How do we set up SPF, DKIM, and DMARC in HubSpot?
Most deliverability issues are not caused by content, they come from missing or misconfigured authentication. Proper verification ensures inbox providers trust your mission-critical emails.
TL;DR: Setting up domain authentication is the foundation of email success. By aligning SPF and DKIM and layering on a DMARC monitoring policy, nonprofits protect their sender reputation and significantly reduce the risk of land in the spam folder.
This is one of those areas that sounds more technical than it actually is. If your domain is not properly verified, inbox providers have no reason to trust your emails. The setup is fairly standard—if you have an IT team, this will feel routine; if you do not, HubSpot walks you through the process step by step via your Domain Manager settings.
Starting with DMARC and Monitoring
DMARC builds on SPF and DKIM by adding a policy layer. It tells receiving servers how to handle messages that fail authentication and gives you visibility into what is happening behind the scenes with your domain. We typically start with a p=none policy. This does not block or reject emails; it simply collects data so you can observe activity safely.
This initial monitoring phase allows you to:
- See who is sending on behalf of your domain, including legitimate third-party tools
- Identify misalignment between your sending domain and authenticated domain
- Catch unauthorized usage or spoofing attempts early
- Validate that SPF and DKIM are working as expected across all senders
This step is vital because most nonprofits have more senders than they realize—fundraising platforms, CRM tools, and internal systems. Jumping straight to "reject" without visibility can accidentally block legitimate email. Once reporting looks clean, you can gradually tighten the policy.
Warming Your Domain and Aligning Best Practices
Authentication alone is not enough. Inbox placement is heavily influenced by how you send, especially in the first few weeks after setup. Even with SPF, DKIM, and DMARC in place, sending too much too quickly to a cold audience can hurt your reputation.
After setup, it is important to:
- Warm your sending volume gradually instead of sending large blasts immediately
- Keep your “from” domain perfectly aligned with your authenticated domain
- Send to your most engaged audiences first (openers and clickers) to establish trust
Starting with engaged contacts helps build a "trust bank" with providers like Gmail and Outlook. If you begin with a cold or outdated list, you risk high spam complaints early on, which can permanently impact deliverability. HubSpot’s email health dashboard helps you monitor sends, engagement rates, and bounces in real time so you can adjust as needed.
What This Looks Like in Practice
Once SPF, DKIM, and DMARC are in place, deliverability becomes much more predictable. Emails are less likely to be flagged by filters, and you start to see more consistent inbox placement across all your campaigns.
The difference usually shows up in stabilized engagement metrics and fewer "missing email" complaints from donors. Instead of troubleshooting technical setup, your team can refocus on what matters: improving content, timing, and audience targeting for your next appeal.
Learn More About Deliverability and HubSpot
Related FAQs
What sender reputation practices matter for year-end appeals?
Warm up engaged audiences, suppress inactive contacts, and sequence stewardship to protect deliverability.
Read Full Answer →Can we use SMS or WhatsApp with HubSpot?
Learn how to govern consent, track opt-ins, and manage multichannel communications in one system.
Read Full Answer →What is the right email cadence for stewardship vs appeals?
Balance ongoing stewardship with targeted appeal bursts so engagement stays strong without overwhelming donors.
Read Full Answer →