DKIM for HubSpot: Email Authentication Setup Guide
How to set up DKIM for HubSpot. Step-by-step guide covering email domain authentication, DNS record configuration, and verification.
Last updated: 2026-04-10
This guide is part of our Marketing and CRM series.
If your HubSpot marketing emails are landing in spam folders or getting flagged by recipients' mail servers, the most common cause is missing email authentication. DKIM (DomainKeys Identified Mail) proves that your emails actually come from your domain and haven't been tampered with in transit. Without it, inbox providers like Gmail, Outlook, and Yahoo have no way to verify your messages are legitimate. HubSpot includes a built-in domain authentication feature that handles DKIM setup, but you still need to add the correct DNS records on your end. This guide walks you through every step.
HubSpot handles DKIM through its email domain authentication feature. When you authenticate a domain, HubSpot generates DKIM keys and provides CNAME records for your DNS. HubSpot also sets up SPF through a return-path CNAME as part of the same process. You don't need to generate DKIM keys yourself for standard HubSpot email authentication.
How HubSpot DKIM Works
HubSpot uses CNAME-based DKIM, similar to services like SendGrid and Salesforce. Instead of giving you a raw public key to paste into a TXT record, HubSpot provides CNAME records that point to HubSpot-managed keys. Here's what that means in practice:
- You start the domain authentication process in HubSpot settings
- HubSpot generates a DKIM key pair and gives you two CNAME records
- You add those CNAME records to your domain's DNS
- HubSpot verifies the records automatically once they propagate
- HubSpot signs all outgoing emails from that domain with DKIM
This approach lets HubSpot manage key rotation behind the scenes. Once your CNAME records are in place, HubSpot can update the underlying keys without requiring you to touch your DNS again.
Setting Up DKIM in HubSpot
Open email domain settings
Log in to your HubSpot account. Navigate to Settings > Marketing > Email. Click the Domain Authentication tab (or "Connect a Domain" if this is your first time). This is where HubSpot manages email sending domains.
Enter your sending domain
Type the domain you use in your From address (e.g., example.com). HubSpot will generate the DNS records you need based on this domain. Make sure you enter the exact domain your marketing emails are sent from.
Copy the DNS records
HubSpot displays the DNS records you need to add. You'll see two CNAME records for DKIM and one CNAME record for the return-path (which handles SPF alignment). Copy all three records - you need all of them for complete domain authentication.
Add CNAME records to your DNS
Log in to your DNS provider (GoDaddy, Cloudflare, Namecheap, Route 53, etc.) and create the CNAME records exactly as HubSpot shows them. Pay close attention to the hostnames - some DNS providers automatically append your root domain, which can cause duplicate domain suffixes.
Wait for DNS propagation and verification
After adding the records, return to HubSpot. HubSpot checks for the records automatically. DNS propagation typically takes 15 minutes to a few hours, though it can take up to 48 hours in some cases. HubSpot will show a green checkmark once verification succeeds.
HubSpot DNS Records
When you authenticate a domain, HubSpot provides two CNAME records for DKIM. The records follow this pattern:
| Field | DKIM Record 1 | DKIM Record 2 |
|---|---|---|
| Type | CNAME | CNAME |
| Host | `hs1._domainkey` | `hs2._domainkey` |
| Value | *(HubSpot-provided endpoint)* | *(HubSpot-provided endpoint)* |
HubSpot also provides a third CNAME record for the return-path, which aligns SPF with your domain. While this guide focuses on DKIM, you should add all three records to complete domain authentication.
The exact values are unique to your HubSpot account. Always copy them directly from the HubSpot domain authentication page. Even a small typo - an extra space, a missing dot - will cause verification to fail. If your DNS provider auto-appends your domain name, don't include the root domain in the hostname field.
Need DKIM keys for other services?
Generate DKIM key pairs for email services that don't provide built-in key management like HubSpot.
HubSpot DKIM Selectors
HubSpot generates its own DKIM selectors automatically - you don't get to choose them. The selectors are tied to your HubSpot account and typically follow a HubSpot-specific naming pattern. Unlike services that let you pick a selector name, HubSpot assigns them during domain authentication.
Why two selectors? Like SendGrid, HubSpot uses dual DKIM selectors for redundancy and seamless key rotation. If HubSpot needs to rotate a key, the second selector ensures email authentication continues uninterrupted. Both CNAME records are required - don't skip one thinking it's a backup.
This also means your domain will have two _domainkey CNAME entries dedicated to HubSpot. These won't interfere with DKIM records from other email services, since each service uses its own unique selectors.
Using HubSpot with Other Email Services
Most businesses don't send all their email through HubSpot. You might use Google Workspace or Microsoft 365 for day-to-day communication, a transactional service like SendGrid for order confirmations, and HubSpot for marketing campaigns. Each of these services can have its own DKIM configuration on the same domain without conflict.
DKIM selectors are what make this work. Each service uses a different selector, so receiving mail servers know which public key to check for each email:
| Service | Typical Selector |
|---|---|
| HubSpot | `hs1._domainkey` / `hs2._domainkey` |
| Google Workspace | `google._domainkey` |
| Microsoft 365 | `selector1._domainkey` / `selector2._domainkey` |
| SendGrid | `s1._domainkey` / `s2._domainkey` |
Simply add all the required DNS records from each service. They coexist without issues because they use different selector names. If you're managing DKIM across multiple services, consider keeping a spreadsheet of your active selectors and which service each one belongs to.
Troubleshooting HubSpot DKIM
HubSpot says verification failed
- Confirm all three CNAME records are present in your DNS (two DKIM + one return-path)
- Check that the hostnames don't include your root domain twice - some DNS providers auto-append the domain, so entering
hs1._domainkey.example.combecomeshs1._domainkey.example.com.example.com - Wait at least an hour before retrying, as DNS propagation can be slow depending on your provider's TTL settings
DKIM was working but stopped passing
- Check your DNS records haven't been accidentally removed or modified
- If you recently migrated DNS providers, make sure the CNAME records were recreated at the new provider
- Verify the records still resolve using a DNS lookup tool
Emails still landing in spam after DKIM is set up
- DKIM alone doesn't guarantee inbox placement - you also need proper SPF alignment and a DMARC policy
- Check your HubSpot email health score for content or engagement issues
- Make sure your From address domain matches the authenticated domain exactly
- Review your sending reputation - new domains or domains with no sending history may need time to build trust
Custom DKIM keys with HubSpot
- HubSpot's standard domain authentication handles DKIM automatically, so custom keys aren't typically needed
- If you have compliance requirements that demand control over your own key material, you can generate keys with DKIM Creator and work with HubSpot support for advanced configuration
- For most small and mid-size businesses, HubSpot's managed DKIM is the simpler and recommended approach
Related Articles
References
- RFC 6376 — DomainKeys Identified Mail (DKIM) Signatures
- HubSpot official documentation — Email domain authentication and DKIM setup
Sending email through HubSpot and other services? Make sure every channel is authenticated with DKIM.
Generate DKIM keys instantly
Create DKIM key pairs for any email service. Free, secure, and generated in your browser.
Generate DKIM Keys