If you've been inside the HubSpot platform lately, you probably noticed an alert saying, " Emails will need to be sent from authenticated domain soon."
This is to comply with inbox service providers like Google, Yahoo Mail, and Outlook, who prefer email authentication by DKIM, SPF, and DMARC. Emails sent without authentication are more likely to bounce, quarantine, or be categorized as spam.
We continuously work with clients on email authentication as part of the mix of HubSpot services we offer. From our experiences with this, let me share an overview of what you need to know, what valuable tools can help you, and what we learned.
What is email authentication? And why do you need it?
It is a technical solution that verifies that an email is not forged. It tells a recipient that an email comes from the business it claims to be from.
At a time when cyber-attacks are rampant, email authentication serves to block harmful or fraudulent uses of email such as phishing, in which malicious elements pretending to be reputable companies fool individuals into giving their private information.
Verizon’s 2023 DBIR cites that 36% of all data breaches involved phishing.
Based on the 2023 annual report by the European Union Agency for Cybersecurity (ENISA), social engineering attacks grew significantly with Artificial Intelligence (AI), but phishing remains the top point of access.
The benefits of email authentication are clear:
- It improves your email marketing performance.
- It prevents your emails from being blocked or sent to spam.
- It helps your customers verify that your emails are from your company.
The process involves setting up three separate Domain Name System (DNS) record types in your DNS provider's settings:
- SPF, and
- DMARC Policy
Their names sometimes sound like they refer to members of a hip-hop group. Most times, they conjure up images of complicated IT procedures. As we've come to learn at leadstreet, email authentication with each one is doable. We will briefly discuss each record type.
Most inbox service providers find that emails authenticated by DKIM are sufficient. Emails sent without DKIM authentication are more likely to bounce, quarantine, or be categorized as spam.
This can skew your email performance reporting as quarantined emails will appear as delivered in HubSpot but will not be visible to most recipients.
But some inbox providers - like Google and Yahoo - now require all 3 to be set up, that is: DMARC, DKIM, and SPF. This is so that you can send bulk emails to their users.
(HubSpot error message: both SPF and DMARC are not set)
If you don't meet these requirements, your domain's emails can/will bounce. These bounces will be tagged as a DMARC or Policy bounce.
If you have data indicating that your users are service providers where email authentication by DKIM is enough, you can focus on that. But we recommend setting up all three DNS record types to cover all your bases.
Learn more in this overview by HubSpot.
What is DKIM and how to set it up in your email?
DKIM stands for DomainKeys Identified Mail. It is a method of email authentication aimed at preventing email spoofing, a technique used by malicious actors to send emails with forged sender email addresses. Like someone pretending to be utilizing your company email (or something that looks like it) to ask for a customer's private information. When you authenticate DKIM, you authorize a platform to send emails with from: your domain.
To set up DKIM in HubSpot, you can:
- Set up DKIM using two CNAME records in your DNS provider.
- Use a public key provided by HubSpot provides.
- Wait for verification from a receiving mail server like Gmail.
The DKIM signature will be included in the headers of your sent emails, which correlates to the associated CNAME entries you configured.
You can find a more detailed guide in this HubSpot Knowledgebase article.
What is an SPF record in an email? How does it work?
SPF stands for Sender Policy Framework. This email authentication standard is used to verify that the sending email server (in this case, HubSpot) is authorized to send email on behalf of your specific domain. Mail servers like the Gmail SMTP Server can check HubSpot's SPF to make sure you have allowed the email marketing tool to send emails to your domain.
This is pre-configured on HubSpot's end.
What you need to do is:
- Add HubSpot's SPF record to your From Address domain.
- This will appear as a TXT record in your DNS provider, with the value provided in your HubSpot domain settings.
Learn more when you review this guide from HubSpot Knowledgebase.
What is a DMARC policy in email?
This DNS record is something many people are not familiar with. DMARC stands for "Domain-based Message Authentication, Reporting, and Conformance,". Consider it like a security guard for your email domain. It helps protect your domain from being impersonated by hackers who might send fake emails pretending to be from your organization.
