HubSpot not passing SPF or DKIM alignment?

Greetings,

I am having an odd issue. I thought I had configured my DNS records correctly to allow HubSpot to send emails on my domain's behalf; however, all my reports show that NO email is being aligned correctly. Is there something I am missing? I have my DMARC policy set to NONE for now, given the fact that I can't seem to get HubSpot to align correctly.

Any help would be greatly appreciated. Here is a screenshot of dmarcian.

Hi. For DKIM alignment, follow this HubSpot article:

I don’t think HubSpot allows for SPF alignment, as they hard code a subdomain of hubspotemail.com in the “return path” header.

Thank you so much for your reply!

So, I followed their guides when implementing the DKIM records to a T, and you also have to verify DNS to make sure you “did the right thing” for your public DNS entries. I have also verified that the ZONE passes verification through dmarcian.

With that said, the DKIM should at least align if that is indeed the DKIM signature being used by HubSpot? Anyone else having this issue?

You’re welcome.

Yes, DKIM will align now. I have clients using HubSpot and this is the best I can do for them. Like I said, SPF won’t align due to HubSpot not allowing for a “custom” return path.

Thinruin, that’s the problem…I’ve had that setting (DKIM) for a good month or two now, and yet DKIM doesn’t seem to be aligned.

Going to open a ticket with them, and see what’s up.

I see. Well, I attached a screenshot of one of my client’s HubSpot report traffic to show that it should work for you.

Thinruin,

Thanks again for your reply. So help me get something straight here. Being able to align only DKIM means that DMARC will never be able to be set up to reject? Given that only DKIM and not SPF align?

I was looking at aspf=r (not s), but I fear that is lowering security and allowing emails to at times bypass the DMARC check?

I also found this on their site, which is…well, crap.

Set up DMARC with HubSpot

The domain’s DMARC policy should have SPF and DKIM both set to “relaxed” alignment, and you’ll want to take the following steps:

  1. Connect the domain as an email sending domain.
  2. Add HubSpot to your SPF policy.

DMARC is used to tell your recipients’ email servers how to use existing authentication methods like SPF or DKIM to verify the owner of the domain. All HubSpot customers are on HubSpot’s shared email servers hosted on hubspot, so mail won’t be in alignment with your own domain’s policy by default.

Being able to align only DKIM means that DMARC will never be able to be set up to reject? Given that only DKIM and not SPF align?

No. A Reject or Quarantine DMARC policy requires either SPF or DKIM to pass, but does not require both to pass. And by pass, I mean align. So DMARC policies can be enforced with SPF or DKIM, or (preferably) both.

I was looking at aspf=r (not s), but I fear that is lowering security and allowing emails to at times bypass the DMARC check?

I’m not sure about that concern. Relaxed SPF alignment allows for subdomains to be considered aligned. For example, comparing business.com to mail.business.com fails “strict” alignment, but passes “relaxed” alignment.
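The either/or rule and the relaxed versus strict comparison from the answer above, as an added example that is not part of the original thread or HubSpot's documentation. The return-path host `bounce.hubspotemail.com` and all sample messages are constructed, and the organizational domain is approximated as the last two labels (real receivers use the Public Suffix List).

```python
# Added example: how a receiver decides DMARC pass/fail from SPF and DKIM alignment.
# Assumption: organizational domain = last two labels. Real receivers consult the
# Public Suffix List, so a domain like "example.co.uk" would need a PSL lookup.

def org_domain(domain):
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)

def dmarc_result(from_domain, spf, dkim_sigs, aspf="r", adkim="r"):
    """spf: (result, return_path_domain); dkim_sigs: list of (result, d_domain).

    A mechanism counts only if it passes AND its domain aligns with the
    header From domain. DMARC passes when either mechanism counts.
    """
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], aspf)
    dkim_ok = any(res == "pass" and aligned(from_domain, d, adkim)
                  for res, d in dkim_sigs)
    return {"spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

if __name__ == "__main__":
    # Constructed messages, all with header From: someone@business.com
    shared_rp = ("pass", "bounce.hubspotemail.com")  # constructed return-path host

    # Customer DKIM key in use: SPF cannot align, DKIM does, DMARC passes.
    print(dmarc_result("business.com", shared_rp, [("pass", "business.com")]))

    # Only a signature for the sender's shared domain: nothing aligns, DMARC fails.
    print(dmarc_result("business.com", shared_rp, [("pass", "hubspotemail.com")]))

    # Relaxed vs strict SPF alignment for a subdomain return path.
    own_rp = ("pass", "mail.business.com")
    print(dmarc_result("business.com", own_rp, [], aspf="r"))
    print(dmarc_result("business.com", own_rp, [], aspf="s"))
```

Comparing the `dkim_aligned` field against the DKIM `d=` values shown in an aggregate report is a quick way to see which signature a receiver actually evaluated.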