for DNS changes to fully propagate before troubleshooting or expecting immediate verification results.
Compliance with Standards: Adhering to these documented steps helps ensure compliance with email authentication standards (SPF, DKIM, DMARC), which are increasingly important for email deliverability in 2025 and beyond, as outlined by sources discussing strong DMARC policies.
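A pre-flight check for the Host(name) and Value fields discussed above, as an added example that is not HubSpot's own tooling: it builds the name receivers query for a subdomain, derives the relative host to type when the DNS provider appends the zone automatically, and lints a DKIM TXT value for the typo and truncation errors that cause invalid records. The selector `sel1`, the domains and the key bytes are constructed placeholders.

```python
import base64
import re

def dkim_query_name(selector, signing_domain):
    """Name a receiver queries: <selector>._domainkey.<d= domain> (RFC 6376)."""
    return f"{selector}._domainkey.{signing_domain}".lower().rstrip(".")

def host_field_for_zone(selector, signing_domain, zone):
    """Host(name) to enter when the DNS provider appends the zone name itself."""
    fqdn, zone = dkim_query_name(selector, signing_domain), zone.lower().rstrip(".")
    if not fqdn.endswith("." + zone):
        raise ValueError(f"{signing_domain} is not inside zone {zone}")
    return fqdn[: -len(zone) - 1]

def lint_dkim_txt(value):
    """Return a list of problems found in a DKIM TXT record value."""
    # TXT data may be split into several quoted strings; receivers concatenate them.
    chunks = re.findall(r'"([^"]*)"', value)
    joined = "".join(chunks) if chunks else value
    tags = {}
    for part in joined.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append("unknown key type in k=")
    p = tags.get("p")
    if p is None:
        problems.append("missing p= tag")
    elif p == "":
        problems.append("empty p= means the key is revoked")
    else:
        try:
            base64.b64decode(p, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("p= is not valid base64 (truncated or mistyped?)")
    return problems

# Constructed inputs: the "key" is arbitrary bytes, not a real public key.
SAMPLE_KEY = base64.b64encode(b"constructed key bytes, not a real public key").decode()
GOOD = f'"v=DKIM1; k=rsa; p={SAMPLE_KEY[:20]}" "{SAMPLE_KEY[20:]}"'
TRUNCATED = f"v=DKIM1; k=rsa; p={SAMPLE_KEY[:-3]}"
```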
Technical article
HubSpot's knowledge base outlines the initial steps for connecting a domain to HubSpot, which includes logging into your HubSpot account, navigating to 'Settings', then 'Website > Domains & URLs', and clicking 'Connect a domain'.
05 Sep 2022 - HubSpot Knowledge Base
Technical article
HubSpot documentation states that after selecting 'Email Sending' and clicking 'connect', users will be directed to a domain connection screen where they must enter the email address used for sending emails from that domain before proceeding.