Here's how it works:
Authentication: DMARC checks if incoming emails claiming to be from your domain are actually from legitimate sources. It does this by looking at two things: SPF and DKIM, or the first two types of DNS records we discussed. SPF verifies the sender's IP address, while DKIM verifies the email's digital signature.
Reporting: DMARC keeps an eye on all the emails being sent on behalf of your domain and reports back to you. It tells you if someone tries to send emails pretending to be from your domain and whether those emails passed or failed the authentication checks.
Conformance: DMARC lets you set rules for what happens to emails that fail the authentication checks. You can choose to do nothing, send them to a spam folder, or even reject them outright.
Beyond that, it can give you a more accurate understanding of your deliverability with more exact authentication reports.
As mentioned, not all servers check for DMARC before accepting a message into someone's inbox. But most do it, especially the most popular and used servers.
To set up DMARC, you need to:
- Set up DKIM and SPF first. Make sure these two are correctly authenticated based on each program you use to send marketing emails and even transactional emails for eCommerce, invoicing, or document signing. These programs include HubSpot, Dynamics365, Salesforce, Marketo, Mail Gun, Zoho, Shopify, PandaDoc, Twila, and Squarespace. You should also check that DKIM and SPF are correctly set up in the company email system you use, whether that's Office365, Gmail, AOL, Yahoo Mail, or Hotmail. Otherwise, your own mail will not be delivered if you add p=reject.
- Add your DMARC Policy. Go to your DNS Settings and add a TXT record. HubSpot provides the minimum recommended policy with no reporting, but you can make your policy by including additional properties in the Value field of your DNS record.
and value v=DMARC1; p=reject; rua=mailto:firstname.lastname@example.org
- Remember to replace the email address with your email address.
- Click Copy under the Host and Required Data columns then paste the values into the corresponding fields in your DNS provider.
- Once added and verified, all receiving email servers can authenticate incoming emails from your domain and handle any failures based on your policy.
Writing a DMARC Policy
DMARC policy values refer to semicolon-separated properties that determine what type of policy you want to have and what you want to allow or avoid. When writing your policy, start slow with properties like p=none and p=quarantine. With p=reject being the most severe. From there, you can evaluate regularly based on your reports. You can learn more about them in this HubSpot Knowledge article.
Interestingly, you can generate a DMARC Policy through ChatGPT:
You can specify whether you want it to be neutral, strict, or to include quarantine protocols with aggregating or failure reporting.
Here's a sample of that strict DMARC Policy created using Generative AI:
v=DMARC1; p=reject; rua=mailto:email@example.com; ruf=mailto:firstname.lastname@example.org; fo=1; adkim=s; aspf=s; pct=100
Another great tool for creating your own DMARC Policy is this tool by POWERDMarc:
Beware of overly restrictive DMARC Policies
Setting a very strict DMARC policy might have unexpected consequences. An overly restrictive DMARC policy, such as one set to "reject" with strict alignment for both SPF and DKIM, could potentially prevent things like your invoice program from successfully sending out email notifications.
If the program is configured to send emails on behalf of your domain but fails to properly authenticate through SPF and DKIM alignment, email receivers implementing DMARC checks may reject these messages outright.
Understanding DMARC XML Reports
When it comes to DMARC reporting, reports are sent to the email address you specified in your policy in the form of XML. DMARC XML reports can be useful and help you troubleshoot email deliverability.
But it needs to be processed and presented in a way that humans can understand. For that, we recommend the DMARC XML to Human Converter where you just need to upload your XML file.
Getting email authentication support
While DKIM, SPF, and especially DMARK can initially seem daunting, you can authenticate your emails with a few simple steps if you follow the guides. Resources and tools like HubSpot's knowledgebase, ChatGPT, and DMARC XML report converters are available.
In addition, you can always consult the leadstreet team on email authentication and other HubSpot services!