The interaction between SPF alignment and DMARC in the context of email service providers (ESPs) like HubSpot is a frequent source of confusion for marketers and deliverability professionals alike. Understanding these mechanisms is crucial for maintaining strong sender reputation and ensuring email delivery. HubSpot, like many ESPs, handles SPF and DKIM authentication in specific ways that impact how your DMARC policy evaluates messages.
Key findings
SPF pass vs. DMARC alignment: An email can pass SPF authentication (meaning the sending IP is authorized by the return path domain’s SPF record) without achieving SPF alignment for DMARC. SPF alignment requires a match between the RFC 5322 From header domain and the SPF authenticated domain (return path domain).
HubSpot's shared IPs: For emails sent via HubSpot’s shared sending pools, the return path domain will be a HubSpot domain, not your sender domain. This means SPF alignment with your friendly from domain will not occur under strict alignment. However, SPF can still pass because HubSpot's IPs are correctly listed in their own SPF record.
Dedicated IP implications: With a dedicated IP in HubSpot, you set up a custom sending subdomain (e.g., mail.yourdomain.com) for your return path. While this subdomain allows for SPF configuration on your own domain, it will still not exactly match your primary From domain for strict SPF alignment.
DMARC reliance on DKIM: Because SPF alignment often fails in ESP environments like HubSpot, DMARC compliance heavily relies on DKIM (DomainKeys Identified Mail) authentication. HubSpot provides custom DKIM signatures that allow for DKIM alignment with your friendly from domain.
Relaxed alignment is key: For DMARC to pass, only one of the authentication methods (SPF or DKIM) needs to achieve alignment. HubSpot's recommended DMARC setup typically leverages relaxed alignment to ensure messages pass DMARC via DKIM, even if SPF alignment is not achieved.
Misinformation: There can be confusion between a technical SPF PASS and DMARC alignment. It's vital to understand the difference, as a simple SPF pass does not automatically mean DMARC alignment.
Key considerations
DMARC policy settings: Ensure your DMARC policy is set up with relaxed alignment for both SPF and DKIM (aspf=r; adkim=r;) to ensure DMARC passes when sending through HubSpot, as it will primarily rely on DKIM alignment.
Prioritize DKIM setup: Focus on correctly configuring DKIM within HubSpot, as this is the primary method for achieving DMARC compliance. This involves setting up the provided CNAME records in your DNS.
Understand the technical nuances: Familiarize yourself with the specifics of how SPF, DKIM, and DMARC interact, particularly the differences between authentication passing and DMARC alignment.
Monitor DMARC reports: Regularly review your DMARC reports to confirm that your emails are passing authentication, ideally through DKIM alignment. This helps identify any issues with your setup or sending practices.
Shared vs. dedicated IPs: While a dedicated IP allows for a branded return path subdomain, it does not fundamentally change the SPF alignment challenge with HubSpot if your primary From domain is different.
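The gap between an SPF pass and SPF alignment is visible in DMARC aggregate reports: auth_results carries the raw results, policy_evaluated carries the aligned ones. The sketch below is an added example, not code from the original page or from HubSpot; the report is constructed in the RFC 7489 layout, and example.com, esp-default.example.net and the IP addresses are placeholders.

```python
import xml.etree.ElementTree as ET  # for untrusted reports, parse with defusedxml instead

# Constructed aggregate report (RFC 7489 Appendix C layout); IPs and example.* names are placeholders.
SAMPLE_REPORT = """<feedback>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>42</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results>
   <dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>hubspotemail.net</domain><result>pass</result></spf>
  </auth_results>
 </record>
 <record>
  <row><source_ip>192.0.2.11</source_ip><count>3</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results>
   <dkim><domain>esp-default.example.net</domain><result>pass</result></dkim>
   <spf><domain>hubspotemail.net</domain><result>pass</result></spf>
  </auth_results>
 </record>
</feedback>"""

def classify(report_xml):
    """One dict per record: raw SPF result vs. the aligned results DMARC actually used."""
    out = []
    for rec in ET.fromstring(report_xml).iter("record"):
        evaluated = rec.find("row/policy_evaluated")
        spf_aligned = evaluated.findtext("spf") == "pass"    # SPF passed AND aligned
        dkim_aligned = evaluated.findtext("dkim") == "pass"  # DKIM passed AND aligned
        spf_raw = rec.findtext("auth_results/spf/result", default="none")
        out.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "spf_raw": spf_raw,
            "spf_pass_unaligned": spf_raw == "pass" and not spf_aligned,
            "dmarc_pass": spf_aligned or dkim_aligned,
            "dkim_domains": [d.findtext("domain") for d in rec.findall("auth_results/dkim")],
        })
    return out

def needs_attention(rows):
    """Records failing DMARC although SPF 'passed': the DKIM setup is what to check."""
    return [r for r in rows if r["spf_pass_unaligned"] and not r["dmarc_pass"]]

if __name__ == "__main__":
    for r in classify(SAMPLE_REPORT):
        print(r["source_ip"], r["count"], "spf:", r["spf_raw"], "dmarc_pass:", r["dmarc_pass"])
```

Both sample records show a raw SPF pass for hubspotemail.net; only the first passes DMARC, because only it carries a DKIM signature aligned with the From domain.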
Email marketers often grapple with the nuances of email authentication, especially when using platforms like HubSpot that manage complex sending infrastructures. The perceived inability to achieve SPF alignment can cause concern, leading to questions about DMARC compliance and overall deliverability. Marketers frequently seek clarity on how DMARC works when SPF alignment isn't straightforward and whether this impacts their ability to land emails in the inbox.
Key opinions
Persistent SPF alignment concerns: Many marketers initially believe that achieving SPF alignment with their From domain is a universal requirement for DMARC, leading to confusion when ESPs like HubSpot use a different return path domain.
Confusion over dedicated IP benefits: Some marketers using dedicated IPs on HubSpot are surprised to find that SPF alignment (strict) is still not achieved, despite having more control over their sending domain configuration.
Seeking branded return paths: There is a desire among marketers for ESPs to offer branded return paths even on shared IP pools, as this is often perceived as a way to improve authentication and sender identity.
Reliance on support documentation: Marketers frequently refer to ESP documentation and community forums for guidance, highlighting the need for clear, accurate, and up-to-date information regarding email authentication.
Key considerations
Focus on DMARC policy: Marketers should prioritize setting up their DMARC record correctly, particularly understanding that DKIM alignment is often the primary method for DMARC passage with ESPs.
Leverage relaxed alignment: Adopting a relaxed DMARC alignment policy for SPF and DKIM is generally the recommended approach when using a third-party ESP like HubSpot, ensuring that messages authenticate successfully.
Verify DKIM setup: Confirm that HubSpot’s DKIM CNAMEs are correctly published in your DNS. This is critical for DMARC compliance, especially when SPF alignment is not achievable.
Understand technical constraints: Recognize that ESPs may have technical reasons for not allowing branded return paths on shared IPs, as some have their own complex sending networks (e.g., HubSpot does not use SES).
Advocate for clearer communication: Marketers should seek out and advocate for transparent, accurate explanations from ESPs about email authentication processes to avoid confusion and misconfigurations.
Marketer view
Marketer from Email Geeks suggests there is still confusion around SPF alignment in HubSpot and whether it is achievable. They noted that their initial understanding from HubSpot's community indicated it wasn't possible, even with dedicated IPs, which seemed problematic.
14 Nov 2022 - Email Geeks
Marketer view
Marketer from Mpire Solutions notes that SPF alignment specifically means the domain in the email's return-path (bounce address) must match the domain in the From address. If these do not align, SPF will fail the DMARC alignment check.
22 Jun 2024 - Mpire Solutions
What the experts say
Email deliverability experts continually emphasize the importance of understanding the precise definitions and interactions of SPF, DKIM, and DMARC, especially when dealing with third-party sending platforms. They often address common misconceptions regarding authentication passes versus DMARC alignment and provide authoritative guidance based on RFC specifications. Their insights are crucial for navigating the complexities of email authentication and ensuring successful email delivery.
Key opinions
DMARC flexibility: Experts clarify that DMARC passes if either SPF or DKIM achieves alignment with the RFC 5322 From header domain.
Relaxed vs. strict alignment: Relaxed alignment means the authenticated domain shares the same organizational domain as the From domain, while strict alignment requires an exact match. Relaxed is generally recommended for ESP use.
HubSpot's SPF PASS with non-alignment: HubSpot sending IPs are authorized in their hubspotemail.net SPF policy, leading to an SPF PASS. However, this SPF PASS is irrelevant for DMARC alignment because the return path domain does not align with the From domain. DKIM alignment covers this gap.
Importance of DKIM: With ESPs, DKIM is often the critical factor for DMARC passing, as its alignment mechanism is more forgiving for third-party sending.
Correcting misinformation: Experts are keen to correct common misunderstandings about DMARC, SPF, and DKIM, stressing that accurate information is vital for the email community.
Key considerations
Adhere to RFC standards: Recommendations should always align with the official DMARC RFC 7489 to ensure technical correctness and avoid further confusion.
Educate on alignment: Clearly distinguish between an SPF PASS (based on the envelope sender domain) and DMARC's requirement for domain alignment.
Shared IP technicalities: Understand that many ESPs, including HubSpot, may have legitimate technical reasons for not supporting branded return paths on shared IPs, as they manage their own complex sending infrastructure.
Risk of strict alignment: Experts strongly advise against using strict DMARC alignment unless there is a complete understanding of its implications and associated risks, as it can easily lead to deliverability issues with third-party senders.
DMARC as a safety net: DMARC's design to check both SPF and DKIM provides redundancy, acting as a belt-and-suspenders approach to authentication, ensuring messages are covered even if one method fails alignment.
Expert view
Expert from Email Geeks clarifies that strict alignment means either the SPF domain or the DKIM domain must exactly match the domain in the RFC 5322 From header, emphasizing the precise definition from the DMARC RFC.
16 Nov 2022 - Email Geeks
Expert view
Expert from HubSpot explains that SPF alignment for HubSpot's shared senders usually fails due to the return path domain (e.g., @hubspotemail.net) not exactly matching the friendly From domain.
15 Nov 2022 - Email Geeks
What the documentation says
Official documentation, particularly RFCs (Request for Comments), provides the definitive rules for email authentication standards like SPF, DKIM, and DMARC. These documents define how alignment is checked, what constitutes a pass or fail, and the flexibility DMARC offers by allowing either SPF or DKIM to align. Consulting these foundational texts is essential for a precise understanding of email deliverability mechanisms.
Key findings
DMARC specification (RFC 7489): The DMARC specification explicitly states that a message passes DMARC if either the SPF or DKIM authentication mechanism achieves alignment with the RFC 5322 From header domain.
SPF relaxed alignment: Under relaxed SPF alignment, the authenticated domain (from the Return-Path or MailFrom domain) and the RFC 5322 From domain must share the same organizational domain (base domain), but subdomains are permitted.
SPF strict alignment: For strict SPF alignment, the authenticated domain and the RFC 5322 From domain must be an exact match.
SPF (RFC 4408): The SPF specification primarily focuses on authorizing sending IPs for the envelope sender domain (MAIL FROM or Return-Path), which is often different from the From header in ESP environments.
HubSpot's official guidance: HubSpot's knowledge base confirms that DMARC can be used with their platform by ensuring correct DKIM setup, which provides the necessary alignment for DMARC pass, especially under relaxed alignment settings.
Key considerations
Refer to RFCs for clarity: When in doubt, always consult the official RFC documents (RFC 7489 for DMARC, RFC 4408 for SPF) for the most accurate and definitive explanations of how these protocols function and interact.
DMARC policy choice: Understanding relaxed versus strict alignment is critical for choosing the appropriate DMARC policy. For most ESP users, relaxed alignment is the practical choice to ensure DMARC passes via DKIM.
HubSpot's shared IPs and SPF: Since HubSpot's shared sending IPs are authorized by their own SPF record for hubspotemail.net, an SPF PASS is usually achieved. However, the lack of SPF alignment with your From domain makes DKIM alignment the critical component for DMARC. HubSpot’s article on using DMARC with HubSpot provides guidance.
Dedicated IP requirements: For dedicated IP users, HubSpot requires setting up various DNS records including A, MX, SPF, and DKIM for a custom subdomain. This enables DKIM alignment for DMARC.
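The alignment rules above, carried through for the shared-pool and dedicated-IP cases, as an added example that is not from the original page or from HubSpot. yourdomain.com and esp-default.example.net are placeholders, and org_domain() is a simplified stand-in for the Public Suffix List lookup a real DMARC verifier performs.

```python
# Stand-in for the Public Suffix List lookup real verifiers use to find the
# organizational domain; this two-entry suffix set is an assumption for the demo.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

def org_domain(domain):
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def aligned(auth_domain, from_domain, mode):
    """mode: 's' = exact match, anything else = relaxed (same organizational domain)."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def alignment_modes(record):
    """Read aspf/adkim from a DMARC TXT record; both default to relaxed when absent."""
    modes = {"aspf": "r", "adkim": "r"}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep and key.strip().lower() in modes:
            modes[key.strip().lower()] = value.strip().lower()
    return modes

def dmarc_eval(from_domain, spf_result, mail_from_domain, dkim_sigs, record):
    """dkim_sigs is a list of (result, d= domain). Returns (spf_aligned, dkim_aligned, dmarc_pass)."""
    modes = alignment_modes(record)
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, from_domain, modes["aspf"])
    dkim_ok = any(res == "pass" and aligned(d, from_domain, modes["adkim"])
                  for res, d in dkim_sigs)
    return spf_ok, dkim_ok, spf_ok or dkim_ok

RELAXED = "v=DMARC1; p=none; aspf=r; adkim=r;"
STRICT = "v=DMARC1; p=none; aspf=s; adkim=s;"
CUSTOM_DKIM = [("pass", "yourdomain.com")]              # custom DKIM published for the From domain
NO_CUSTOM_DKIM = [("pass", "esp-default.example.net")]  # constructed: only a non-aligned signature

SCENARIOS = {  # (SPF result, return path domain, DKIM signatures, DMARC record)
    "shared pool, relaxed": ("pass", "hubspotemail.net", CUSTOM_DKIM, RELAXED),
    "dedicated IP, relaxed": ("pass", "mail.yourdomain.com", CUSTOM_DKIM, RELAXED),
    "dedicated IP, strict": ("pass", "mail.yourdomain.com", CUSTOM_DKIM, STRICT),
    "shared pool, no aligned DKIM": ("pass", "hubspotemail.net", NO_CUSTOM_DKIM, RELAXED),
}

def run_scenarios(from_domain="yourdomain.com"):
    return {name: dmarc_eval(from_domain, *args) for name, args in SCENARIOS.items()}

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:30} spf_aligned={result[0]} dkim_aligned={result[1]} dmarc={result[2]}")
```

SPF passes in every scenario, yet it aligns only for the subdomain return path under relaxed mode; the message with no aligned DKIM signature is the one that fails DMARC.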
Technical article
Documentation from RFC 7489 defines DMARC alignment, stating that it occurs if either the domain in the SPF authenticated identifier or the domain in the DKIM d= tag matches the RFC 5322 From header domain, according to the specified alignment mode.
20 Mar 2015 - RFC 7489
Technical article
Documentation from RFC 4408, the SPF specification, focuses on validating the sending IP address against the authorized senders listed in the SPF record for the domain found in the MailFrom (envelope sender) address.