How does SPF alignment work with DMARC in HubSpot, and what are the implications for shared and dedicated senders?
Michael Ko
Co-founder & CEO, Suped
Published 16 Jul 2025
Updated 16 Aug 2025
Understanding how SPF alignment works with DMARC, especially within platforms like HubSpot, is crucial for email deliverability. It's a topic that often leads to confusion, particularly when dealing with shared versus dedicated sending infrastructures. I've encountered many questions about why SPF might pass but still not align for DMARC, and what that means for your emails hitting the inbox.
DMARC, or Domain-based Message Authentication, Reporting, and Conformance, is designed to protect your domain from impersonation and phishing. It relies on the successful authentication and alignment of either SPF (Sender Policy Framework) or DKIM (DomainKeys Identified Mail) records. Without proper alignment, even if SPF passes the initial check, your DMARC policy might still instruct recipient servers to reject or quarantine your emails. This distinction is particularly important when using an Email Service Provider (ESP) like HubSpot, which manages various aspects of your sending infrastructure.
The implications vary significantly depending on whether you're using HubSpot's shared sending infrastructure or a dedicated IP. Each setup presents unique challenges and requirements for achieving DMARC compliance. It's not always about just having an SPF record, but ensuring that the domains involved are correctly aligned according to DMARC's specifications. Let's delve into how this works and what you need to consider for both shared and dedicated sending environments.
SPF (Sender Policy Framework) is an email authentication method that helps prevent sender spoofing. It allows domain owners to publish a DNS record listing the IP addresses authorized to send email on behalf of their domain. When an email server receives a message, it checks the SPF record of the sending domain to verify if the sending IP address is legitimate. If the IP is listed, SPF passes, indicating that the email originates from an authorized source.
DMARC builds upon SPF and DKIM by adding a crucial layer: alignment. For DMARC to pass, either SPF or DKIM must not only pass their respective authentication checks but also achieve alignment with the "From" header domain (the domain visible to the recipient). This alignment ensures that the authenticated domain is the one the user sees, preventing bad actors from sending emails that appear to be from your domain but originate from unauthorized sources.
Strict vs. relaxed SPF alignment
SPF alignment works by comparing the domain in the Return-Path (also known as the "MAIL FROM" or envelope sender) with the domain in the "From" header (the domain displayed to the end-user). There are two modes of alignment, as defined by RFC 7489: strict and relaxed. Strict alignment requires an exact match between these two domains, while relaxed alignment allows for a match to the organizational domain, including subdomains. For instance, marketing.example.com would align with example.com under relaxed alignment, but not strict. Understanding how relaxed domain alignment works is essential for DMARC implementation.
While SPF itself might pass if the sending IP is authorized, SPF alignment for DMARC requires that the domain used in the SPF check (the Return-Path domain) matches the domain in the "From" header. If these domains do not align, DMARC will view the SPF authentication as a failure, even if the underlying SPF check successfully verified the sender's IP. This is a common point of confusion, where an email might technically pass SPF but still fail DMARC's alignment requirement.
HubSpot's approach to SPF alignment
When sending emails through HubSpot on their shared infrastructure, a key aspect to grasp is how the platform handles the Return-Path domain. For shared senders, HubSpot typically uses its own domain, such as hubspotemail.net, as the Return-Path. This means that while the "From" header of your email will show your brand's domain (e.g., yourdomain.com), the hidden Return-Path domain will be HubSpot's. As a result, SPF alignment (where the Return-Path domain matches the From header domain) will generally not be achieved for shared senders.
Even though SPF alignment might not occur, the SPF check itself can still pass because HubSpot includes their sending IPs in their hubspotemail.net SPF policy. However, DMARC mandates that at least one of SPF or DKIM must align with the "From" header domain to pass DMARC. Therefore, for shared HubSpot senders, DMARC compliance predominantly relies on DKIM alignment. This means your emails must be properly signed with DKIM using your domain to pass DMARC checks, even if SPF alignment fails.
This reliance on DKIM alignment means that while SPF is still part of the authentication process, its alignment component is secondary for DMARC compliance when using HubSpot's shared IP pools. If you're on a shared IP and your DKIM setup isn't correctly configured to align, your emails could face significant deliverability issues, including landing in spam folders or being rejected entirely by recipient mail servers. This is why it's vital to ensure your DKIM records are properly set up and aligned.
A common recommendation for HubSpot users, particularly those on shared IPs, is to implement DMARC with a relaxed alignment policy. This approach allows for your DKIM signature to align even if the SPF Return-Path does not perfectly match your "From" domain, providing the flexibility needed for ESPs that use their own domains for the Return-Path. It's a pragmatic solution that helps maintain deliverability while still benefiting from DMARC's protection. For more information, you can read about SPF alignment for DMARC without a dedicated IP.
Implications for shared and dedicated senders
Shared sender details
Return-Path domain: HubSpot's domain (e.g., hubspotemail.net). This cannot be changed.
SPF alignment: Will generally fail DMARC SPF alignment because the Return-Path domain does not match your "From" domain.
DMARC reliance: Primarily relies on DKIM alignment for DMARC to pass.
Configuration: Ensure DKIM is correctly set up for your sending domain in HubSpot.
Dedicated sender details
Return-Path domain: Can be customized to a subdomain of your choice (e.g., mail.yourdomain.com).
SPF alignment: Can achieve SPF alignment if your "From" domain uses the same subdomain or aligns under relaxed DMARC policy.
DMARC reliance: Can pass DMARC via SPF or DKIM alignment.
Configuration: Requires setting up specific DNS records for the chosen subdomain.
For HubSpot users on a dedicated IP, the situation regarding SPF alignment becomes more flexible. A dedicated IP allows you to customize your Return-Path domain, though it's typically a subdomain, such as mail.yourdomain.com. This customization means you can achieve SPF alignment under a relaxed DMARC policy if your "From" header also uses your main domain (e.g., yourdomain.com) or a related subdomain. However, strict alignment might still be challenging if the "From" header domain is your root domain and the Return-Path is a subdomain.
Dedicated IPs, while offering more control and potential for alignment, also come with greater responsibility for managing sender reputation. SPF, DKIM, and DMARC are all critical here. With a dedicated IP, you're expected to manage all associated DNS records, including A records for rDNS, MX records for feedback, SPF, and DKIM (often requiring two CNAMEs from HubSpot). These configurations directly impact your ability to achieve DMARC compliance through either SPF or DKIM alignment. The primary goal is to ensure that your chosen Return-Path domain's SPF record correctly authorizes HubSpot's dedicated IP and aligns with your From domain under a relaxed DMARC policy, or that your DKIM signature aligns.
Even with a dedicated IP and custom subdomain, the subtle differences in domain structure between your "From" header and your Return-Path can affect SPF alignment, especially under strict DMARC policies. This is why DKIM remains a critical component for DMARC compliance, even for dedicated senders. It acts as a safety net, ensuring DMARC passes if SPF alignment falls short. Setting up the correct DNS records, including your DMARC record and policy, is key to leveraging this flexibility effectively.
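The pass-versus-alignment distinction for shared and dedicated senders can be worked through in code. This is an added example, not HubSpot's or the author's code: the function names are hypothetical, and the small `PUBLIC_SUFFIXES` set is a constructed stand-in for the full Public Suffix List that a real evaluator uses to find the organizational domain.

```python
# Added illustration of DMARC identifier alignment (RFC 7489).
# ASSUMPTION: this constructed set stands in for the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}

def org_domain(domain):
    """Organizational domain = longest public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # i = 0 tries the longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to last two labels

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match); 'r' = relaxed (same organizational domain)."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_result(from_domain, return_path, spf_pass, dkim_d, dkim_pass,
                 aspf="r", adkim="r"):
    """DMARC passes when SPF or DKIM both passes AND aligns with the From domain."""
    spf_ok = bool(spf_pass) and aligned(return_path, from_domain, aspf)
    dkim_ok = bool(dkim_pass) and aligned(dkim_d, from_domain, adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

if __name__ == "__main__":
    # Constructed cases using the sample domains named in the article.
    cases = {
        "shared, custom DKIM": ("yourdomain.com", "hubspotemail.net", True,
                                "yourdomain.com", True, "r", "r"),
        "shared, no aligned DKIM": ("yourdomain.com", "hubspotemail.net", True,
                                    "", False, "r", "r"),
        "dedicated, relaxed SPF": ("yourdomain.com", "mail.yourdomain.com", True,
                                   "", False, "r", "r"),
        "dedicated, strict SPF": ("yourdomain.com", "mail.yourdomain.com", True,
                                  "", False, "s", "r"),
    }
    for name, args in cases.items():
        print(f"{name:26} {dmarc_result(*args)}")
```

In every case the raw SPF check passes; only the alignment step decides whether SPF counts toward DMARC.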
Example SPF record for HubSpot (DNS)
v=spf1 include:spf.hubspotemail.net ~all
Ultimately, for both shared and dedicated HubSpot senders, the goal is to ensure that DMARC passes. Since SPF alignment might be a challenge, particularly with shared IPs, relying on DKIM alignment becomes crucial. HubSpot supports DMARC compliance primarily through custom DKIM signatures. This means that as long as your DKIM is correctly configured and aligns with your "From" domain, your emails will pass DMARC, even if SPF alignment does not. It is important to know how SPF, DKIM, and DMARC affect email deliverability.
Ensuring DMARC compliance with HubSpot
Navigating SPF alignment and DMARC with HubSpot requires a clear understanding of the underlying mechanisms, especially the distinction between an SPF "pass" and SPF "alignment." While HubSpot's shared infrastructure generally won't achieve SPF alignment for your root domain, this doesn't automatically mean DMARC failure. The key is to leverage DKIM alignment effectively.
For both shared and dedicated senders using HubSpot, the primary focus should be on ensuring DKIM is properly configured and aligns with your "From" header domain. This will be the main factor in achieving DMARC compliance and improving your email deliverability. Regardless of your sending setup, continuous monitoring of your DMARC reports is essential to catch any authentication failures or alignment issues that could impact your sender reputation and inbox placement. Implementing DMARC with a relaxed policy is often the recommended approach to balance security with deliverability, especially when using third-party ESPs like HubSpot.
Always prioritize a robust DKIM setup in HubSpot and ensure your DMARC policy is configured to allow for relaxed alignment. This strategy will help maintain strong authentication and prevent your legitimate emails from being blocked or sent to spam folders, regardless of whether you're utilizing shared or dedicated IPs within HubSpot. It is important to know how bad SPF alignment affects deliverability.
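For the report monitoring recommended above, the check below reads a DMARC aggregate report and flags records where SPF passed for the Return-Path domain but did not align, and where no aligned DKIM result rescued the message. It is an added example, not part of the original article or any HubSpot tooling; the report is constructed in the RFC 7489 aggregate layout, and the function and field names in the output are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report layout; IPs and counts are made up.
# Reports arrive from third parties: in production, parse with a hardened XML
# parser (for example defusedxml) instead of the bare standard-library one.
SAMPLE_REPORT = """<feedback>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition>
    <dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results>
   <dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
   <spf><domain>hubspotemail.net</domain><result>pass</result></spf>
  </auth_results>
 </record>
 <record>
  <row><source_ip>192.0.2.11</source_ip><count>7</count>
   <policy_evaluated><disposition>quarantine</disposition>
    <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results>
   <spf><domain>hubspotemail.net</domain><result>pass</result></spf>
  </auth_results>
 </record>
</feedback>"""

def classify(report_xml):
    """Per record: did DMARC pass, and did SPF pass without aligning?"""
    findings = []
    for rec in ET.fromstring(report_xml).iter("record"):
        evaluated = rec.find("row/policy_evaluated")  # alignment-aware verdicts
        spf_aligned = evaluated.findtext("spf") == "pass"
        dkim_aligned = evaluated.findtext("dkim") == "pass"
        # auth_results holds the raw SPF verdict for the Return-Path domain
        raw_spf_pass = [s.findtext("domain") for s in rec.findall("auth_results/spf")
                        if s.findtext("result") == "pass"]
        findings.append({
            "header_from": rec.findtext("identifiers/header_from"),
            "messages": int(rec.findtext("row/count")),
            "dmarc": "pass" if spf_aligned or dkim_aligned else "fail",
            "spf_pass_unaligned": sorted(set(raw_spf_pass)) if not spf_aligned else [],
            "needs_dkim_fix": not spf_aligned and not dkim_aligned,
        })
    return findings
```

The first record is the expected shared-sender pattern (SPF unaligned, DKIM carries DMARC); the second is the same traffic without an aligned DKIM signature, which is the case to investigate.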
Views from the trenches
Best practices
Ensure your DKIM records are correctly set up and active in HubSpot for your sending domain.
Always use a DMARC policy with relaxed alignment (aspf=r and adkim=r, which are the defaults when the tags are omitted), including when you enforce p=quarantine or p=reject, to accommodate HubSpot's Return-Path.
Regularly monitor your DMARC reports to identify any authentication failures or anomalies.
Common pitfalls
Assuming SPF alignment will automatically occur with shared HubSpot IPs, leading to DMARC failures.
Setting a DMARC policy to strict alignment (aspf=s or adkim=s) without fully understanding the implications for HubSpot.
Neglecting DKIM setup, which is critical for DMARC compliance with HubSpot's shared infrastructure.
Expert tips
Prioritize DKIM authentication and alignment when using third-party ESPs that manage the Return-Path.
Understand that an SPF 'pass' isn't always an SPF 'alignment' for DMARC purposes.
When migrating to a dedicated IP, carefully plan DNS record deployment and monitor the transition.
Expert view
Expert from Email Geeks says DMARC passes if either SPF or DKIM is aligned. Relaxed alignment means they are in the same organizational space, while strict alignment requires an exact match. SPF passes as long as there is a valid SPF record with the correct IP for the Return-Path domain, even if it's not the friendly From domain.
2022-11-14 - Email Geeks
Expert view
Expert from Email Geeks says that SPF alignment requires the From address domain to match the Return-Path domain exactly, which is generally not possible on HubSpot. For shared senders, the Return-Path is HubSpot's domain. For dedicated senders, it's a subdomain, which still doesn't strictly match the root From address domain.
2022-11-15 - Email Geeks
Key takeaways for DMARC and HubSpot
In summary, while SPF authentication may pass for emails sent via HubSpot, achieving SPF alignment with your "From" domain, especially on shared IPs, is generally not possible due to HubSpot's use of its own Return-Path domain. For DMARC compliance in this scenario, the emphasis shifts heavily to DKIM alignment. When DKIM is correctly configured and aligns with your "From" domain, DMARC will pass, ensuring your emails reach their intended recipients and your domain reputation is protected.
For those with dedicated IPs, there's more potential for SPF alignment through custom subdomains, but DKIM remains a vital component, acting as a redundant authentication method. Regardless of your HubSpot setup, maintaining a DMARC policy with relaxed alignment is typically the most practical and effective strategy. This approach balances stringent email authentication with the operational realities of using an ESP, ultimately safeguarding your email deliverability and brand reputation.